Re: geli overhead?
On Mon, 4 Feb 2013 22:25:33 +0100 mhca12 wrote: Does skipping authentication also remove the requirement of zeroing the whole eli disk for the checksums? It's not needed from that perspective, but it makes it a bit more secure if you do that or fill the device from /dev/random before the init. If you don't do either an attacker may be able infer information about the layout of files. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: geli overhead?
On Tue, Feb 5, 2013 at 12:44 AM, kpn...@pobox.com wrote: On Mon, Feb 04, 2013 at 10:25:33PM +0100, mhca12 wrote: On Mon, Feb 4, 2013 at 10:19 PM, dweimer dwei...@dweimer.net wrote: On 02/04/2013 2:56 pm, mhca12 wrote: Is there some overhead associated with the geli setup as described earlier? Where did 21G from the 148G go? As suggested in dan.me.uk geli install guide I used geli init -a HMAC/SHA256 and also ran dd if=/dev/zero of=/dev/gpt/enc.eli across the eli volume. Did you use the -a option when doing the geli init? -a aalgoEnable data integrity verification (authenti- cation) using the given algorithm. This will reduce size of available storage and also reduce speed. For example, when using 4096 bytes sector and HMAC/SHA256 algorithm, 89% of the original provider storage will be avail- able for use. Currently supported algorithms are: HMAC/MD5, HMAC/SHA1, HMAC/RIPEMD160, HMAC/SHA256, HMAC/SHA384 and HMAC/SHA512. If the option is not given, there will be no authentication, only encryption. The recom- mended algorithm is HMAC/SHA256. Yes I did (see above). Do I have to init the volume again to skip authentication? Probably yes. Does skipping authentication also remove the requirement of zeroing the whole eli disk for the checksums? Yes. Thanks I'll reinstall the machine then. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: geli overhead?
On 02/04/2013 2:56 pm, mhca12 wrote: Is there some overhead associated with the geli setup as described earlier? $ df -h Filesystem SizeUsed Avail Capacity Mounted on /dev/ada0p3.eli127G6.9G119G 5%/ devfs 1.0k1.0k 0B 100%/dev /dev/gpt/boot 991M339M642M35%/bootdir $ gpart show = 34 312581741 ada0 GPT (149G) 34128 1 freebsd-boot (64k) 1622097152 2 freebsd-ufs (1.0G) 2097314 310484461 3 freebsd-ufs (148G) Where did 21G from the 148G go? As suggested in dan.me.uk geli install guide I used geli init -a HMAC/SHA256 and also ran dd if=/dev/zero of=/dev/gpt/enc.eli across the eli volume. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org Did you use the -a option when doing the geli init? -a aalgoEnable data integrity verification (authenti- cation) using the given algorithm. This will reduce size of available storage and also reduce speed. For example, when using 4096 bytes sector and HMAC/SHA256 algorithm, 89% of the original provider storage will be avail- able for use. Currently supported algorithms are: HMAC/MD5, HMAC/SHA1, HMAC/RIPEMD160, HMAC/SHA256, HMAC/SHA384 and HMAC/SHA512. If the option is not given, there will be no authentication, only encryption. The recom- mended algorithm is HMAC/SHA256. -- Thanks, Dean E. Weimer http://www.dweimer.net/ ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: geli overhead?
On Mon, Feb 4, 2013 at 10:19 PM, dweimer dwei...@dweimer.net wrote: On 02/04/2013 2:56 pm, mhca12 wrote: Is there some overhead associated with the geli setup as described earlier? $ df -h Filesystem SizeUsed Avail Capacity Mounted on /dev/ada0p3.eli127G6.9G119G 5%/ devfs 1.0k1.0k 0B 100%/dev /dev/gpt/boot 991M339M642M35%/bootdir $ gpart show = 34 312581741 ada0 GPT (149G) 34128 1 freebsd-boot (64k) 1622097152 2 freebsd-ufs (1.0G) 2097314 310484461 3 freebsd-ufs (148G) Where did 21G from the 148G go? As suggested in dan.me.uk geli install guide I used geli init -a HMAC/SHA256 and also ran dd if=/dev/zero of=/dev/gpt/enc.eli across the eli volume. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org Did you use the -a option when doing the geli init? -a aalgoEnable data integrity verification (authenti- cation) using the given algorithm. This will reduce size of available storage and also reduce speed. For example, when using 4096 bytes sector and HMAC/SHA256 algorithm, 89% of the original provider storage will be avail- able for use. Currently supported algorithms are: HMAC/MD5, HMAC/SHA1, HMAC/RIPEMD160, HMAC/SHA256, HMAC/SHA384 and HMAC/SHA512. If the option is not given, there will be no authentication, only encryption. The recom- mended algorithm is HMAC/SHA256. Yes I did (see above). Do I have to init the volume again to skip authentication? Does skipping authentication also remove the requirement of zeroing the whole eli disk for the checksums? ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org