Vinny wrote:
Hello Everyone,
I've been reading up on geli and decided I wanted to
use data authentication. This involves the -a switch
on the geli init command. Here's what I've found:
= No authentication (the disk size is correct @ 152G):
the/root{143}~# geli init da1
Enter new passphrase:
Reenter new passphrase:
the/root{144}~# geli attach da1
Enter passphrase:
the/root{147}~# newfs -N /dev/da1.eli
/dev/da1.eli: 152627.8MB (312581804 sectors) block size 16384, fragment
size 2048
using 831 cylinder groups of 183.77MB, 11761 blks, 23552 inodes.
super-block backups (for fsck -b #) at:
160, 376512, 752864, ...
the/root{148}~# newfs /dev/da1.eli
/dev/da1.eli: 152627.8MB (312581804 sectors) block size 16384, fragment
size 2048
using 831 cylinder groups of 183.77MB, 11761 blks, 23552 inodes.
super-block backups (for fsck -b #) at:
160, 376512, 752864, 1129216, ...
= With hmac/sha256 (or any other) authentication
(small disk size 76G) :
the/root{156}~# geli init -a hmac/sha256 /dev/da1
Enter new passphrase:
Reenter new passphrase:
the/root{157}~#
the/root{157}~# geli attach da1
Enter passphrase:
the/root{159}~# newfs -N /dev/da1.eli
/dev/da1.eli: 76313.9MB (156290900 sectors) block size 16384, fragment
size 2048
using 416 cylinder groups of 183.77MB, 11761 blks, 23552 inodes.
super-block backups (for fsck -b #) at:
160, 376512, 752864, ...
the/root{163}~# newfs /dev/da1.eli
/dev/da1.eli: 76313.9MB (156290900 sectors) block size 16384, fragment
size 2048
using 416 cylinder groups of 183.77MB, 11761 blks, 23552 inodes.
newfs: can't read old UFS1 superblock: read error from block device:
Invalid argument
the/root{110}~# geli dump -v da1
Metadata on da1:
magic: GEOM::ELI
version: 3
flags: 0x10
ealgo: AES-CBC
keylen: 128
aalgo: HMAC/SHA256
provsize: 160041885696
sectorsize: 512
keys: 0x01
iterations: 67988
Salt: c708
=
Anyone know what I've done wrong? Is data authentication working?
Thanks!
Vinny
The eventual solution came from Richard Farr. A few messages
later, here are the results:
I wrote:
Hello Richard and Thanks! Sorry for my late reply.
Richard Farr wrote:
Hi Vinny,
I had this problem as well when trying to initialize a disk with GELI
and create slices/partitions/fs.
I believe the problem is caused because the sectors of the newly
created GELI device still have whatever data was in them from before
the geli init command. Therefore, this data will not have the
correct MAC inside of the sector. It looks like newfs attempts to
read from some of these uninitialized sectors - causing a MAC
verification failure and a read error. In order to fix this, simply
attach the geli device and then use dd to write to all sectors of the
device to update them with a correct MAC:
dd if=/dev/random of=/dev/da1.eli bs=8M
Once this is done newfs should work like a charm.
Indeed, the results follow, but I'd like to thank you
for the solution. I had habitually used dd on
the raw device before running geli init. That is,
dd if=/dev/random of=/dev/da2 bs=1m
Then I'd init it. Didn't occur to me that doing
that on the da2.eli device would solve the newfs
problem.
The results:
the/root{120}~# geli init -a hmac/sha256 /dev/da2
Enter new passphrase:
Reenter new passphrase:
the/root{121}~# geli attach da2
Enter passphrase:
the/root{122}~# newfs -N /dev/da2.eli
/dev/da2.eli: 977.0MB (2000876 sectors) block size 16384, fragment
size 2048
using 6 cylinder groups of 183.77MB, 11761 blks, 23552 inodes.
super-block backups (for fsck -b #) at:
160, 376512, 752864, 1129216, 1505568, 1881920
the/root{123}~# newfs /dev/da2.eli
/dev/da2.eli: 977.0MB (2000876 sectors) block size 16384, fragment
size 2048
using 6 cylinder groups of 183.77MB, 11761 blks, 23552 inodes.
newfs: can't read old UFS1 superblock: read error from block device:
Invalid argument
the/root{124}~# dd if=/dev/random of=/dev/da2.eli bs=1m
load: 1.15 cmd: dd 96350 [physwr] 0.00u 30.56s 9% 1668k
747+0 records in
746+0 records out
782237696 bytes transferred in 322.992946 secs (2421841 bytes/sec)
dd: /dev/da2.eli: short write on character device
dd: /dev/da2.eli: end of device
977+0 records in
976+1 records out
1024450048 bytes transferred in 422.242968 secs (2426210 bytes/sec)
the/root{125}~# newfs -N /dev/da2.eli
/dev/da2.eli: 977.0MB (2000876 sectors) block size 16384, fragment
size 2048
using 6 cylinder groups of 183.77MB, 11761 blks, 23552 inodes.
super-block backups (for fsck -b #) at:
160, 376512, 752864, 1129216, 1505568, 1881920
the/root{126}~# newfs /dev/da2.eli
/dev/da2.eli: 977.0MB (2000876 sectors) block size 16384, fragment
size 2048
using 6 cylinder groups of 183.77MB, 11761 blks, 23552 inodes.
super-block backups (for fsck -b #) at:
160, 376512, 752864, 1129216, 1505568, 1881920
Success!
Vinny
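
The failure Richard Farr describes, as an added example that is not part of the original thread and is not geli's code: a toy block device that stores an HMAC-SHA256 tag beside each sector and refuses reads whose tag does not verify. The layout, the `AuthenticatedDevice` class and the choice to bind the tag to the sector index are assumptions of this model, encryption is left out, and the leftover disk contents are constructed random bytes.

```python
import errno
import hashlib
import hmac
import os

SECTOR = 512                 # data bytes per sector in this model (assumption)
MAC_LEN = 32                 # length of an HMAC-SHA256 tag
STRIDE = SECTOR + MAC_LEN    # bytes one sector occupies on the backing store

class AuthenticatedDevice:
    """Toy stand-in for an attached .eli provider with data authentication."""
    def __init__(self, raw, key):
        self.raw = raw       # backing store laid out as data || tag, per sector
        self.key = key
        self.nsectors = len(raw) // STRIDE

    def _tag(self, index, data):
        # Model choice: the tag also covers the sector index.
        return hmac.new(self.key, index.to_bytes(8, "little") + data, hashlib.sha256).digest()

    def write(self, index, data):
        off = index * STRIDE
        self.raw[off:off + STRIDE] = data + self._tag(index, data)

    def read(self, index):
        off = index * STRIDE
        data = bytes(self.raw[off:off + SECTOR])
        stored = bytes(self.raw[off + SECTOR:off + STRIDE])
        if not hmac.compare_digest(stored, self._tag(index, data)):
            raise OSError(errno.EINVAL, "MAC verification failed")  # "Invalid argument"
        return data

def unreadable_sectors(dev):
    bad = []
    for i in range(dev.nsectors):
        try:
            dev.read(i)
        except OSError:
            bad.append(i)
    return bad

def demo(nsectors=8):
    # Constructed input: leftover bytes that were on the disk before init.
    dev = AuthenticatedDevice(bytearray(os.urandom(nsectors * STRIDE)), os.urandom(32))
    before = unreadable_sectors(dev)       # every sector fails verification
    for i in range(dev.nsectors):          # the dd pass onto the .eli device
        dev.write(i, os.urandom(SECTOR))
    return before, unreadable_sectors(dev)
```

`demo()` returns the unreadable sector numbers before and after the full write pass: every sector before, none after.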