
GELI error when using Software and Hardware Encryption

Discussion in 'General' started by overmind, Oct 6, 2011.

  1. overmind

    overmind Member

    I have a partition encrypted with geli on VIA hardware with hardware encryption enabled using padlock. The partition attaches and mounts OK. The problem is that the VIA hardware only supports AES-CBC 128, which is attached to geli as hardware encryption. When I add a USB hard drive with AES-XTS encryption (which is the default when using geli init), the system attaches the partition but I cannot see it in /dev as a .eli partition.

    So it seems that when mixing hardware and software attached geli devices, geli is not working properly. Did anybody get the same error as me? In fact I get no error on the console or in the logs; it's just not working.

    Code:
    # geli list
    Geom name: da0s1g.eli
    State: ACTIVE
    EncryptionAlgorithm: AES-CBC
    KeyLength: 128
    Crypto: hardware
    UsedKey: 0
    Flags: NONE
    Providers:
    1. Name: da0s1g.eli
       Mediasize: 251255582720 (234G)
       Sectorsize: 4096
       Mode: r1w1e1
    Consumers:
    1. Name: da0s1g
       Mediasize: 251255586816 (234G)
       Sectorsize: 512
       Mode: r1w1e1
    
    Geom name: da1s1g.eli
    State: ACTIVE
    EncryptionAlgorithm: AES-XTS
    KeyLength: 128
    Crypto: software
    UsedKey: 0
    Flags: READ-ONLY
    Providers:
    1. Name: da1s1g.eli
       Mediasize: 85983231488 (80G)
       Sectorsize: 512
       Mode: r0w0e0
    Consumers:
    1. Name: da1s1g
       Mediasize: 85983232000 (80G)
       Sectorsize: 512
       Mode: r1w0e1
    


    And in /var/dev:
    Code:
    # ls /dev/da*eli
    /dev/da0s1g.eli
    


    Where is /dev/da1s1g.eli?

    Here is more info:
    Code:
    # kldstat
    Id Refs Address    Size     Name
     1   11 0xc0400000 bd97b4   kernel
     2    1 0xc0fda000 8a80     geom_label.ko
     3    1 0xc2cde000 12000    geom_eli.ko
     4    2 0xc2d01000 23000    crypto.ko
     5    1 0xc2d27000 a000     zlib.ko
     6    1 0xc3536000 4000     padlock.ko
    


    and:

    Code:
    # dmesg|grep padlock
    padlock0: <AES-CBC,SHA1,SHA256> on motherboard
    


    and info from the console (from when I attached the geli device):
    Code:
    GEOM_ELI: Device da0s1g.eli created.
    GEOM_ELI: Encryption: AES-CBC 128
    GEOM_ELI:     Crypto: hardware
    GEOM_ELI: Device da1s1g.eli created.
    GEOM_ELI: Encryption: AES-XTS 128
    GEOM_ELI:     Crypto: software
    


    Code:
    uname -a
    FreeBSD www.example.com 8.2-RELEASE-p3 FreeBSD 8.2-RELEASE-p3 #0:Mon Oct  3 13:57:53 EEST 2011 admin@www.example.com:/usr/obj/usr/src/sys/MACHINE  i386
    


    Also, I have to mention that attaching the second device (the one that is software) takes a little longer than the hardware one, and longer than when I only use software.
     
  2. graudeejs

    graudeejs Well-Known Member

    Did you try # geli attach ...?

    System won't attach USB automatically.
    Auto attachment only works at boot.
     
  3. overmind

    overmind Member

    Yes, I've attached it using the geli attach command. And as you can see, /dev/da1s1g.eli appears in geli list but not in /dev (that is in fact the problem). So when crypto hardware is present, crypto software is not working properly?
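
The comparison made by hand in this thread, `geli list` against the contents of /dev, can be scripted. This is an added example, not part of the original posts: the function names `geli_summary` and `sample_geli_list` are hypothetical, and the sample input is constructed from the output quoted in the first post.

```shell
# Added example, not from the thread: one line per geli geom, plus whether
# its provider has a node in the device directory (default /dev).
geli_summary() {
    devdir=${1:-/dev}
    awk '
        function flush() { if (name != "") print name, alg "-" klen, crypto, flags, mode }
        $1 == "Geom" && $2 == "name:" {
            flush(); name = $3; sect = ""
            alg = klen = crypto = flags = mode = "?"
        }
        $1 == "EncryptionAlgorithm:" { alg = $2 }
        $1 == "KeyLength:"           { klen = $2 }
        $1 == "Crypto:"              { crypto = $2 }
        # Several flags are comma separated; join them into one field.
        $1 == "Flags:" { flags = $2; for (i = 3; i <= NF; i++) flags = flags $i }
        $1 == "Providers:"           { sect = "p" }
        $1 == "Consumers:"           { sect = "c" }
        # Keep the provider (.eli) mode, not the consumer mode.
        $1 == "Mode:" && sect == "p" { mode = $2 }
        END { flush() }
    ' | while read -r name enc crypto flags mode; do
        if [ -e "$devdir/$name" ]; then node=present; else node=MISSING; fi
        echo "$name $enc $crypto flags=$flags mode=$mode node=$node"
    done
}
# Constructed sample: the thread's `geli list` output, trimmed.
sample_geli_list() {
    cat <<'EOF'
Geom name: da0s1g.eli
EncryptionAlgorithm: AES-CBC
KeyLength: 128
Crypto: hardware
Flags: NONE
Providers:
1. Name: da0s1g.eli
   Mode: r1w1e1
Geom name: da1s1g.eli
EncryptionAlgorithm: AES-XTS
KeyLength: 128
Crypto: software
Flags: READ-ONLY
Providers:
1. Name: da1s1g.eli
   Mode: r0w0e0
Consumers:
1. Name: da1s1g
   Mode: r1w0e1
EOF
}
```

On a live system the call is `geli list | geli_summary /dev`; a geom reported with `node=MISSING` is one that geli lists but that has no device node, which is the state described for da1s1g.eli.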
     
  4. graudeejs

    graudeejs Well-Known Member
