FreeBSD root on a geli-encrypted ZFS pool

Fabian Keil freebsd-listen at fabiankeil.de
Wed Mar 7 17:01:51 UTC 2012


"xenophon+freebsd" <xenophon+freebsd at irtnog.org> wrote:

> I have posted revised instructions for installing FreeBSD to an
> encrypted ZFS pool on my blog:
> 
> https://web.irtnog.org/~xenophon/blog/revised-freebsd-root-zfs-geli
> 
> The entire procedure is documented in a way suitable for scripting.  I
> would be very interested in the community's feedback.

It's not clear to me why you enable geli integrity verification.

Given that it is single-sector-based it seems inferior to ZFS's
integrity checks in every way and could actually prevent ZFS from
properly detecting (and depending on the pool layout correcting)
checksum errors itself.

I'm also wondering if you actually benchmarked the difference
between HMAC/MD5 and HMAC/SHA256. Unless the difference can
be easily measured, I'd probably stick with the recommendation.

I would also be interested in benchmarks that show that geli(8)'s
recommendation to increase geli's block size to 4096 bytes makes
sense for ZFS. Is anyone aware of any?

Fabian
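The two points raised above (that geli's authentication is per-sector, and that the HMAC/MD5 versus HMAC/SHA256 cost should be measured rather than assumed) can be illustrated with a small userland model. The following Python is an added example and not code from the thread or from the FreeBSD project: it tags each sector with an HMAC the way geli's data authentication does, shows that a corrupted sector is reported only as that one sector (nothing about the rest of the block, which is what ZFS's block checksums and redundancy handle), and times the tag computation for both algorithms at 512-byte and 4096-byte sector sizes. The key and the data are constructed for the demo, and the numbers only approximate the relative cost of the hashes, not geli's in-kernel throughput, which should be measured on the actual provider.

```python
import hmac
import time

# Constructed demo key; geli derives its own keys from the user key and metadata.
DEMO_KEY = b"constructed-demo-key-not-a-geli-key"


def sector_tags(data: bytes, sector_size: int, algo: str, key: bytes = DEMO_KEY) -> list:
    """Return one HMAC tag per sector, mirroring geli's per-sector authentication."""
    return [
        hmac.new(key, data[off:off + sector_size], algo).digest()
        for off in range(0, len(data), sector_size)
    ]


def find_bad_sectors(data: bytes, tags: list, sector_size: int, algo: str,
                     key: bytes = DEMO_KEY) -> list:
    """Recompute every tag and return the indices of sectors whose tag no longer matches.

    Because each tag covers exactly one sector, only the sector containing the
    corruption is flagged; a block-level checksum (as in ZFS) would reject the
    whole block and, given redundancy, could rebuild it.
    """
    bad = []
    for i, off in enumerate(range(0, len(data), sector_size)):
        tag = hmac.new(key, data[off:off + sector_size], algo).digest()
        if not hmac.compare_digest(tag, tags[i]):
            bad.append(i)
    return bad


def throughput_mib_s(algo: str, sector_size: int, total_bytes: int = 4 * 2**20) -> float:
    """Tag total_bytes of constructed data in sector_size chunks; return MiB/s achieved."""
    data = bytes(range(256)) * (total_bytes // 256)
    t0 = time.perf_counter()
    sector_tags(data, sector_size, algo)
    elapsed = time.perf_counter() - t0
    return total_bytes / elapsed / 2**20


def corruption_demo(sector_size: int = 512, algo: str = "sha256") -> list:
    """Flip one byte inside sector 3 of a 16-sector buffer and report which sectors fail."""
    data = bytearray(bytes(range(256)) * (16 * sector_size // 256))
    tags = sector_tags(bytes(data), sector_size, algo)
    data[3 * sector_size + 17] ^= 0x01          # single-bit corruption in sector 3
    return find_bad_sectors(bytes(data), tags, sector_size, algo)


if __name__ == "__main__":
    print("sectors flagged after corrupting sector 3:", corruption_demo())
    for algo in ("md5", "sha256"):
        for sector_size in (512, 4096):
            print(f"hmac/{algo:<6} sector={sector_size:>4}: "
                  f"{throughput_mib_s(algo, sector_size):8.1f} MiB/s")
```

Running the block prints one throughput line per algorithm and sector size; the interesting comparison is the ratio between the rows rather than the absolute figures, and the 4096-byte rows show how much of the cost is per-sector overhead versus per-byte hashing.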