On Fri, Dec 12, 2025 at 04:38:36PM -0700, [email protected] wrote:
> I have been using vnconfig encrypted filesystems since they were
> introduced, and am concerned that maybe I have been doing something
> wrong all these years.
>
> Yes, I am considering using softraid crypto, but I am still curious
> about this issue.
>
> I have been creating the filesystem on 'c' instead of on 'a'. To be
> specific, the following is a version of what I have been using:
>
> #!/bin/sh
> # Create a vnconfig encrypted filesystem,
> # using ffs, and on vnd1c
> doas dd if=/dev/zero of=efsc bs=1m count=1
> doas vnconfig -K 1000 -S salt -v /dev/vnd1c efsc
> doas newfs /dev/rvnd1c
> # Need this before attempting to mount
> doas vnconfig -u vnd1
>
> which creates the encrypted filesystem that I have been using for over
> a decade, which is mounted with:
>
> #!/bin/sh
> doas vnconfig -S salt -K 1000 /dev/vnd1c efsc
> doas mount /dev/vnd1c fsc
>
> My question is this. Should I instead have created the filesystem with:
>
> #!/bin/sh
> # Create a vnconfig encrypted filesystem,
> # using disklabel, and on vnd2a
> doas dd if=/dev/zero of=efsa bs=1m count=1
> doas vnconfig -K 1000 -S salt -v /dev/vnd2c efsa
> echo 'a a\n\n\n\nw\nq\n' | doas disklabel -E vnd2
> doas newfs /dev/rvnd2a
> # Need this before attempting to mount
> doas vnconfig -u vnd2
>
> which mounts using:
>
> #!/bin/sh
> doas vnconfig -S salt -K 1000 /dev/vnd2c efsa
> doas mount /dev/vnd2a fsa
>
> Both seem to work fine. Which one is correct?
>
> If one is wrong (which would probably be the one that I have been
> using), then what are the problems that occur as a result of using the
> wrong one?
>
> Thanks
>
Ah, I now have read your question more carefully. Do not create a
filesystem on c. One scenario that will hurt: if things go wrong and
your primary superblock is broken, fsck will not have the redundant
information in the disklabel to reconstruct the location of the
alternate superblocks.
-Otto
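
An added example, not part of the thread: a check that reads `disklabel` output and reports whether any partition other than 'c' is typed 4.2BSD with fsize/bsize/cpg recorded. It assumes those per-partition columns are the redundant information the reply refers to; `check_label` and the two abbreviated sample labels are constructed for illustration, sized to match the 1 MB images in the question.

```sh
#!/bin/sh
# Added example (not from the thread). Reads `disklabel` output on stdin and
# reports partitions other than 'c' that are typed 4.2BSD and carry the
# fsize/bsize/cpg columns. Exit status 0 if at least one exists, else 1.
check_label() {
    awk '
        $1 ~ /^[a-p]:$/ && $1 != "c:" && $4 == "4.2BSD" &&
        $5 ~ /^[0-9]+$/ && $6 ~ /^[0-9]+$/ && $7 ~ /^[0-9]+$/ {
            printf "%s fsize=%s bsize=%s cpg=%s\n", $1, $5, $6, $7
            ok = 1
        }
        END { exit (ok ? 0 : 1) }
    '
}

# Constructed sample: label after "disklabel -E" added 'a' and newfs ran on it.
label_on_a() {
    cat <<'EOF'
# /dev/rvnd2c:
type: vnd
bytes/sector: 512
total sectors: 2048

16 partitions:
#                size           offset  fstype [fsize bsize   cpg]
  a:             2048                0  4.2BSD   2048 16384     1
  c:             2048                0  unused
EOF
}

# Constructed sample: filesystem made directly on 'c', no other partition.
label_on_c() {
    cat <<'EOF'
# /dev/rvnd1c:
type: vnd
bytes/sector: 512
total sectors: 2048

16 partitions:
#                size           offset  fstype [fsize bsize   cpg]
  c:             2048                0  unused
EOF
}

label_on_a | check_label || echo "vnd2: no FFS geometry in label"
label_on_c | check_label || echo "vnd1: no FFS geometry in label"
```

On a live system the same function can be fed from `doas disklabel vnd2 | check_label` while the image is configured.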