FreeBSD root on a geli-encrypted ZFS pool
Matthew X. Economou
xenophon at irtnog.org
Sat Mar 10 16:09:42 UTC 2012
Fabian Keil writes:
> In my opinion protecting ZFS's default checksums (which cover
> non-metadata as well) with GEOM_ELI is sufficient. I don't see
> what advantage additionally enabling GEOM_ELI's integrity
> verification offers.
I follow you now. You may be right about the extra integrity checking
being redundant with ZFS.
> Anyway, it's a test without a file system, so the ZFS overhead isn't
> measured. I wasn't entirely clear about it, but my assumption was
> that the ZFS overhead might be big enough to make the difference
> between HMAC/MD5 and HMAC/SHA256 a lot less significant.
Got it. That also makes sense. I'll put this on my to-test list.
> I'm currently using sector sizes between 512 and 8192 so I'm not
> actually expecting technical problems, it's just not clear to me
> how much the sector size matters and if 4096 is actually the best
> value when using ZFS.
The geli(8) manual page claims that larger sector sizes lower the
overhead of GEOM_ELI keying initialization and encryption/decryption
steps by requiring fewer of these compute-intensive setup operations
per block. You can think of it in terms of networking, where it makes
sense to re-use a TCP connection for multiple HTTP requests, because
for small HTTP requests, the bandwidth and latency caused by the TCP
three-way handshake overshadow the actual data transfer.
--
I FIGHT FOR THE USERS
More information about the freebsd-stable
mailing list