Re: geli overhead?
On Tue, Feb 5, 2013 at 12:44 AM, kpn...@pobox.com wrote:
> On Mon, Feb 04, 2013 at 10:25:33PM +0100, mhca12 wrote:
>> On Mon, Feb 4, 2013 at 10:19 PM, dweimer dwei...@dweimer.net wrote:
>>> On 02/04/2013 2:56 pm, mhca12 wrote:
>>>> Is there some overhead associated with the geli setup as described earlier?
>>>>
>>>> Where did 21G from the 148G go?
>>>>
>>>> As suggested in dan.me.uk geli install guide I used geli init -a HMAC/SHA256 and also ran dd if=/dev/zero of=/dev/gpt/enc.eli across the eli volume.
>>>
>>> Did you use the -a option when doing the geli init?
>>>
>>> -a aalgo  Enable data integrity verification (authentication) using the given algorithm. This will reduce size of available storage and also reduce speed. For example, when using 4096 bytes sector and HMAC/SHA256 algorithm, 89% of the original provider storage will be available for use. Currently supported algorithms are: HMAC/MD5, HMAC/SHA1, HMAC/RIPEMD160, HMAC/SHA256, HMAC/SHA384 and HMAC/SHA512. If the option is not given, there will be no authentication, only encryption. The recommended algorithm is HMAC/SHA256.
>>
>> Yes I did (see above). Do I have to init the volume again to skip authentication?
>
> Probably yes.
>
>> Does skipping authentication also remove the requirement of zeroing the whole eli disk for the checksums?
>
> Yes.

Thanks I'll reinstall the machine then.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: vfs.root.mountfrom with geli
On Mon, Feb 4, 2013 at 1:06 PM, Fabian Keil wrote:
> mhca12 mhc...@gmail.com wrote:
>> I followed the guide on dan.me.uk to install FreeBSD 9.1 amd64 but I get always stuck because the kernel doesn't ask me for the passphrase and doesn't find the /dev/gpt/enc.eli where enc is the label I gave to the root partition. I also tried with /dev/ada0p3.eli without success.
>>
>> Tried the following two /boot/loader.config variations:
>>
>> 1:
>> geom_eli_load=YES
>> vfs.root.mountfrom=”ufs:/dev/gpt/enc.eli”
>>
>> 2:
>> geom_eli_load=YES
>> vfs.root.mountfrom=”ufs:/dev/ada0p3.eli”
>>
>> I can geli attach /dev/gpt/enc or /dev/ada0p3 successfully from the livecd.
>>
>> Can you advise me what I might have done wrong or what I should try?
>>
>> https://www.dan.me.uk/blog/2012/05/05/full-disk-encryption-in-freebsd-9-x-well-almost/
>
> This guide doesn't seem to match your configuration. It uses ada0p3.eli for swapping and additionally uses keyfiles.
>
> Without knowing your actual configuration it's impossible to give proper advice.
>
> You could check with geli list ada0p3 if the boot flag is set, but that's obviously just a wild guess ...

Forgot to list my simpler setup:

ada0p1 freebsd-boot
ada0p2 freebsd-ufs label boot /boot
ada0p3 geli freebsd-ufs label enc /

Do I have to set the boot flag for any of them?
Re: vfs.root.mountfrom with geli
On Mon, Feb 4, 2013 at 6:23 PM, Fabian Keil wrote:
> mhca12 mhc...@gmail.com wrote:
>> On Mon, Feb 4, 2013 at 1:06 PM, Fabian Keil wrote:
>>> mhca12 mhc...@gmail.com wrote:
>>>> I followed the guide on dan.me.uk to install FreeBSD 9.1 amd64 but I get always stuck because the kernel doesn't ask me for the passphrase and doesn't find the /dev/gpt/enc.eli where enc is the label I gave to the root partition. I also tried with /dev/ada0p3.eli without success.
>>>>
>>>> Tried the following two /boot/loader.config variations:
>>>>
>>>> 1:
>>>> geom_eli_load=YES
>>>> vfs.root.mountfrom=”ufs:/dev/gpt/enc.eli”
>>>>
>>>> 2:
>>>> geom_eli_load=YES
>>>> vfs.root.mountfrom=”ufs:/dev/ada0p3.eli”
>>>>
>>>> I can geli attach /dev/gpt/enc or /dev/ada0p3 successfully from the livecd.
>>>>
>>>> Can you advise me what I might have done wrong or what I should try?
>>>>
>>>> https://www.dan.me.uk/blog/2012/05/05/full-disk-encryption-in-freebsd-9-x-well-almost/
>>>
>>> This guide doesn't seem to match your configuration. It uses ada0p3.eli for swapping and additionally uses keyfiles.
>>>
>>> Without knowing your actual configuration it's impossible to give proper advice.
>>>
>>> You could check with geli list ada0p3 if the boot flag is set, but that's obviously just a wild guess ...
>>
>> Forgot to list my simpler setup:
>>
>> ada0p1 freebsd-boot
>> ada0p2 freebsd-ufs label boot /boot
>> ada0p3 geli freebsd-ufs label enc /
>>
>> Do I have to set the boot flag for any of them?
>
> The geli passphrase is only requested at boot time for providers that have the geli boot flag set (for details see geli(8)). If it isn't set on ada0p3 it would explain the described behaviour.

Fabian thanks a lot. Maybe I forgot -b during geli init but a geli configure -b /dev/ada0p3.eli fixed it. FreeBSD is so well structured and logical in this regard and hopefully in many others as I heard.

In vfs.root.mountfrom only ”ufs:/dev/ada0p3.eli” works and the /dev/gpt/enc.eli doesn't. Is it supposed to?
which pkg repository with 9.1
I have just installed 9.1 amd64 on a test machine and wanted to install rsync. Is pkgng the right choice and if so is there a handy guide how to get started or should I use pkg_add -r? Is this any different for i386? It used to be that there's no i386 pkgng repository.
Re: which pkg repository with 9.1
On Mon, Feb 4, 2013 at 7:31 PM, mhca12 wrote:
> I have just installed 9.1 amd64 on a test machine and wanted to install rsync. Is pkgng the right choice and if so is there a handy guide how to get started or should I use pkg_add -r? Is this any different for i386? It used to be that there's no i386 pkgng repository.

I ran pkg and it fetched and setup pkgng. That was easy.
Re: which pkg repository with 9.1
On Mon, Feb 4, 2013 at 8:03 PM, Steve O'Hara-Smith st...@sohara.org wrote:
> On Mon, 4 Feb 2013 19:53:40 +0100 mhca12 mhc...@gmail.com wrote:
>> On Mon, Feb 4, 2013 at 7:48 PM, mhca12 wrote:
>>> On Mon, Feb 4, 2013 at 7:31 PM, mhca12 wrote:
>>>> I have just installed 9.1 amd64 on a test machine and wanted to install rsync. Is pkgng the right choice and if so is there a handy guide how to get started or should I use pkg_add -r? Is this any different for i386? It used to be that there's no i386 pkgng repository.
>>>
>>> I ran pkg and it fetched and setup pkgng. That was easy.
>>
>> Is it possible that the November 2012 security incident means there's still no installable packaged via pkg-install? I was going to install rsync.
>
> I believe it is still the case that there is no official package repository. I've gone to using poudriere to maintain a local pkgng repository. Once set up (not too hard) it's remarkably painless.

To get started for the moment can't I also use pkg_add -r rsync?
Re: geli overhead?
On Mon, Feb 4, 2013 at 10:19 PM, dweimer dwei...@dweimer.net wrote:
> On 02/04/2013 2:56 pm, mhca12 wrote:
>> Is there some overhead associated with the geli setup as described earlier?
>>
>> $ df -h
>> Filesystem         Size    Used   Avail Capacity  Mounted on
>> /dev/ada0p3.eli    127G    6.9G    119G     5%    /
>> devfs              1.0k    1.0k      0B   100%    /dev
>> /dev/gpt/boot      991M    339M    642M    35%    /bootdir
>>
>> $ gpart show
>> =>       34  312581741  ada0  GPT  (149G)
>>          34        128     1  freebsd-boot  (64k)
>>         162    2097152     2  freebsd-ufs  (1.0G)
>>     2097314  310484461     3  freebsd-ufs  (148G)
>>
>> Where did 21G from the 148G go?
>>
>> As suggested in dan.me.uk geli install guide I used geli init -a HMAC/SHA256 and also ran dd if=/dev/zero of=/dev/gpt/enc.eli across the eli volume.
>
> Did you use the -a option when doing the geli init?
>
> -a aalgo  Enable data integrity verification (authentication) using the given algorithm. This will reduce size of available storage and also reduce speed. For example, when using 4096 bytes sector and HMAC/SHA256 algorithm, 89% of the original provider storage will be available for use. Currently supported algorithms are: HMAC/MD5, HMAC/SHA1, HMAC/RIPEMD160, HMAC/SHA256, HMAC/SHA384 and HMAC/SHA512. If the option is not given, there will be no authentication, only encryption. The recommended algorithm is HMAC/SHA256.

Yes I did (see above). Do I have to init the volume again to skip authentication?

Does skipping authentication also remove the requirement of zeroing the whole eli disk for the checksums?
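Where the 89% in the quoted geli(8) text comes from, and what it means for the 148G partition in this thread, as an added example (not part of the original posts, and not GELI's own code). It assumes GELI stores each HMAC in the same 512-byte provider sector as the data it covers and keeps its metadata in the last provider sector; the function names and the 4096-byte GELI sector size for this volume are assumptions, since the thread does not state the sector size used.

```python
# Added example: models how GELI's authentication mode (-a) packs data and
# HMACs into provider sectors. The layout rules below are an assumption.

HASH_LEN = {  # HMAC output length in bytes for each algorithm geli(8) lists
    "HMAC/MD5": 16, "HMAC/SHA1": 20, "HMAC/RIPEMD160": 20,
    "HMAC/SHA256": 32, "HMAC/SHA384": 48, "HMAC/SHA512": 64,
}

def auth_layout(aalgo, geli_sector, provider_sector=512):
    """Return (payload bytes per provider sector, raw bytes per GELI sector)."""
    payload = provider_sector - HASH_LEN[aalgo]   # the HMAC shares the sector
    payload -= payload % 16                       # keep whole 128-bit cipher blocks
    chunks = -(-geli_sector // payload)           # ceiling division
    return payload, chunks * provider_sector

def usable_fraction(aalgo, geli_sector, provider_sector=512):
    """Share of the provider that ends up holding user data."""
    _, raw = auth_layout(aalgo, geli_sector, provider_sector)
    return geli_sector / raw

def usable_bytes(provider_bytes, aalgo, geli_sector, provider_sector=512):
    """Size of the .eli device for a provider of provider_bytes."""
    _, raw = auth_layout(aalgo, geli_sector, provider_sector)
    available = provider_bytes - provider_sector  # last sector: GELI metadata
    return (available // raw) * geli_sector

# Partition 3 from the gpart output in the thread: 310484461 sectors of 512 bytes.
ADA0P3_BYTES = 310484461 * 512

if __name__ == "__main__":
    gib = 1024 ** 3
    print(f"provider: {ADA0P3_BYTES / gib:.1f}G")
    for sector in (512, 4096):
        size = usable_bytes(ADA0P3_BYTES, "HMAC/SHA256", sector)
        frac = usable_fraction("HMAC/SHA256", sector)
        print(f"geli sector {sector}: {frac:.0%} usable, {size / gib:.1f}G")
```

With a 4096-byte GELI sector the model gives about 131.6G from the 148G provider, while 512-byte GELI sectors would leave only half of it. The gap between 131.6G and the 127G that df reports is not covered by this model.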
Re: Full disk encryption without root partition
On Sun, Dec 30, 2012 at 10:30 AM, David Demelier demelier.da...@gmail.com wrote:
> On 28/12/2012 12:29, mhca12 wrote:
>> On Fri, Dec 28, 2012 at 9:33 AM, C-S c...@c-s.li wrote:
>>>> Date: Wed, 26 Dec 2012 22:18:40 +0100
>>>> From: mhca12 mhc...@gmail.com
>>>> To: freebsd-questions@freebsd.org
>>>> Subject: Re: Full disk encryption without root partition
>>>> Message-ID: cahuomant1m446mvy85r7epbd2pw14gdl03fpmvpmksrr_ep...@mail.gmail.com
>>>> Content-Type: text/plain; charset=ISO-8859-1
>>>>
>>>> On Wed, Dec 26, 2012 at 10:17 PM, mhca12 mhc...@gmail.com wrote:
>>>>> Are there any plans or is there already support for full disk encryption without the need for a root partition?
>>>>
>>>> I am sorry, I certainly meant to write boot partition.
>>>
>>> Yes, it is possible to use GELI for example to do a full disk encryption and have the boot partition on a USB stick.
>>
>> That would still keep the boot partition as unencrypted, wouldn't it?
>
> Yes, how would you use your key if the partition is encrypted too?

Either use a usb medium with the key on it or enter a passphrase at an interactive prompt.

I got interested in this because of OpenBSD's recent bootloader changes gaining the ability to avoid an unencrypted boot partition.

On Linux systems I have a similar complaint that I have to use an initramfs (initial ramdisk with the required userland to unlock the crypt volume). All the crypto code is in the linux kernel and presumably also in the BSD's case but the volume header detection/verification/unlock code seems to be relegated to userland tools which make it impossible to have just the kernel do the required work.

Ultimately I'm gathering the state of art in the BSDs and Linux to get a full picture.
Re: Full disk encryption without root partition
On Fri, Dec 28, 2012 at 9:33 AM, C-S c...@c-s.li wrote:
>> Date: Wed, 26 Dec 2012 22:18:40 +0100
>> From: mhca12 mhc...@gmail.com
>> To: freebsd-questions@freebsd.org
>> Subject: Re: Full disk encryption without root partition
>> Message-ID: cahuomant1m446mvy85r7epbd2pw14gdl03fpmvpmksrr_ep...@mail.gmail.com
>> Content-Type: text/plain; charset=ISO-8859-1
>>
>> On Wed, Dec 26, 2012 at 10:17 PM, mhca12 mhc...@gmail.com wrote:
>>> Are there any plans or is there already support for full disk encryption without the need for a root partition?
>>
>> I am sorry, I certainly meant to write boot partition.
>
> Yes, it is possible to use GELI for example to do a full disk encryption and have the boot partition on a USB stick.

That would still keep the boot partition as unencrypted, wouldn't it?
Full disk encryption without root partition
Are there any plans or is there already support for full disk encryption without the need for a root partition?
Re: Full disk encryption without root partition
On Wed, Dec 26, 2012 at 10:17 PM, mhca12 mhc...@gmail.com wrote:
> Are there any plans or is there already support for full disk encryption without the need for a root partition?

I am sorry, I certainly meant to write boot partition.