geli authentication algo and newfs weirdness

Vinny vinny-mail-01+f.questions20081120 at palaceofretention.ca
Sun Dec 7 11:59:46 PST 2008


Vinny wrote:
> Hello Everyone,
> 
> I've been reading up on geli and decided I wanted to
> use data authentication.  This involves the -a switch
> on the geli init command.  Here's what I've found:
> 
> ===== No authentication (the disk size is correct @ 152G):
> 
> the/root{143}~# geli init  da1
> Enter new passphrase:
> Reenter new passphrase:
> the/root{144}~# geli attach da1
> Enter passphrase:
> 
> the/root{147}~# newfs -N /dev/da1.eli
> /dev/da1.eli: 152627.8MB (312581804 sectors) block size 16384, fragment size 2048
>         using 831 cylinder groups of 183.77MB, 11761 blks, 23552 inodes.
> super-block backups (for fsck -b #) at:
>  160, 376512, 752864, ...
> 
> the/root{148}~# newfs  /dev/da1.eli
> /dev/da1.eli: 152627.8MB (312581804 sectors) block size 16384, fragment size 2048
>         using 831 cylinder groups of 183.77MB, 11761 blks, 23552 inodes.
> super-block backups (for fsck -b #) at:
>  160, 376512, 752864, 1129216, ...
> 
> ===== With hmac/sha256 (or any other) authentication
> (small disk size 76G) :
> 
> the/root{156}~# geli init -a hmac/sha256 /dev/da1
> Enter new passphrase:
> Reenter new passphrase:
> the/root{157}~#
> the/root{157}~# geli attach da1
> Enter passphrase:
> 
> the/root{159}~# newfs -N /dev/da1.eli
> /dev/da1.eli: 76313.9MB (156290900 sectors) block size 16384, fragment size 2048
>         using 416 cylinder groups of 183.77MB, 11761 blks, 23552 inodes.
> super-block backups (for fsck -b #) at:
>  160, 376512, 752864, ...
> 
> the/root{163}~# newfs  /dev/da1.eli
> /dev/da1.eli: 76313.9MB (156290900 sectors) block size 16384, fragment size 2048
>         using 416 cylinder groups of 183.77MB, 11761 blks, 23552 inodes.
> newfs: can't read old UFS1 superblock: read error from block device: Invalid argument
> 
> the/root{110}~# geli dump -v da1
> Metadata on da1:
>      magic: GEOM::ELI
>    version: 3
>      flags: 0x10
>      ealgo: AES-CBC
>     keylen: 128
>      aalgo: HMAC/SHA256
>   provsize: 160041885696
> sectorsize: 512
>       keys: 0x01
> iterations: 67988
>       Salt: c708
> 
> =====
> 
> Anyone know what I've done wrong?  Is data authentication working?
> 
> Thanks!
> Vinny
> 
> 

The eventual solution came from Richard Farr.  A few messages
later, here are the results:

I wrote:

 > Hello Richard and Thanks!  Sorry for my late reply.
 >
 > Richard Farr wrote:
 >> Hi Vinny,
 >>
 >> I had this problem as well when trying to initialize a disk with GELI
 >> and create slices/partitions/fs.
 >>
 >> I believe the problem is caused because the sectors of the newly
 >> created GELI device still have whatever data was in them from before
 >> the "geli init" command.  Therefore, this data will not have the
 >> correct mac inside of the sector.  It looks like newfs attempts to
 >> read from some of these uninitialized sectors - causing a mac
 >> verification failure and a read error.  In order to fix this, simply
 >> attach the geli device and then use dd to write to all sectors of the
 >> device to update them with a correct mac:
 >>
 >> dd if=/dev/random of=/dev/da1.eli bs=8M
 >>
 >> Once this is done newfs should work like a charm.


 > Indeed, the results follow, but I'd like to thank you
 > for the solution.  I had habitually used dd on
 > the raw device before running geli init.  That is,
 >
 > dd if=/dev/random of=/dev/da2 bs=1m
 >
 > Then I'd init it.  Didn't occur to me that doing
 > that on the da2.eli device would solve the newfs
 > problem.
 >
 > The results:
 >
 > the/root{120}~# geli init -a hmac/sha256 /dev/da2
 > Enter new passphrase:
 > Reenter new passphrase:
 > the/root{121}~# geli attach da2
 > Enter passphrase:
 >
 > the/root{122}~# newfs -N /dev/da2.eli
 > /dev/da2.eli: 977.0MB (2000876 sectors) block size 16384, fragment size 2048
 >          using 6 cylinder groups of 183.77MB, 11761 blks, 23552 inodes.
 > super-block backups (for fsck -b #) at:
 >   160, 376512, 752864, 1129216, 1505568, 1881920
 >
 > the/root{123}~# newfs  /dev/da2.eli
 > /dev/da2.eli: 977.0MB (2000876 sectors) block size 16384, fragment size 2048
 >          using 6 cylinder groups of 183.77MB, 11761 blks, 23552 inodes.
 > newfs: can't read old UFS1 superblock: read error from block device: Invalid argument
 >
 >
 >
 > the/root{124}~# dd if=/dev/random of=/dev/da2.eli bs=1m
 > load: 1.15  cmd: dd 96350 [physwr] 0.00u 30.56s 9% 1668k
 > 747+0 records in
 > 746+0 records out
 > 782237696 bytes transferred in 322.992946 secs (2421841 bytes/sec)
 > dd: /dev/da2.eli: short write on character device
 > dd: /dev/da2.eli: end of device
 > 977+0 records in
 > 976+1 records out
 > 1024450048 bytes transferred in 422.242968 secs (2426210 bytes/sec)
 >
 >
 > the/root{125}~# newfs -N /dev/da2.eli
 > /dev/da2.eli: 977.0MB (2000876 sectors) block size 16384, fragment size 2048
 >          using 6 cylinder groups of 183.77MB, 11761 blks, 23552 inodes.
 > super-block backups (for fsck -b #) at:
 >   160, 376512, 752864, 1129216, 1505568, 1881920
 >
 > the/root{126}~# newfs /dev/da2.eli
 > /dev/da2.eli: 977.0MB (2000876 sectors) block size 16384, fragment size 2048
 >          using 6 cylinder groups of 183.77MB, 11761 blks, 23552 inodes.
 > super-block backups (for fsck -b #) at:
 >   160, 376512, 752864, 1129216, 1505568, 1881920
 >
 > Success!
 >
 > Vinny

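The halving of the usable size (152627.8MB without authentication, 76313.9MB with hmac/sha256) in the first transcript is not a fault: with a 512-byte provider sector and a 32-byte HMAC/SHA256 tag, one 512-byte .eli sector no longer fits in one provider sector, so geli spends two. The script below is an added example (not code from the thread or from FreeBSD); it models the layout of FreeBSD's g_eli as I understand it (last provider sector reserved for metadata, data area per provider sector rounded down to a 16-byte multiple) and reproduces the sizes newfs printed from the `provsize` in the `geli dump` output.

```python
import math

# Digest lengths in bytes of the authentication algorithms geli(8) accepts.
HASH_LEN = {
    "HMAC/MD5": 16, "HMAC/SHA1": 20, "HMAC/RIPEMD160": 20,
    "HMAC/SHA256": 32, "HMAC/SHA384": 48, "HMAC/SHA512": 64,
}

def eli_mediasize(provsize, prov_sectorsize=512, eli_sectorsize=512, aalgo=None):
    """Size in bytes of /dev/<name>.eli for a provider of `provsize` bytes.

    Layout modelled on FreeBSD's g_eli (assumption, not code from the page):
    the last provider sector holds the metadata; with authentication every
    provider sector carries the MAC followed by a data area rounded down to a
    multiple of 16 bytes, so a single .eli sector may span several provider
    sectors."""
    usable = provsize - prov_sectorsize            # metadata sector excluded
    if aalgo is None:
        return usable
    data_per_sector = prov_sectorsize - HASH_LEN[aalgo]
    data_per_sector -= data_per_sector % 16        # keep AES blocks unpadded
    prov_per_eli = math.ceil(eli_sectorsize / data_per_sector)
    bytes_per_eli_sector = prov_per_eli * prov_sectorsize
    return (usable // bytes_per_eli_sector) * eli_sectorsize

def newfs_summary(mediasize, sectorsize=512, fragsize=2048):
    """Reproduce newfs(8)'s '<MB> (<sectors> sectors)' header line: the
    sector count is rounded down to a whole fragment."""
    sectors = mediasize // sectorsize
    sectors -= sectors % (fragsize // sectorsize)
    return round(mediasize / 2**20, 1), sectors

if __name__ == "__main__":
    PROVSIZE = 160041885696   # provsize from the 'geli dump -v da1' output above
    for aalgo in (None, "HMAC/SHA256"):
        mb, sectors = newfs_summary(eli_mediasize(PROVSIZE, aalgo=aalgo))
        print(f"{aalgo or 'no auth':12s}: {mb}MB ({sectors} sectors)")
```

The same function shows why a larger .eli sector (`geli init -s 4096`) wastes far less space with authentication: nine provider sectors then carry one 4096-byte sector instead of two carrying 512 bytes.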
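Richard Farr's explanation of the "Invalid argument" read error, as an added toy model (not the thread's or FreeBSD's code): a sector never written since `geli init` still holds whatever bytes were on the disk, its stored tag does not verify, and the read fails with EINVAL; writing every sector once, as `dd` to the .eli device does, gives each sector a valid tag. The model keeps a 32-byte HMAC/SHA256 tag plus 480 data bytes per 512-byte sector and binds the tag to the sector number; it omits the encryption step and geli's real key derivation.

```python
import hmac, hashlib, os

class AuthSectorDevice:
    """Toy authenticated provider: each 512-byte sector stores
    HMAC(key, sector_number || data) ahead of 480 data bytes.  Reads verify
    the tag and fail the way the transcript shows ('Invalid argument')."""
    DATA = 480   # 512-byte sector minus a 32-byte HMAC/SHA256 tag

    def __init__(self, nsectors, key):
        self.key = key
        # Pre-existing contents: whatever the disk held before geli init.
        self.sectors = [os.urandom(512) for _ in range(nsectors)]

    def _tag(self, n, data):
        msg = n.to_bytes(8, "little") + data   # sector number binds the tag
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def write(self, n, data):
        assert len(data) == self.DATA
        self.sectors[n] = self._tag(n, data) + data

    def read(self, n):
        raw = self.sectors[n]
        tag, data = raw[:32], raw[32:]
        if not hmac.compare_digest(tag, self._tag(n, data)):
            raise OSError(22, "Invalid argument")   # EINVAL on MAC failure
        return data

def read_ok(dev, n):
    """True when sector n passes verification, False on the EINVAL read error."""
    try:
        dev.read(n)
        return True
    except OSError:
        return False

def initialize_all(dev):
    """The fix from the thread: write every sector of the attached .eli
    device once so each one carries a valid tag (dd if=/dev/random ...)."""
    for n in range(len(dev.sectors)):
        dev.write(n, os.urandom(dev.DATA))
```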