Re: Congratulations on the stable/13 release!

2021-04-30 Thread Peter Libassi 


> 1 maj 2021 kl. 03:45 skrev Andrew Reilly :
> 
> In case anyone's interested: for this morning's software maintenance 
> session (at home) I upgraded my file server from FreeBSD stable/12
> to the recently released stable/13.  From source, in-place, on a
> running, on-line system.  Despite the fact that the entire ZFS
> subsystem has been replaced, which is what caused me to wait for a
> couple of weeks, the upgrade appears to have been flawless.  Not a
> single error message on boot-up.  Not a single failed service.
> Everything is working perfectly.  Zpool status told me that I should
> upgrade the pools, and did: that turned on a dozen or so new features
> that I'm sure are useful.  Total downtime about a minute or so:
> just the time it took to reboot.  I'm amazed.  Good on the FreeBSD
> developers and (especially) the release engineers!
> 
> cd /usr/src
> git switch stable/13
> make -s -j20 buildworld kernel
> mergemaster -p
> make -s installworld
> mergemaster -U
> shutdown -r now
> 
> zpool status
> zpool upgrade backup20
> zpool upgrade root
> zpool upgrade tank
> 
> Done!
> 
> Cheers,
> 
> Andrew
> 
> ___
> freebsd-stable@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org”


I will join the gratulations! I’ve also upgraded my home NAS server and my 
remote Backup server without a glitch including upgrade of ZFS and all ports. 
Everything now works as on 12.2.

freebsd-update -r 13.0-RELEASE upgrade
/usr/sbin/freebsd-update install
fix /etc/ssh/sshd_conf
shutdown -r now
freebsd-update install
pkg-static install -f pkg
pkg bootstrap -f
pkg update
pkg upgrade
freebsd-update install
shutdown -r now
zpool upgrade nas

Excellent work from the FreeBSD team!

Thanks
Peter

___
freebsd-stable@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"

Re: zfs native encryption best practices on RELENG13

2021-04-23 Thread Peter Libassi 


> 23 apr. 2021 kl. 23:23 skrev Xin Li via freebsd-stable 
> :
> 
> On 4/23/21 13:53, mike tancsa wrote:
>> Starting to play around with RELENG_13 and wanted explore ZFS' built in
>> encryption.  Is there a best practices doc on how to do full disk
>> encryption anywhere thats not GELI based  ?  There are lots for 
>> GELI,
>> but nothing I could find for native OpenZFS encryption on FreeBSD
>> 
>> i.e box gets rebooted, enter in passphrase to allow it to boot kind of
>> thing from the boot loader prompt ?
> 
> I think loader do not support the native OpenZFS encryption yet.
> However, you can encrypt non-essential datasets on a boot pool (that is,
> if com.datto:encryption is "active" AND the bootfs dataset is not
> encrypted, you can still boot from it).
> 
> BTW instead of entering passphrase at loader prompt, if / is not
> encrypted, it's also possible to do something like
> https://lists.freebsd.org/pipermail/freebsd-security/2012-August/006547.html
> .
> 
> Personally I'd probably go with GELI (or other kind of full disk
> encryption) regardless if OpenZFS's native encryption is used because my
> primary goal is to be able to just throw away bad disks when they are
> removed from production [1].  If the pool is not fully encrypted, there
> is always a chance that the sensitive data have landed some unencrypted
> datasets and never gets fully overwritten.
> 
> [1] Also keep in mind: https://xkcd.com/538/
> 
> Cheers,
> 
Yes, I’ve come to the same conclusion. This should be used on a data-zpool and 
not on the system-pool (zroot). Encryption is per dataset. Also if found that 
if the encrypted dataset is not mounted of some reason you will be writing to 
the parent unencrypted dataset.. At least it works for encrypted thumb_drive, i 
just posted this quick guide 
https://forums.freebsd.org/threads/freebsd-13-openzfs-encrypted-thumb-drive.80008/
 


/Peter
___
freebsd-stable@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"