GELI devices produced with 9.0+ fail when mounted on 8.2, etc?
Garrett Cooper
yanegomi at gmail.com
Wed Oct 19 15:30:42 UTC 2011
On Mon, Oct 17, 2011 at 11:29 AM, Garrett Cooper <yanegomi at gmail.com> wrote:
> On Mon, Oct 17, 2011 at 6:29 AM, Pawel Jakub Dawidek <pjd at freebsd.org> wrote:
>> On Sun, Oct 16, 2011 at 11:36:29PM -0700, Garrett Cooper wrote:
>>> On Oct 16, 2011, at 7:51 PM, Xin LI wrote:
>>> > Backward compatibility is that you can expect what's working in an
>>> > older version of FreeBSD would just work on a newer version of
>>> > FreeBSD, not the contrary.
>>>
>>> Perhaps, but the fact that this behavior / set of expectations isn't clearly called out in the geli manpage -- and the fact that there isn't official versioning (or at the very least this isn't made a requirement based on the output above) associated with each metadata format is a fault that should be corrected. Otherwise, how can GELI be considered a viable mechanism for encrypting data across multiple versions of FreeBSD? It seems very shortsighted that there isn't at least a mechanism for reading -- or at least rejecting -- later versions of metadata in an intuitive manner.
>>> FWIW if you use geli from an earlier version of FreeBSD (hint: chroot, jail), it does the right thing.. which means that I have a means for producing encrypted images on later versions of FreeBSD now. Nevertheless, having to do so in such a roundabout manner is annoying and I'm sure I won't be the only one that will be affected by this.
>>
>> Thanks Garrett for your comments.
>>
>> As Xin pointed out, GELI is not forward compatible, but is backwards
>> compatible (GELI device initialized on FreeBSD 8.x will work on 9.x, but
>> this may not be true the other way around).
>>
>> I fully agree that the error should be clear on what exactly is wrong
>> and this should be easy to fix.
>>
>> As for creating forward compatible GELI devices I think the right thing
>> to do here is to:
>> 1. Add '-V version' option for 'geli init' subcommand that will allow to
>> specify metadata version number to use for device initialization.
>> 2. Add 'geli upgrade [-V <version>] [prov ...]' subcommand that will
>> allow to upgrade the given device to the given metadata version (only
>> to version greater than the current version). If only providers are
>> given, but -V is not given, metadata of the given providers would be
>> upgraded to the latest version supported by the system.
>> Would be nice if backup file could be also upgraded.
>> If 'geli upgrade' is executed with no arguments a list of supported
>> metadata versions with some short description and ideally FreeBSD
>> versions that can run the given GELI version will be printed.
>> 3. Print metadata version in 'geli list' output.
>
> That suggestion's brilliant. All that we need now is a short blurb
> in the manpage describing when each metadata version was implemented and
> I think this will be on the right track.
Patch added for the first suggestion here:
http://www.freebsd.org/cgi/query-pr.cgi?pr=161807. I'll see if I can
get around to the other two sometime before the end of the week.
Thanks,
-Garrett
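A pre-flight check for the use case above (a GELI image produced on a newer FreeBSD that must attach on an older one), written as an added example that is not code from this thread or from FreeBSD: it reads the metadata version from a constructed `geli dump`-style listing (field layout assumed), refuses a version newer than the target system supports with a clear error, and applies the proposed `geli upgrade` rules (no -V means latest; an explicit version must be greater than the current one). All version numbers are placeholders.

```shell
# Constructed sample of 'geli dump'-style output; the field layout is an
# assumption, and only the "version:" line is consumed below.
SAMPLE_DUMP='Metadata on /dev/md0s1:
     magic: GEOM::ELI
   version: 7
     flags: 0x0
     ealgo: AES-XTS
    keylen: 256
'

# Print the metadata version number found in dump-style text on stdin.
geli_meta_version() {
    awk -F': *' '$1 ~ /version$/ { print $2; exit }'
}

# check_compat VERSION MAX_SUPPORTED
# Succeed when a device with metadata VERSION can be attached on a system
# whose newest supported metadata version is MAX_SUPPORTED; otherwise
# print an explicit error instead of a generic attach failure.
check_compat() {
    ver=$1; max=$2
    if [ "$ver" -gt "$max" ]; then
        printf 'geli: metadata version %s is newer than the newest version (%s) this system supports\n' "$ver" "$max" >&2
        return 1
    fi
    return 0
}

# upgrade_target CURRENT LATEST [REQUESTED]
# Proposed 'geli upgrade' rule: with no -V go to LATEST; an explicit
# version must be greater than CURRENT and no higher than LATEST.
upgrade_target() {
    cur=$1; latest=$2; req=${3:-$latest}
    if [ "$req" -le "$cur" ]; then
        printf 'geli: cannot upgrade metadata version %s to %s (target must be greater)\n' "$cur" "$req" >&2
        return 1
    fi
    if [ "$req" -gt "$latest" ]; then
        printf 'geli: metadata version %s is not supported (latest is %s)\n' "$req" "$latest" >&2
        return 1
    fi
    printf '%s\n' "$req"
}

# Gate an image before shipping it to a target whose newest supported
# version is assumed to be 7; feed real 'geli dump' output in place of the sample.
ver=$(printf '%s' "$SAMPLE_DUMP" | geli_meta_version)
check_compat "$ver" 7 && echo "metadata version $ver: OK for target"
```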