Discussion:
Striped mirror raid10
Bernt Hansson
2016-06-01 11:00:32 UTC
Reply to me and not the list only, since FreeBSD's mail server is blacklisted.

http://www.sorbs.net/lookup.shtml
Brandon J. Wandersee
2016-06-01 17:57:56 UTC
Hello list!
I have set up a striped mirror;
Name             Status    Components
mirror/gmirror0  COMPLETE  ada0 (ACTIVE)
                           ada1 (ACTIVE)
mirror/gmirror1  COMPLETE  ada2 (ACTIVE)
                           ada3 (ACTIVE)
Name             Status    Components
stripe/stripe0   UP        mirror/gmirror0
                           mirror/gmirror1
/dev/stripe/stripe0  1.8T  4.0K  1.8T  0%  /raid10
Now I want to encrypt it, but is that wise? I mean you can remove a
disk from the mirror, won't that break the encryption? And the
mirror/stripe.
Encrypt the disks/partitions themselves, not the stripe or mirror. You
can then create mirrors of the resulting *.eli device nodes, then create
a stripe from the mirrors. You can unlock the disks/partitions at boot
thus:

1) First, run `geli configure -b <disk/partition>` on each encrypted
disk/partition, so you will be prompted for the passphrase for each
encrypted partition during boot.
2) Next, add the line 'geom_eli_passphrase_prompt=YES' to the file
/boot/loader.conf. This will add a passphrase prompt to the boot menu,
allowing you to enter the passphrase for the disks one time only,
before the boot process begins.
--
:: Brandon J. Wandersee
:: ***@gmail.com
:: --------------------------------------------------
:: 'The best design is as little design as possible.'
:: --- Dieter Rams ----------------------------------
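
The layering described in the reply above, written out as a dry-run sketch that only prints the commands. This is an added example, not part of any post in the thread. Disk and volume names come from the status output in the question; the use of `geli init -b`, a shared passphrase, `newfs -U` and the module-load lines are assumptions.

```sh
#!/bin/sh
# Added example: prints the commands, runs nothing (dry run).
# Assumes the old stripe and mirrors on the raw disks are already destroyed
# and that every disk is initialised with the same passphrase.

# plan_raid10 DISK... : disks are paired in order, one mirror per pair.
plan_raid10() {
    if [ "$#" -lt 4 ] || [ $(( $# % 2 )) -ne 0 ]; then
        echo "need an even number of disks, at least 4" >&2
        return 1
    fi
    # Layer 1: GELI on every disk. -b is the boot flag that
    # 'geli configure -b' sets on an existing provider.
    for d in "$@"; do
        echo "geli init -b /dev/$d"
        echo "geli attach /dev/$d"
    done
    # Layer 2: mirrors built from the decrypted .eli nodes.
    n=0
    mirrors=""
    while [ "$#" -gt 0 ]; do
        echo "gmirror label gmirror$n /dev/$1.eli /dev/$2.eli"
        mirrors="$mirrors mirror/gmirror$n"
        n=$((n + 1))
        shift 2
    done
    # Layer 3: one stripe across the mirrors, then the filesystem.
    echo "gstripe label stripe0$mirrors"
    echo "newfs -U /dev/stripe/stripe0"
}

# Lines for /boot/loader.conf: load the GEOM classes and ask once at the menu.
plan_loader_conf() {
    for class in eli mirror stripe; do
        echo "geom_${class}_load=\"YES\""
    done
    echo 'geom_eli_passphrase_prompt="YES"'
}

plan_raid10 ada0 ada1 ada2 ada3
plan_loader_conf
```

With this layout each mirror member holds only ciphertext, so a disk pulled from a mirror exposes no plaintext, and a replacement disk needs its own `geli init` and `geli attach` before it is added to the mirror.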
David Christensen
2016-06-01 19:45:00 UTC
Post by Brandon J. Wandersee
Hello list!
I have set up a striped mirror;
Name             Status    Components
mirror/gmirror0  COMPLETE  ada0 (ACTIVE)
                           ada1 (ACTIVE)
mirror/gmirror1  COMPLETE  ada2 (ACTIVE)
                           ada3 (ACTIVE)
Name             Status    Components
stripe/stripe0   UP        mirror/gmirror0
                           mirror/gmirror1
/dev/stripe/stripe0  1.8T  4.0K  1.8T  0%  /raid10
Now I want to encrypt it, but is that wise? I mean you can remove a
disk from the mirror, won't that break the encryption? And the
mirror/stripe.
Encrypt the disks/partitions themselves, not the stripe or mirror. You
can then create mirrors of the resulting *.eli device nodes, then create
a stripe from the mirrors. You can unlock the disks/partitions at boot
thus:
1) First, run `geli configure -b <disk/partition>` on each encrypted
disk/partition, so you will be prompted for the passphrase for each
encrypted partition during boot.
2) Next, add the line 'geom_eli_passphrase_prompt=YES' to the file
/boot/loader.conf. This will add a passphrase prompt to the boot menu,
allowing you to enter the passphrase for the disks one time only,
before the boot process begins.
I would think that you would want to encrypt one virtual device, rather
than two physical devices, so that the CPU only has to deal with one
encryption layer, not two encryption layers.


With the encryption on top of the mirror: if one physical device fails,
the cyphertext on the other physical drive will still exist and the
virtual device will still provide plaintext. When the failed drive is
replaced, it will be resilvered using the cyphertext from the good
physical drive.


David
David Christensen
2016-06-01 19:47:44 UTC
Post by David Christensen
I would think that you would want to encrypt one virtual device, rather
than two physical devices, so that the CPU only has to deal with one
encryption layer, not two encryption layers.
Make that four physical devices, not two.


David
