Re: swap on encrypted softraid, performance penalty?
> I think you will find that hibernate doesn’t work with this setup if you try it. I found this write-up explaining a little better: http://undeadly.org/cgi?action=article&sid=20131112031806
>
> Seems double-encrypted swap or dual swap partitions is the way to go if you want hibernate to work and don’t want to recompile the kernel. I’ll start by trying out the double-encrypted swap, since I won’t be running heavy loads on this machine and only have a 128gb ssd in it.

Nope. I have fully working hibernate on T430 with swap on softraid volume as b partition and swap encryption disabled. There's only a partition on physical drive:

$ disklabel sd1 (physical drive)
#           size     offset  fstype [fsize bsize cpg]
  a:   468856961         64    RAID
  c:   468862128          0  unused

$ disklabel sd2 (softraid volume)
#           size     offset  fstype [fsize bsize cpg]
  a:     2097152         64  4.2BSD   2048 16384   1 # /
  b:    33427536    2097216    swap                  # none
  c:   468856433          0  unused
  d:    41940640   35524768  4.2BSD   2048 16384   1 # /var
  e:     4192960   77465408  4.2BSD   2048 16384   1 # /usr
  f:     2088448   81658368  4.2BSD   2048 16384   1 # /usr/X11R6
  g:    20964832   83746816  4.2BSD   2048 16384   1 # /usr/local
  h:   364129280  104711680  4.2BSD   4096 32768   1 # /home

System is default 5.7 stable without kernel reconfiguration.

J.
Re: swap on encrypted softraid, performance penalty?
On 21 May 2015, at 08:48, Ján Kušniar jkusn...@gmail.com wrote:

>> I think you will find that hibernate doesn’t work with this setup if you try it. I found this write-up explaining a little better: http://undeadly.org/cgi?action=article&sid=20131112031806
>>
>> Seems double-encrypted swap or dual swap partitions is the way to go if you want hibernate to work and don’t want to recompile the kernel. I’ll start by trying out the double-encrypted swap, since I won’t be running heavy loads on this machine and only have a 128gb ssd in it.
>
> Nope. I have fully working hibernate on T430 with swap on softraid volume as b partition and swap encryption disabled. There's only a partition on physical drive:

That’s what we have already confirmed to work. It’s when you put the swap on another partition than the encrypted disk containing the / partition that it won’t work without reconfiguration.
Re: swap on encrypted softraid, performance penalty?
I think you will find that hibernate doesn’t work with this setup if you try it. I found this write-up explaining a little better: http://undeadly.org/cgi?action=article&sid=20131112031806

Seems double-encrypted swap or dual swap partitions is the way to go if you want hibernate to work and don’t want to recompile the kernel. I’ll start by trying out the double-encrypted swap, since I won’t be running heavy loads on this machine and only have a 128gb ssd in it.

On 19 May 2015, at 21:48, Jonathan Thornburg jth...@astro.indiana.edu wrote:

> In message http://marc.info/?l=openbsd-misc&m=143181492518064&w=1, Fredrik Alm fred () fredrikalm ! com asked about how to handle the swap partition when using whole-disk softraid crypto:
>
> > I've seen a few 'whole disk encryption' tutorials which puts the swap outside of the partition used for the softraid encryption, since openbsd already encrypts the swap partition anyway. I assume that by putting the swap inside the encrypted partition, there will be performance penalties because encryption is done twice? could someone shed a little light on this issue?
>
> In message http://marc.info/?l=openbsd-misc&m=143185210923894&w=1 dan mclaughlin thevoid () openmailbox ! org replied
>
> | where did you see those tutorials? i attempted this some months ago
> | (6-7) and it was not possible to have swap outside of the softraid.
> | i forget what the exact problem was (i should have taken better
> | notes...). i believe the system wouldn't boot properly, and i think
> | it was because the swap partition was on a different device.
>
> and later in the thread
>
> | honestly though, i don't know how the guy who wrote that tutorial got it to
> | work (if in fact he did...), i remember it being completely unworkable. i
> | think the only option was to rebuild the kernel, as you said, which really
> | isn't an option.
>
> In message http://marc.info/?l=openbsd-misc&m=143185991125110&w=1 Stefan Sperling stsp () stsp ! name replied
>
> # Keeping swap on the same disk as the root filesystem has some advantages.
> # For historical reasons the system expects this in various places.
> # More things (such as hibernate) will work out of the box this way.
>
> I can report that as of 5.6-stable/amd64, it *is* possible to have swap outside the softraid. I currently have this configuration running on a pair of Thinkpad T60 laptops, and I'm fully satisfied with it. Suspend-to-RAM works fine; I haven't tried hibernate.
>
> For this configuration, I wanted separate softraid-crypto partitions for the OS and for /home. After a few false starts, I settled on the following layout:
>
> sd0
> ---
> | a-+- (sd1) softraid crypt, size = 44.5G
> |   | a = root   256M
> |   | d = root2  256M
> |   | e = var    2G
> |   | f = var2   2G
> |   | g = usr    20G
> |   | h = usr2   20G
> |  -+-
> | b    swap 6G
> | j-+- (sd2) softraid crypt, size = all remaining space
> |   | j = home
> --- -+-
>
> sd0 is the physical disk
>   It has 3 openbsd-partitions: a, b, and j
> sd1 is a softraid-crypto disk living inside sd0a.
>   sd1 stores all the OS partitions, currently 5.6-stable in my case.
>   [In my case there are actually two sets of OS partitions, but at present I'm only using the a,e,g root,var,usr ones. The others are for future use as backups, in the same manner as I described (for an older OpenBSD system) in message http://marc.info/?l=openbsd-misc&m=125989140407974&w=1.]
> sd0b is the swap partition
> sd2 is a softraid-crypto disk living inside sd0j.
>   sd2 stores /home.
>
> Setting this up took a little bit of tinkering, but with a bit of guru help on misc@, everything eventually came out fine. Here's the procedure that eventually worked, starting from a new-from-the-factory disk just installed into the laptop:
>
> boot from 5.6 CD
>   Install, Upgrade, Autoinstall, or Shell -- Shell
>
> maybe type some commands so the kernel can accumulate some entropy in the random-number subsystem
>
> fill the entire disk with random data:
> (-- later steps won't leak which blocks have been written)
> (for a big disk this may take a day or so)
>   # dd if=/dev/arandom bs=1m of=/dev/sd0c
>
> I want to use the entire physical disk for OpenBSD:
>   # fdisk -i sd0
>   # disklabel -E sd0
>   add partitions
>     a @ offset 128, size 93323264 sectors, type RAID
>     b size 6G, type swap
>     j size everything-left, type RAID
>
> now create softraid-crypto sd1
>   # cd /dev
>   # sh MAKEDEV sd1
>   # dd if=/dev/zero bs=1m count=1 of=/dev/rsd0a
>   # bioctl -c C -r 10 -l /dev/sd0a softraid0
>   (enter sd1 passphrase)
>   (enter sd1 passphrase again)
> This passphrase will be the boot passphrase.
>
> Now install OpenBSD from the CD into sd1,
>   # install
> creating whatever OS partitions you like (in my case a,d,e,f,g,h, as noted above). Two notes about this: First, put the root partition (a) at offset 256
Re: swap on encrypted softraid, performance penalty?
In message http://marc.info/?l=openbsd-misc&m=143181492518064&w=1, Fredrik Alm fred () fredrikalm ! com asked about how to handle the swap partition when using whole-disk softraid crypto:

> I've seen a few 'whole disk encryption' tutorials which puts the swap outside of the partition used for the softraid encryption, since openbsd already encrypts the swap partition anyway. I assume that by putting the swap inside the encrypted partition, there will be performance penalties because encryption is done twice? could someone shed a little light on this issue?

In message http://marc.info/?l=openbsd-misc&m=143185210923894&w=1 dan mclaughlin thevoid () openmailbox ! org replied

| where did you see those tutorials? i attempted this some months ago
| (6-7) and it was not possible to have swap outside of the softraid.
| i forget what the exact problem was (i should have taken better
| notes...). i believe the system wouldn't boot properly, and i think
| it was because the swap partition was on a different device.

and later in the thread

| honestly though, i don't know how the guy who wrote that tutorial got it to
| work (if in fact he did...), i remember it being completely unworkable. i
| think the only option was to rebuild the kernel, as you said, which really
| isn't an option.

In message http://marc.info/?l=openbsd-misc&m=143185991125110&w=1 Stefan Sperling stsp () stsp ! name replied

# Keeping swap on the same disk as the root filesystem has some advantages.
# For historical reasons the system expects this in various places.
# More things (such as hibernate) will work out of the box this way.

I can report that as of 5.6-stable/amd64, it *is* possible to have swap outside the softraid. I currently have this configuration running on a pair of Thinkpad T60 laptops, and I'm fully satisfied with it. Suspend-to-RAM works fine; I haven't tried hibernate.

For this configuration, I wanted separate softraid-crypto partitions for the OS and for /home. After a few false starts, I settled on the following layout:

sd0
---
| a-+- (sd1) softraid crypt, size = 44.5G
|   | a = root   256M
|   | d = root2  256M
|   | e = var    2G
|   | f = var2   2G
|   | g = usr    20G
|   | h = usr2   20G
|  -+-
| b    swap 6G
| j-+- (sd2) softraid crypt, size = all remaining space
|   | j = home
--- -+-

sd0 is the physical disk
  It has 3 openbsd-partitions: a, b, and j
sd1 is a softraid-crypto disk living inside sd0a.
  sd1 stores all the OS partitions, currently 5.6-stable in my case.
  [In my case there are actually two sets of OS partitions, but at present I'm only using the a,e,g root,var,usr ones. The others are for future use as backups, in the same manner as I described (for an older OpenBSD system) in message http://marc.info/?l=openbsd-misc&m=125989140407974&w=1.]
sd0b is the swap partition
sd2 is a softraid-crypto disk living inside sd0j.
  sd2 stores /home.

Setting this up took a little bit of tinkering, but with a bit of guru help on misc@, everything eventually came out fine. Here's the procedure that eventually worked, starting from a new-from-the-factory disk just installed into the laptop:

boot from 5.6 CD
  Install, Upgrade, Autoinstall, or Shell -- Shell

maybe type some commands so the kernel can accumulate some entropy in the random-number subsystem

fill the entire disk with random data:
(-- later steps won't leak which blocks have been written)
(for a big disk this may take a day or so)
  # dd if=/dev/arandom bs=1m of=/dev/sd0c

I want to use the entire physical disk for OpenBSD:
  # fdisk -i sd0
  # disklabel -E sd0
  add partitions
    a @ offset 128, size 93323264 sectors, type RAID
    b size 6G, type swap
    j size everything-left, type RAID

now create softraid-crypto sd1
  # cd /dev
  # sh MAKEDEV sd1
  # dd if=/dev/zero bs=1m count=1 of=/dev/rsd0a
  # bioctl -c C -r 10 -l /dev/sd0a softraid0
  (enter sd1 passphrase)
  (enter sd1 passphrase again)
This passphrase will be the boot passphrase.

Now install OpenBSD from the CD into sd1,
  # install
creating whatever OS partitions you like (in my case a,d,e,f,g,h, as noted above). Two notes about this: First, put the root partition (a) at offset 256 as per Christian Weisgerber naddy () mips ! inka ! de's super-helpful comments in message http://marc.info/?l=openbsd-misc&m=141519757707447&w=1. And second, don't create either a swap partition (b) or a /home partition at this point -- those will come later.

Now boot the newly-installed system (this will require entering the boot passphrase, of course). Once it's up and running, edit /etc/fstab to add sd0b as a swap partition:
  /dev/sd0b none swap sw 0 0

Now set up softraid-crypto sd2 to hold /home
  # dd if=/dev/zero bs=1m count=1 of=/dev/rsd0j
  # bioctl -c C -r 10 -l
Re: swap on encrypted softraid, performance penalty?
dan mclaughlin wrote:

> in the end i found it easier to just leave it all in the softraid for other reasons in addition to that issue. as to swap encryption, i disabled it. no need to encrypt twice.

to the contrary, uvm swap encrypt does a better job of expiring keys and making old data unrecoverable.
Re: swap on encrypted softraid, performance penalty?
On Sun, 17 May 2015 00:20:52 +0200 Fredrik Alm f...@fredrikalm.com wrote:

> I’ve seen a few “whole disk encryption” tutorials which puts the swap outside of the partition used for the softraid encryption, since openbsd already encrypts the swap partition anyway. I assume that by putting the swap inside the encrypted partition, there will be performance penalties because encryption is done twice? could someone shed a little light on this issue?

where did you see those tutorials? i attempted this some months ago (6-7) and it was not possible to have swap outside of the softraid. i forget what the exact problem was (i should have taken better notes...). i believe the system wouldn't boot properly, and i think it was because the swap partition was on a different device.

in the end i found it easier to just leave it all in the softraid for other reasons in addition to that issue. as to swap encryption, i disabled it. no need to encrypt twice.
Re: swap on encrypted softraid, performance penalty?
On Sun, 17 May 2015 04:32:38 +0200 Fredrik Alm f...@fredrikalm.com wrote:

> On 17 May 2015, at 02:19, dan mclaughlin thev...@openmailbox.org wrote:
>
>> On Sun, 17 May 2015 00:20:52 +0200 Fredrik Alm f...@fredrikalm.com wrote:
>>
>>> I’ve seen a few “whole disk encryption” tutorials which puts the swap outside of the partition used for the softraid encryption, since openbsd already encrypts the swap partition anyway. I assume that by putting the swap inside the encrypted partition, there will be performance penalties because encryption is done twice? could someone shed a little light on this issue?
>>
>> where did you see those tutorials? i attempted this some months ago (6-7) and it was not possible to have swap outside of the softraid. i forget what the exact problem was (i should have taken better notes...). i believe the system wouldn't boot properly, and i think it was because the swap partition was on a different device.
>>
>> in the end i found it easier to just leave it all in the softraid for other reasons in addition to that issue. as to swap encryption, i disabled it. no need to encrypt twice.
>
> this is one of the tutorials: http://www.bsdnow.tv/tutorials/fde
>
> I found that when the swap was on a different disk (sd0b instead of sd1b, with the rest of the encrypted stuff on the softraid disk) the swap had to be added manually to the fstab and even then it was defaulted to /dev/sdb1 (which didn’t exist) for coredumps. I assume this is why ZZZ exited with a kernel error instead of hibernating when I tried this disklayout. When I just put everything including the swap on the softraid it worked like normal.
>
> I’ll just try turning the swap encryption off then, seems easier than reconfiguring the kernel to use sd0b as a dump device.

your experience sounds familiar (swap expected to be on the root device), and is why i think i abandoned the attempt to put the swap outside the partition. though i am pretty sure i had problems right at boot, not later.

honestly though, i don't know how the guy who wrote that tutorial got it to work (if in fact he did...), i remember it being completely unworkable. i think the only option was to rebuild the kernel, as you said, which really isn't an option.

also, those instructions to use bioctl will only work if there has not been a softraid crypto volume there previously. you need to clear the space via dd as in bioctl(8).
Re: swap on encrypted softraid, performance penalty?
On Sun, May 17, 2015 at 12:20:52AM +0200, Fredrik Alm wrote:

> I’ve seen a few “whole disk encryption” tutorials which puts the swap outside of the partition used for the softraid encryption, since openbsd already encrypts the swap partition anyway. I assume that by putting the swap inside the encrypted partition, there will be performance penalties because encryption is done twice? could someone shed a little light on this issue?

Keeping swap on the same disk as the root filesystem has some advantages. For historical reasons the system expects this in various places. More things (such as hibernate) will work out of the box this way.

If you really need to avoid a performance hit on swap, I'd recommend you add more memory to the system. If that's impossible you can add an additional swap device from a non-softraid part of the disk and set it to higher priority than the default swap. See swapctl(8).

The result could look something like this (sd2 being softraid crypto, sd0 being a swap partition on bare disk):

$ swapctl
Device      512-blocks     Used    Avail Capacity  Priority
/dev/sd0b     16783136        0 16783136     0%    0
/dev/sd2b     16771863        0 16771863     0%    1
Total         33554999        0 33554999     0%

Also note that if your machine supports aesni (AES cpu feature flag in dmesg) softraid encryption overhead is reduced by hardware crypto.
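Added example (not part of the message above or of the thread): the thread suggests both turning swap encryption off when swap sits inside the softraid volume and adding a bare-disk swap device, and the two together leave the bare-disk swap unencrypted. The function below classifies each device in swapctl output by the layers covering it; the names audit_swap and sample_swapctl are hypothetical, vm.swapencrypt.enable is assumed to be the sysctl that controls swap encryption, and the list of crypto volumes and the root disk are supplied by the operator.

```shell
#!/bin/sh
# Added example, not from the thread. Reads `swapctl -l` output on stdin and
# reports, per swap device, which encryption layers cover pages written to it.
#   $1  softraid CRYPTO disks, space separated (supplied by the operator)
#   $2  value of `sysctl -n vm.swapencrypt.enable` (0 or 1)
#   $3  disk that holds the root filesystem
# Exit status is 1 if any device would receive unencrypted pages.
audit_swap() {
    awk -v vols="$1" -v swapenc="$2" -v rootdisk="$3" '
    BEGIN {
        n = split(vols, v, " ")
        for (i = 1; i <= n; i++) crypto[v[i]] = 1
    }
    $1 !~ /^\/dev\// { next }            # header and "Total" lines
    {
        disk = $1
        sub(/^\/dev\//, "", disk)        # /dev/sd0b -> sd0b
        sub(/[a-p]$/, "", disk)          # sd0b      -> sd0
        if ((disk in crypto) && swapenc == 1) mode = "double-encrypted"
        else if (disk in crypto)              mode = "softraid-only"
        else if (swapenc == 1)                mode = "swapencrypt-only"
        else { mode = "PLAINTEXT"; bad = 1 }
        # Per the thread, hibernate expects swap on the root disk.
        where = (disk == rootdisk) ? "on-root-disk" : "off-root-disk"
        printf "%s %s %s prio=%s\n", $1, mode, where, $NF
    }
    END { exit bad + 0 }'
}

# Constructed sample: the two-device layout from the message above
# (sd0b on bare disk at priority 0, sd2b inside softraid crypto at 1).
sample_swapctl() {
    cat <<'EOF'
Device      512-blocks     Used    Avail Capacity  Priority
/dev/sd0b     16783136        0 16783136     0%    0
/dev/sd2b     16771863        0 16771863     0%    1
Total         33554999        0 33554999     0%
EOF
}

echo "vm.swapencrypt.enable=1:"
sample_swapctl | audit_swap "sd2" 1 sd2
echo "vm.swapencrypt.enable=0:"
sample_swapctl | audit_swap "sd2" 0 sd2 || echo "=> bare-disk swap is unencrypted"
```

On a live system the inputs would be `swapctl -l | audit_swap "sd2" "$(sysctl -n vm.swapencrypt.enable)" sd2`, with the volume and root disk names adjusted to the machine.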
Re: swap on encrypted softraid, performance penalty?
Yep, since my last mail I set it up on one big encrypted softraid, including the swap and turned off swap encryption and created a key disk on usb instead of a password. Works a lot better now and ZZZ works as it should (any ZZZ issues left are most likely related to not yet supported hardware).

On 17 May 2015, at 08:08, dan mclaughlin thev...@openmailbox.org wrote:

> On Sun, 17 May 2015 04:32:38 +0200 Fredrik Alm f...@fredrikalm.com wrote:
>
>> On 17 May 2015, at 02:19, dan mclaughlin thev...@openmailbox.org wrote:
>>
>>> On Sun, 17 May 2015 00:20:52 +0200 Fredrik Alm f...@fredrikalm.com wrote:
>>>
>>>> I’ve seen a few “whole disk encryption” tutorials which puts the swap outside of the partition used for the softraid encryption, since openbsd already encrypts the swap partition anyway. I assume that by putting the swap inside the encrypted partition, there will be performance penalties because encryption is done twice? could someone shed a little light on this issue?
>>>
>>> where did you see those tutorials? i attempted this some months ago (6-7) and it was not possible to have swap outside of the softraid. i forget what the exact problem was (i should have taken better notes...). i believe the system wouldn't boot properly, and i think it was because the swap partition was on a different device.
>>>
>>> in the end i found it easier to just leave it all in the softraid for other reasons in addition to that issue. as to swap encryption, i disabled it. no need to encrypt twice.
>>
>> this is one of the tutorials: http://www.bsdnow.tv/tutorials/fde
>>
>> I found that when the swap was on a different disk (sd0b instead of sd1b, with the rest of the encrypted stuff on the softraid disk) the swap had to be added manually to the fstab and even then it was defaulted to /dev/sdb1 (which didn’t exist) for coredumps. I assume this is why ZZZ exited with a kernel error instead of hibernating when I tried this disklayout. When I just put everything including the swap on the softraid it worked like normal.
>>
>> I’ll just try turning the swap encryption off then, seems easier than reconfiguring the kernel to use sd0b as a dump device.
>
> your experience sounds familiar (swap expected to be on the root device), and is why i think i abandoned the attempt to put the swap outside the partition. though i am pretty sure i had problems right at boot, not later.
>
> honestly though, i don't know how the guy who wrote that tutorial got it to work (if in fact he did...), i remember it being completely unworkable. i think the only option was to rebuild the kernel, as you said, which really isn't an option.
>
> also, those instructions to use bioctl will only work if there has not been a softraid crypto volume there previously. you need to clear the space via dd as in bioctl(8).
Re: swap on encrypted softraid, performance penalty?
On 17 May 2015, at 02:19, dan mclaughlin thev...@openmailbox.org wrote:

> On Sun, 17 May 2015 00:20:52 +0200 Fredrik Alm f...@fredrikalm.com wrote:
>
>> I’ve seen a few “whole disk encryption” tutorials which puts the swap outside of the partition used for the softraid encryption, since openbsd already encrypts the swap partition anyway. I assume that by putting the swap inside the encrypted partition, there will be performance penalties because encryption is done twice? could someone shed a little light on this issue?
>
> where did you see those tutorials? i attempted this some months ago (6-7) and it was not possible to have swap outside of the softraid. i forget what the exact problem was (i should have taken better notes...). i believe the system wouldn't boot properly, and i think it was because the swap partition was on a different device.
>
> in the end i found it easier to just leave it all in the softraid for other reasons in addition to that issue. as to swap encryption, i disabled it. no need to encrypt twice.

this is one of the tutorials: http://www.bsdnow.tv/tutorials/fde

I found that when the swap was on a different disk (sd0b instead of sd1b, with the rest of the encrypted stuff on the softraid disk) the swap had to be added manually to the fstab and even then it was defaulted to /dev/sdb1 (which didn’t exist) for coredumps. I assume this is why ZZZ exited with a kernel error instead of hibernating when I tried this disklayout. When I just put everything including the swap on the softraid it worked like normal.

I’ll just try turning the swap encryption off then, seems easier than reconfiguring the kernel to use sd0b as a dump device.
swap on encrypted softraid, performance penalty?
I’ve seen a few “whole disk encryption” tutorials which puts the swap outside of the partition used for the softraid encryption, since openbsd already encrypts the swap partition anyway. I assume that by putting the swap inside the encrypted partition, there will be performance penalties because encryption is done twice? could someone shed a little light on this issue?