geli authentication algo and newfs weirdness
Vinny
vinny-mail-01+f.questions20081120 at palaceofretention.ca
Sun Dec 7 11:59:46 PST 2008
Vinny wrote:
> Hello Everyone,
>
> I've been reading up on geli and decided I wanted to
> use data authentication. This involves the -a switch
> on the geli init command. Here's what I've found:
>
> ===== No authentication (the disk size is correct @ 152G):
>
> the/root{143}~# geli init da1
> Enter new passphrase:
> Reenter new passphrase:
> the/root{144}~# geli attach da1
> Enter passphrase:
>
> the/root{147}~# newfs -N /dev/da1.eli
> /dev/da1.eli: 152627.8MB (312581804 sectors) block size 16384, fragment
> size 2048
> using 831 cylinder groups of 183.77MB, 11761 blks, 23552 inodes.
> super-block backups (for fsck -b #) at:
> 160, 376512, 752864, ...
>
> the/root{148}~# newfs /dev/da1.eli
> /dev/da1.eli: 152627.8MB (312581804 sectors) block size 16384, fragment
> size 2048
> using 831 cylinder groups of 183.77MB, 11761 blks, 23552 inodes.
> super-block backups (for fsck -b #) at:
> 160, 376512, 752864, 1129216, ...
>
> ===== With hmac/sha256 (or any other) authentication
> (small disk size 76G):
>
> the/root{156}~# geli init -a hmac/sha256 /dev/da1
> Enter new passphrase:
> Reenter new passphrase:
> the/root{157}~#
> the/root{157}~# geli attach da1
> Enter passphrase:
>
> the/root{159}~# newfs -N /dev/da1.eli
> /dev/da1.eli: 76313.9MB (156290900 sectors) block size 16384, fragment
> size 2048
> using 416 cylinder groups of 183.77MB, 11761 blks, 23552 inodes.
> super-block backups (for fsck -b #) at:
> 160, 376512, 752864, ...
>
> the/root{163}~# newfs /dev/da1.eli
> /dev/da1.eli: 76313.9MB (156290900 sectors) block size 16384, fragment
> size 2048
> using 416 cylinder groups of 183.77MB, 11761 blks, 23552 inodes.
> newfs: can't read old UFS1 superblock: read error from block device:
> Invalid argument
>
> the/root{110}~# geli dump -v da1
> Metadata on da1:
> magic: GEOM::ELI
> version: 3
> flags: 0x10
> ealgo: AES-CBC
> keylen: 128
> aalgo: HMAC/SHA256
> provsize: 160041885696
> sectorsize: 512
> keys: 0x01
> iterations: 67988
> Salt: c708
>
> =====
>
> Anyone know what I've done wrong? Is data authentication working?
>
> Thanks!
> Vinny
>
>
The eventual solution came from Richard Farr. A few messages
later and here are the results:
I wrote:
> Hello Richard and Thanks! Sorry for my late reply.
>
> Richard Farr wrote:
>> Hi Vinny,
>>
>> I had this problem as well when trying to initialize a disk with GELI
>> and create slices/partitions/fs.
>>
>> I believe the problem is caused because the sectors of the newly
>> created GELI device still have whatever data was in them from before
>> the "geli init" command. Therefore, this data will not have the
>> correct MAC inside of the sector. It looks like newfs attempts to
>> read from some of these uninitialized sectors - causing a MAC
>> verification failure and a read error. In order to fix this, simply
>> attach the geli device and then use dd to write to all sectors of the
>> device to update them with a correct mac:
>>
>> dd if=/dev/random of=/dev/da1.eli bs=8M
>>
>> Once this is done newfs should work like a charm.
> Indeed, the results follow, but I'd like to thank you
> for the solution. I had habitually used dd on
> the raw device before running geli init. That is,
>
> dd if=/dev/random of=/dev/da2 bs=1m
>
> Then I'd init it. Didn't occur to me that doing
> that on the da2.eli device would solve the newfs
> problem.
>
> The results:
>
> the/root{120}~# geli init -a hmac/sha256 /dev/da2
> Enter new passphrase:
> Reenter new passphrase:
> the/root{121}~# geli attach da2
> Enter passphrase:
>
> the/root{122}~# newfs -N /dev/da2.eli
> /dev/da2.eli: 977.0MB (2000876 sectors) block size 16384, fragment
> size 2048
> using 6 cylinder groups of 183.77MB, 11761 blks, 23552 inodes.
> super-block backups (for fsck -b #) at:
> 160, 376512, 752864, 1129216, 1505568, 1881920
>
> the/root{123}~# newfs /dev/da2.eli
> /dev/da2.eli: 977.0MB (2000876 sectors) block size 16384, fragment
> size 2048
> using 6 cylinder groups of 183.77MB, 11761 blks, 23552 inodes.
> newfs: can't read old UFS1 superblock: read error from block device:
> Invalid argument
>
>
>
> the/root{124}~# dd if=/dev/random of=/dev/da2.eli bs=1m
> load: 1.15 cmd: dd 96350 [physwr] 0.00u 30.56s 9% 1668k
> 747+0 records in
> 746+0 records out
> 782237696 bytes transferred in 322.992946 secs (2421841 bytes/sec)
> dd: /dev/da2.eli: short write on character device
> dd: /dev/da2.eli: end of device
> 977+0 records in
> 976+1 records out
> 1024450048 bytes transferred in 422.242968 secs (2426210 bytes/sec)
>
>
> the/root{125}~# newfs -N /dev/da2.eli
> /dev/da2.eli: 977.0MB (2000876 sectors) block size 16384, fragment
> size 2048
> using 6 cylinder groups of 183.77MB, 11761 blks, 23552 inodes.
> super-block backups (for fsck -b #) at:
> 160, 376512, 752864, 1129216, 1505568, 1881920
>
> the/root{126}~# newfs /dev/da2.eli
> /dev/da2.eli: 977.0MB (2000876 sectors) block size 16384, fragment
> size 2048
> using 6 cylinder groups of 183.77MB, 11761 blks, 23552 inodes.
> super-block backups (for fsck -b #) at:
> 160, 376512, 752864, 1129216, 1505568, 1881920
>
> Success!
>
> Vinny