On Sun, Oct 16, 2011 at 11:36:29PM -0700, Garrett Cooper wrote:
> On Oct 16, 2011, at 7:51 PM, Xin LI wrote:
> > Backward compatibility is that you can expect what's working in an
> > older version of FreeBSD would just work on a newer version of
> > FreeBSD, not the contrary.
> 
>       Perhaps, but the fact that this behavior / set of expectations isn't 
> clearly called out in the geli manpage -- and the fact that there isn't 
> official versioning (or at the very least this isn't made a requirement based 
> on the output above) associated with each metadata format is a fault that 
> should be corrected. Otherwise, how can GELI be considered a viable mechanism 
> for encrypting data across multiple versions of FreeBSD? It seems very 
> shortsighted that there isn't at least a mechanism for reading -- or at least 
> rejecting -- later versions of metadata in an intuitive manner.
>       FWIW if you use geli from an earlier version of FreeBSD (hint: chroot, 
> jail), it does the right thing, which means that I have a means for 
> producing encrypted images on later versions of FreeBSD now. Nevertheless, 
> having to do so in such a roundabout manner is annoying and I'm sure I won't 
> be the only one who will be affected by this.

Thanks Garrett for your comments.

As Xin pointed out, GELI is not forward compatible, but is backwards
compatible (GELI device initialized on FreeBSD 8.x will work on 9.x, but
this may not be true the other way around).

I fully agree that the error should be clear on what exactly is wrong
and this should be easy to fix.

As for creating forward compatible GELI devices I think the right thing
to do here is to:
1. Add a '-V version' option to the 'geli init' subcommand that will allow
   specifying the metadata version number to use for device initialization.
2. Add a 'geli upgrade [-V <version>] [prov ...]' subcommand that will
   allow upgrading the given device to the given metadata version (only
   to a version greater than the current version). If only providers are
   given, but -V is not given, the metadata of the given providers would be
   upgraded to the latest version supported by the system.
   It would be nice if the backup file could also be upgraded.
   If 'geli upgrade' is executed with no arguments, a list of supported
   metadata versions with some short description and ideally the FreeBSD
   versions that can run the given GELI version will be printed.
3. Print metadata version in 'geli list' output.

Would that work for you?

-- 
Pawel Jakub Dawidek                       http://www.wheelsystems.com
FreeBSD committer                         http://www.FreeBSD.org
Am I Evil? Yes, I Am!                     http://yomoli.com
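The version policy discussed in this thread (older metadata is accepted, newer metadata is refused with an error that names both versions, and an upgrade only ever moves to a strictly greater version that the host supports), as an added example that is not geli's own code. The on-disk layout here (a magic string followed by a 32-bit version) and the MD_VERSION_MAX value are constructed stand-ins, not GELI's real metadata format.

```c
/* Added example, not geli's own code. The header layout below is a
 * constructed stand-in, not GELI's on-disk metadata format. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MD_MAGIC        "EXAMPLE::ELI"  /* constructed, not G_ELI_MAGIC */
#define MD_MAGIC_LEN    16
#define MD_VERSION_MAX  5u              /* hypothetical newest version this host knows */
#define MD_LEN          (MD_MAGIC_LEN + sizeof(uint32_t))

enum md_status { MD_OK = 0, MD_BAD_MAGIC = -1, MD_TOO_NEW = -2 };

/* Build a constructed metadata block with the given version (host byte order). */
void md_build(uint8_t *buf, uint32_t version)
{
    memset(buf, 0, MD_LEN);
    memcpy(buf, MD_MAGIC, sizeof(MD_MAGIC));
    memcpy(buf + MD_MAGIC_LEN, &version, sizeof(version));
}

/* Backward compatible: any version <= MD_VERSION_MAX is accepted. Newer
 * metadata is rejected with a message naming the on-disk version and the
 * highest supported one, instead of a generic failure. */
enum md_status md_check(const uint8_t *md, size_t mdlen, uint32_t *version,
                        char *msg, size_t msglen)
{
    uint32_t v;

    if (mdlen < MD_LEN || memcmp(md, MD_MAGIC, sizeof(MD_MAGIC)) != 0) {
        snprintf(msg, msglen, "not an encrypted provider (bad magic)");
        return MD_BAD_MAGIC;
    }
    memcpy(&v, md + MD_MAGIC_LEN, sizeof(v));
    *version = v;
    if (v > MD_VERSION_MAX) {
        snprintf(msg, msglen, "metadata version %u is newer than the highest "
                 "supported version (%u); a newer FreeBSD is required", v, MD_VERSION_MAX);
        return MD_TOO_NEW;
    }
    snprintf(msg, msglen, "metadata version %u", v);
    return MD_OK;
}

/* 'geli upgrade' rule: requested == 0 means "latest supported"; the target
 * must be strictly greater than the current version and not beyond what
 * this host supports. Returns the new version, or 0 if refused. */
uint32_t md_upgrade_target(uint32_t current, uint32_t requested)
{
    uint32_t target = (requested == 0) ? MD_VERSION_MAX : requested;

    if (target <= current || target > MD_VERSION_MAX)
        return 0;
    return target;
}
```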
