On Sat, Dec 13, 2025 at 09:57:14AM +0100, Otto Moerbeek wrote:
> On Fri, Dec 12, 2025 at 04:38:36PM -0700, [email protected] wrote:
>
> > I have been using vnconfig encrypted filesystems since they were
> > introduced, and am concerned that maybe I have been doing something
> > wrong all these years.
> >
> > Yes, I am considering using softraid crypto, but I am still curious
> > about this issue.
> >
> > I have been creating the filesystem on 'c' instead of on 'a'. To be
> > specific, the following is a version of what I have been using:
> >
> > #!/bin/sh
> > # Create a vnconfig encrypted filesystem,
> > # using ffs, and on vnd1c
> > doas dd if=/dev/zero of=efsc bs=1m count=1
> > doas vnconfig -K 1000 -S salt -v /dev/vnd1c efsc
> > doas newfs /dev/rvnd1c
> > # Need this before attempting to mount
> > doas vnconfig -u vnd1
> >
> > which creates the encrypted filesystem that I have been using for over
> > a decade, which is mounted with:
> >
> > #!/bin/sh
> > doas vnconfig -S salt -K 1000 /dev/vnd1c efsc
> > doas mount /dev/vnd1c fsc
> >
> > My question is this. Should I instead have created the filesystem with:
> >
> > #!/bin/sh
> > # Create a vnconfig encrypted filesystem,
> > # using disklabel, and on vnd2a
> > doas dd if=/dev/zero of=efsa bs=1m count=1
> > doas vnconfig -K 1000 -S salt -v /dev/vnd2c efsa
> > echo 'a a\n\n\n\nw\nq\n' | doas disklabel -E vnd2
> > doas newfs /dev/rvnd2a
> > # Need this before attempting to mount
> > doas vnconfig -u vnd2
> >
> > which mounts using:
> >
> > #!/bin/sh
> > doas vnconfig -S salt -K 1000 /dev/vnd2c efsa
> > doas mount /dev/vnd2a fsa
> >
> > Both seem to work fine. Which one is correct?
> >
> > If one is wrong (which would probably be the one that I have been
> > using), then what are the problems that occur as a result of using the
> > wrong one?
> >
> > Thanks
> >
>
> Ah, I now have read your question more carefully. Do not create a
> filesystem on c. One scenario that will hurt: if things go wrong and
> your primary superblock is broken fsck will not have the redundant
> information in the disklabel to reconstruct the location of the
> alternate superblocks.
>
> -Otto

Thank you for your reply. I'll recreate encrypted vnconfig filesystems with an 'a' partition.

I was led to this question because I had been unable to run fsck on encrypted filesystems after a power failure. For many years fsck worked fine recovering such filesystems. Then a few years ago it stopped working, as you have described. Maybe OpenBSD changed, or maybe I was just lucky during those initial years. Fortunately, I had good backups and was able to recreate the filesystems after the power failures.

In the course of thinking about the problem, I was led to notice my failure to run disklabel, and suspect that that might be the problem. And it appears that it was.

I've still got the broken encrypted filesystems, and it would be of interest to resurrect them if I could. Does anyone know whether there is any way to attempt to recover a vnconfig encrypted filesystem if the primary superblock is broken due to having used 'c' instead of creating 'a' using disklabel? If not, I'll free up some space by getting rid of the saved ones.
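
For the recovery question above, one read-only starting point is to scan the attached, decrypted vnd device for surviving superblock copies and hand a candidate sector to `fsck_ffs -b`. The scanner below is an added example, not code from this thread or from OpenBSD; the `struct fs` field offsets, the magic values and the little-endian byte order are assumptions taken from the BSD FFS on-disk format.

```python
import struct
import sys

SECTOR = 512        # DEV_BSIZE, the unit fsck_ffs -b expects
MAGIC_OFF = 1372    # fs_magic within struct fs (assumed layout)
BSIZE_OFF = 48      # fs_bsize within struct fs (assumed layout)
MAGICS = {0x00011954: "FFS1", 0x19540119: "FFS2"}
PRIMARY = {8192: "FFS1", 65536: "FFS2"}  # usual primary superblock byte offsets
OVERLAP = 2048      # sector multiple >= MAGIC_OFF + 4, keeps raw-device reads aligned


def plausible(buf, off):
    """Return 'FFS1'/'FFS2' if a superblock plausibly starts at buf[off], else None."""
    magic, = struct.unpack_from("<I", buf, off + MAGIC_OFF)  # little-endian assumed
    bsize, = struct.unpack_from("<i", buf, off + BSIZE_OFF)
    # Reject stray magic values: the block size must be a power of two in range.
    ok_bsize = 4096 <= bsize <= 65536 and bsize & (bsize - 1) == 0
    return MAGICS.get(magic) if ok_bsize else None


def find_superblocks(dev, chunk=1 << 20):
    """Scan a seekable binary stream; return [(sector, kind, is_primary), ...]."""
    hits, base = [], 0
    while True:
        dev.seek(base)
        buf = dev.read(chunk + OVERLAP)
        # Only sector-aligned starts inside this chunk; the overlap covers the tail.
        for off in range(0, min(chunk, len(buf) - MAGIC_OFF - 3), SECTOR):
            kind = plausible(buf, off)
            if kind:
                pos = base + off
                hits.append((pos // SECTOR, kind, PRIMARY.get(pos) == kind))
        if len(buf) <= chunk:   # short read: end of device or image
            return hits
        base += chunk


if __name__ == "__main__":
    # Argument: the attached, decrypted device, e.g. /dev/rvnd1c (opened read-only).
    with open(sys.argv[1], "rb", buffering=0) as dev:
        for sector, kind, primary in find_superblocks(dev):
            print(sector, kind, "primary" if primary else "alternate candidate")
```

Because the filesystem was created on 'c', which starts at the beginning of the device, the reported sector numbers are already relative to the partition. Work on a copy of the image file when trying a candidate with fsck.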

