Any options on crypt+zfs ?

Andriy Bakay andriy at irbisnet.com
Tue Apr 17 11:55:54 UTC 2012


On 2012-04-16, at 22:54, "Nenhum_de_Nos" <matheus at eternamente.info> wrote:

> 
> On Mon, April 16, 2012 22:42, Andriy Bakay wrote:
>> On 2012-04-16, at 13:32 , Nenhum_de_Nos wrote:
>> 
>>> hail,
>>> 
>>> I have a soekris running an atom and 2GB RAM and ZFS using 7 drives, small capacity though, to
>>> test and study if I can make my home server this box and this way. It will be a simple server,
>>> three users tops.
>>> 
>>> I followed the handbook and made the geli step on the disks:
>>> 
>>> Geom name: label/zfs1.eli
>>> State: ACTIVE
>>> EncryptionAlgorithm: AES-XTS
>>> KeyLength: 128
>>> Crypto: software
>>> UsedKey: 0
>>> Flags: NONE
>>> KeysAllocated: 38
>>> KeysTotal: 38
>>> Providers:
>>> 1. Name: label/zfs1.eli
>>> Mediasize: 160041881600 (149G)
>>> Sectorsize: 4096
>>> Mode: r1w1e1
>>> Consumers:
>>> 1. Name: label/zfs1
>>> Mediasize: 160041885184 (149G)
>>> Sectorsize: 512
>>> Mode: r1w1e1
>>> 
>>> 
>>> all disks are this way (just 4 disks are on geli zfs).
>>> 
>>> would it be faster, if I had geli over zfs, and not the other way (as is now) ?
>>> 
>>> my performance is too low (I know the hardware is not that much, but I compared it to a friend's
>>> arm based AP-Router gadget and my setup is when much equal. I have 1.6 GHz Atom and 2GB ram, he
>>> has not half this ... I know can't compare arm and x86 clock for clock ...)
>>> 
>>> I'll try to run geli on single disk, to see how much ZFS is impacting on performance, but, is
>>> there any other way around ? All I want is RAID5, and FreeBSD has not developed RAID5 from GEOM
>>> (AFAIK) since a long time. ZFS is the way people go in recent years.
>>> 
>>> suggestions are welcome, just want to upgrade my old 8.0 BETA3 using geom mirror/stripe to a
>>> newer approach that would be supported by FreeBSD.
>>> 
>>> I have an external enclosure for 4 SATA disks (port multiplier included) using 4 disks, another
>>> port multiplier 5x1 using now 3 disks, and:
>>> 
>>> ahci1 at pci0:13:0:0:    class=0x010601 card=0x10601b21 chip=0x06121b21 rev=0x01 hdr=0x00
>>> vendor     = 'ASMedia Technology Inc.'
>>> class      = mass storage
>>> subclass   = SATA
>>> 
>>> with two eSATA to the Port Multipliers.
>>> 
>>> thanks,
>>> 
>>> matheus
>>> 
>>> machine:
>>> ACPI Error: A valid RSDP was not found (20110527/tbxfroot-237)
>>> Copyright (c) 1992-2012 The FreeBSD Project.
>>> Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
>>> The Regents of the University of California. All rights reserved.
>>> FreeBSD is a registered trademark of The FreeBSD Foundation.
>>> FreeBSD 9.0-RELEASE #0: Wed Apr 11 13:04:15 BRT 2012
>>> root at macgyver:/usr/obj/usr/src/sys/net6501-amd64 amd64
>>> ACPI Error: A valid RSDP was not found (20110527/tbxfroot-237)
>>> CPU: Genuine Intel(R) CPU        @ 1.60GHz (1600.04-MHz K8-class CPU)
>>> Origin = "GenuineIntel"  Id = 0x20661  Family = 6  Model = 26  Stepping = 1
>>> Features=0xbfe9fbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CLFLUSH,DTS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE>
>>> Features2=0x40e3bd<SSE3,DTES64,MON,DS_CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE>
>>> AMD Features=0x20100800<SYSCALL,NX,LM>
>>> AMD Features2=0x1<LAHF>
>>> TSC: P-state invariant, performance statistics
>>> real memory  = 2147352576 (2047 MB)
>>> avail memory = 2046488576 (1951 MB)
>>> MPTable: <Soekris  net6501     >
>>> Event timer "LAPIC" quality 400
>>> FreeBSD/SMP: Multiprocessor System Detected: 2 CPUs
>>> FreeBSD/SMP: 1 package(s) x 1 core(s) x 2 HTT threads
>>> cpu0 (BSP): APIC ID:  0
>>> cpu1 (AP/HT): APIC ID:  1
>>> ioapic0: Assuming intbase of 0
>>> ioapic0 <Version 2.0> irqs 0-23 on motherboard
>>> kbd0 at kbdmux0
>>> ACPI Error: A valid RSDP was not found (20110527/tbxfroot-237)
>>> ACPI: Table initialisation failed: AE_NOT_FOUND
>>> ACPI: Try disabling either ACPI or apic support.
>>> cryptosoft0: <software crypto> on motherboard
>>> 
>>> --
>>> We will call you Cygnus,
>>> The God of balance you shall be
>>> 
>>> A: Because it messes up the order in which people normally read text.
>>> Q: Why is top-posting such a bad thing?
>>> 
>>> http://en.wikipedia.org/wiki/Posting_style
>>> _______________________________________________
>>> freebsd-stable at freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
>>> To unsubscribe, send any mail to "freebsd-stable-unsubscribe at freebsd.org"
>> 
>> The ideal solution will be ZFS with crypto support, but unfortunately this is only available on
>> Oracle Sun 5.11 for now.
>> 
>> The GELI is very good, but it is mostly for single device/file image encryption. Each new GELI
>> device in the ZFS mirror/RAIDZ configuration will add extra overhead.
>> 
>> GELI on top of ZFS volume/file-backed will be even worse.
>> 
>> You could consider PEFS from ports on top of any ZFS pool. PEFS is a kernel level stacked
>> cryptographic filesystem for FreeBSD:
>> 
>> http://www.freshports.org/sysutils/pefs-kmod/
>> http://wiki.freebsd.org/PEFS
>> https://github.com/glk/pefs
>> 
>> P.S. A ZFS RAIDZ1/RAIDZ2 pool is a more sophisticated solution than RAID5/RAID6.
> 
> Thanks Andriy, I'll read about it. Can I consider this PEFS as stable as GELI?
> 
> thanks,
> 
> matheus
> 

I cannot guarantee you it has the same stability as GELI. PEFS is younger than GELI and less used. But I am using it on a daily basis and have not had any problems so far.

I guess the question about PEFS stability is more for Gleb Kurtsou.
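
Added example, not part of the thread or of any poster's message: a small parser for the `geli list` output quoted above that reports which geoms show `Crypto: software`, so the GELI devices under a pool can be counted. The second geom in the sample and the function names are constructed for illustration.

```python
import re

# Constructed sample input: the first geom repeats fields from the `geli list`
# output quoted in the thread; the second geom is invented for contrast.
SAMPLE = """\
Geom name: label/zfs1.eli
EncryptionAlgorithm: AES-XTS
KeyLength: 128
Crypto: software
Providers:
1. Name: label/zfs1.eli
   Sectorsize: 4096
Consumers:
1. Name: label/zfs1
   Sectorsize: 512

Geom name: label/zfs2.eli
KeyLength: 256
Crypto: hardware
"""

def parse_geli_list(text):
    """Parse `geli list` text into one dict per geom."""
    geoms, geom, section, item = [], None, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line in ("Providers:", "Consumers:"):
            section, item = line[:-1].lower(), None
            continue
        m = re.match(r"(?:\d+\.\s+)?([^:]+):\s*(.*)", line)
        if not m:
            continue                      # blank or unrecognised line
        key, value = m.groups()
        if key == "Geom name":            # start of a new geom record
            geom = {"name": value, "providers": [], "consumers": []}
            geoms.append(geom)
            section, item = None, None
        elif geom is not None and section is None:
            geom[key] = value             # top-level field such as Crypto
        elif geom is not None and key == "Name":
            item = {"Name": value}        # numbered provider/consumer entry
            geom[section].append(item)
        elif item is not None:
            item[key] = value
    return geoms

def software_crypto_geoms(geoms):
    """Names of geoms whose Crypto field reads 'software'."""
    return [g["name"] for g in geoms if g.get("Crypto") == "software"]
```

On a live system the input would be the text printed by `geli list` rather than `SAMPLE`.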

