Re: geli overhead?
On 02/04/2013 2:56 pm, mhca12 wrote:
> Is there some overhead associated with the geli setup as
> described earlier?
>
> $ df -h
> Filesystem         Size    Used   Avail Capacity  Mounted on
> /dev/ada0p3.eli    127G    6.9G    119G     5%    /
> devfs              1.0k    1.0k      0B   100%    /dev
> /dev/gpt/boot      991M    339M    642M    35%    /bootdir
> $ gpart show
> =>       34  312581741  ada0  GPT  (149G)
>          34        128     1  freebsd-boot  (64k)
>         162    2097152     2  freebsd-ufs  (1.0G)
>     2097314  310484461     3  freebsd-ufs  (148G)
>
> Where did 21G from the 148G go?
>
> As suggested in dan.me.uk geli install guide I used geli init -a HMAC/SHA256
> and also ran dd if=/dev/zero of=/dev/gpt/enc.eli across the eli volume.

Did you use the -a option when doing the geli init?

     -a aalgo    Enable data integrity verification (authentication)
                 using the given algorithm.  This will reduce size of
                 available storage and also reduce speed.  For example,
                 when using 4096 bytes sector and HMAC/SHA256 algorithm,
                 89% of the original provider storage will be available
                 for use.  Currently supported algorithms are: HMAC/MD5,
                 HMAC/SHA1, HMAC/RIPEMD160, HMAC/SHA256, HMAC/SHA384 and
                 HMAC/SHA512.  If the option is not given, there will be
                 no authentication, only encryption.  The recommended
                 algorithm is HMAC/SHA256.

--
Thanks,
   Dean E. Weimer
   http://www.dweimer.net/

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
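
A sketch of where the space goes, added here as an example and not part of the thread or of geli's own code. It assumes geli stores one HMAC in every 512-byte provider sector, rounds the remaining payload down to a multiple of 16 bytes, and keeps its metadata in the last provider sector; the function names are made up for illustration. The model reproduces the 89% figure from the manual excerpt above.

```python
# Added example: a model of geli's authenticated (-a) layout.
# The layout rules below are assumptions, checked against the man page's 89%.
PHYS = 512  # provider sector size in bytes (assumed; gpart counts 512-byte sectors)

HMAC_LEN = {  # digest sizes in bytes for the algorithms listed in the man page
    "HMAC/MD5": 16, "HMAC/SHA1": 20, "HMAC/RIPEMD160": 20,
    "HMAC/SHA256": 32, "HMAC/SHA384": 48, "HMAC/SHA512": 64,
}


def layout(sectorsize, aalgo, phys=PHYS):
    """Return (payload bytes per provider sector, provider bytes per geli sector)."""
    data = phys - HMAC_LEN[aalgo]          # room left after the HMAC
    data -= data % 16                      # keep payload a multiple of 16 bytes
    chunks = (sectorsize - 1) // data + 1  # provider sectors per geli sector (ceil)
    return data, chunks * phys


def usable_fraction(sectorsize, aalgo, phys=PHYS):
    """Fraction of the provider left for data with authentication enabled."""
    _, on_disk = layout(sectorsize, aalgo, phys)
    return sectorsize / on_disk


def usable_bytes(provider_bytes, sectorsize, aalgo, phys=PHYS):
    """Size of the resulting .eli device for a provider of the given size."""
    _, on_disk = layout(sectorsize, aalgo, phys)
    payload = provider_bytes - phys        # last provider sector: geli metadata
    return (payload // on_disk) * sectorsize


if __name__ == "__main__":
    part3 = 310484461 * PHYS  # partition 3 from the gpart output in the thread
    for sectorsize in (512, 4096):
        for aalgo in ("HMAC/SHA256", "HMAC/SHA512"):
            frac = usable_fraction(sectorsize, aalgo)
            size = usable_bytes(part3, sectorsize, aalgo)
            print(f"-s {sectorsize:<4} -a {aalgo:<11} "
                  f"{frac:6.1%}  {size / 2**30:6.1f}G of {part3 / 2**30:.1f}G")
```
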
Re: geli overhead?
On Mon, Feb 4, 2013 at 10:19 PM, dweimer wrote:
> On 02/04/2013 2:56 pm, mhca12 wrote:
>>
>> Is there some overhead associated with the geli setup as
>> described earlier?
>>
>> $ df -h
>> Filesystem         Size    Used   Avail Capacity  Mounted on
>> /dev/ada0p3.eli    127G    6.9G    119G     5%    /
>> devfs              1.0k    1.0k      0B   100%    /dev
>> /dev/gpt/boot      991M    339M    642M    35%    /bootdir
>> $ gpart show
>> =>       34  312581741  ada0  GPT  (149G)
>>          34        128     1  freebsd-boot  (64k)
>>         162    2097152     2  freebsd-ufs  (1.0G)
>>     2097314  310484461     3  freebsd-ufs  (148G)
>>
>> Where did 21G from the 148G go?
>>
>> As suggested in dan.me.uk geli install guide I used geli init -a
>> HMAC/SHA256
>> and also ran dd if=/dev/zero of=/dev/gpt/enc.eli across the eli volume.
>
> Did you use the -a option when doing the geli init?
>
>      -a aalgo    Enable data integrity verification (authentication)
>                  using the given algorithm.  This will reduce size of
>                  available storage and also reduce speed.  For example,
>                  when using 4096 bytes sector and HMAC/SHA256 algorithm,
>                  89% of the original provider storage will be available
>                  for use.  Currently supported algorithms are: HMAC/MD5,
>                  HMAC/SHA1, HMAC/RIPEMD160, HMAC/SHA256, HMAC/SHA384 and
>                  HMAC/SHA512.  If the option is not given, there will be
>                  no authentication, only encryption.  The recommended
>                  algorithm is HMAC/SHA256.

Yes I did (see above).

Do I have to init the volume again to skip authentication?

Does skipping authentication also remove the requirement of
zeroing the whole eli disk for the checksums?
Re: geli overhead?
On Tue, Feb 5, 2013 at 12:44 AM, wrote:
> On Mon, Feb 04, 2013 at 10:25:33PM +0100, mhca12 wrote:
>> On Mon, Feb 4, 2013 at 10:19 PM, dweimer wrote:
>> > On 02/04/2013 2:56 pm, mhca12 wrote:
>> >>
>> >> Is there some overhead associated with the geli setup as
>> >> described earlier?
>
>> >> Where did 21G from the 148G go?
>> >>
>> >> As suggested in dan.me.uk geli install guide I used geli init -a
>> >> HMAC/SHA256
>> >> and also ran dd if=/dev/zero of=/dev/gpt/enc.eli across the eli volume.
>
>> > Did you use the -a option when doing the geli init?
>> >
>> >      -a aalgo    Enable data integrity verification (authentication)
>> >                  using the given algorithm.  This will reduce size of
>> >                  available storage and also reduce speed.  For example,
>> >                  when using 4096 bytes sector and HMAC/SHA256 algorithm,
>> >                  89% of the original provider storage will be available
>> >                  for use.  Currently supported algorithms are: HMAC/MD5,
>> >                  HMAC/SHA1, HMAC/RIPEMD160, HMAC/SHA256, HMAC/SHA384 and
>> >                  HMAC/SHA512.  If the option is not given, there will be
>> >                  no authentication, only encryption.  The recommended
>> >                  algorithm is HMAC/SHA256.
>>
>> Yes I did (see above).
>>
>> Do I have to init the volume again to skip authentication?
>
> Probably yes.
>
>> Does skipping authentication also remove the requirement of
>> zeroing the whole eli disk for the checksums?
>
> Yes.

Thanks, I'll reinstall the machine then.
Re: geli overhead?
On Mon, 4 Feb 2013 22:25:33 +0100 mhca12 wrote:
> Does skipping authentication also remove the requirement of
> zeroing the whole eli disk for the checksums?

It's not needed from that perspective, but it makes it a bit more
secure if you do that or fill the device from /dev/random before the
init. If you don't do either, an attacker may be able to infer
information about the layout of files.