geli - is it better to partition then encrypt, or vice versa ?

Pete French petefrench at ingresso.co.uk
Sun Apr 18 07:21:11 UTC 2021



On 17/04/2021 21:06, Alan Somers wrote:
> The answer depends on why you want to partition in the first place.  
> What do you intend to store on those disks besides ZFS?  If the answer 
> is nothing, then don't bother partitioning; just write ZFS over GELI 
> over the whole disk.

Well, actually that's exactly why I asked the question, because after 
having done it I thought "why have I bothered partitioning this?" - 
after all, I would not have done so if they were not encrypted!

I think I got into the habit of always partitioning discs, back when 
using them raw was called "dangerously dedicated" - but that was, umm, a 
while ago shall we say ;-) Since ZFS arrived I haven't used anything 
else, and when using ZFS I use the whole drive if I can. So yeah, was 
kind of looking at my own behaviour and doing a double take here...

> (Also, it's worth asking why you want GELI, now that FreeBSD 13 supports 
> ZFS native crypto.  ZFS native crypto on RAIDZ has substantially better 
> write performance than RAIDZ on GELI.  However, if you're paranoid, then 
> GELI does provide better security; ZFS native crypto is vulnerable to 
> some kinds of watermarking attacks.)

Well, am (this week at least) running FreeBSD 12. Plus I haven't native 
ZFS encryption yet, and there's always a tendency to 'go with what you 
know well' when setting something up. I just use striping and mirroring, 
no raidz, but if it will improve the write performance, and if it 
requires a password during boot like geli does, then I will look into it 
when I get everything upgraded to 13. Hadn't even considered that, so 
thanks for the reminder - need to explore all the new stuff in OpenZFS 
I guess!

-pete.
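The "ZFS over GELI over the whole disk" layout Alan describes, as an added example that is not part of either poster's message: one GELI provider per raw disk (no gpart step anywhere), then a pool built only from the `.eli` devices, in either the mirrored or the striped form Pete uses. The device names (da0, da1), pool name, cipher, key length and sector size are assumptions for illustration; the script only prints the plan unless run as root on FreeBSD with APPLY=1.

```shell
#!/bin/sh
# Added example, not from the thread. Plans the "ZFS over GELI over the
# whole disk" layout (no partition table) and the mirrored variant.
# Device names, pool name, cipher and sector-size choices are assumptions.
set -eu

# Print the command sequence for one whole-disk GELI provider.
#   -b          mark the provider for attachment at boot (passphrase prompt)
#   -e aes-xts  cipher; -l 256 is the key length in bits
#   -s 4096     GELI sector size; 4 KiB avoids read-modify-write on 4Kn disks
geli_provider_plan() {
  printf '%s\n' \
    "geli init -b -e aes-xts -l 256 -s 4096 /dev/$1" \
    "geli attach /dev/$1"
}

# Print the full plan: every disk becomes a GELI provider first, then the
# pool is created from the .eli devices only, so ZFS never sees raw disks.
# usage: geli_zfs_plan <pool> <mirror|-> <disk>...   ("-" stripes the disks)
geli_zfs_plan() {
  pool="$1"; kind="$2"; shift 2
  for d in "$@"; do geli_provider_plan "$d"; done
  elis=""
  for d in "$@"; do elis="$elis /dev/$d.eli"; done
  if [ "$kind" = "-" ]; then kind=""; fi
  # ashift=12 keeps ZFS's block size aligned with the 4 KiB GELI sectors
  printf 'zpool create -o ashift=12 %s%s%s\n' "$pool" "${kind:+ $kind}" "$elis"
}

# Execute the plan only on FreeBSD as root with APPLY=1; otherwise print it.
# The plan is run from a temp file so geli's passphrase prompt keeps the tty.
geli_zfs_run() {
  if [ "${APPLY:-0}" = 1 ] && [ "$(uname -s)" = FreeBSD ] && [ "$(id -u)" = 0 ]; then
    plan=$(mktemp)
    geli_zfs_plan "$@" > "$plan"
    sh -ex "$plan"
    rm -f "$plan"
  else
    echo "# dry run (set APPLY=1 and run as root on FreeBSD to execute):"
    geli_zfs_plan "$@"
  fi
}

# Constructed example: a mirror of two whole disks, as in Pete's setup.
geli_zfs_run tank mirror da0 da1
```

The ordering is the whole point of "ZFS over GELI": `geli init` and `geli attach` run against the raw device, and `zpool create` is handed only the `.eli` providers. The `-b` flag is what produces the passphrase prompt at boot that Pete mentions; the GELI sector size and the pool's ashift are chosen together so neither layer splits the other's blocks.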
