Solved GPT label and geli

Hi trumee. I can't see the issue you describe in that post.
I created a new encrypted ZFS pool and I used labels with the GPT disk. I ran the following:
Code:
gpart create -s gpt da2
gpart add -t freebsd-zfs -a 4k -b 1M -l zstore da2
geli init -b -B /boot/zstore.eli -e AES-XTS -K /boot/encryption.key -l 256 -s 4096 /dev/gpt/zstore
geli attach -k /boot/encryption.key /dev/gpt/zstore
zpool create zstore /dev/gpt/zstore.eli
The first line creates a GPT partitioning scheme. The second line adds a partition of type freebsd-zfs (note this will actually later be formatted as a GELI container) with the GPT partition label zstore, 4Kb sector alignment, beginning 1MB into the disk. The third line creates a GELI container on the newly created /dev/gpt/zstore partition (note this is also /dev/da2p1), setting the boot flag, backing up the GELI metadata to /boot/zstore.eli, explicitly specifying the AES-XTS algorithm with 256 bit key length and a sector size of 4096 bytes (4Kb), using a key /boot/encryption.key in addition to a password. The fourth line attaches the GELI container using the key (a password would also be entered). The fifth and final line creates a new ZFS pool, zstore, on the newly attached GELI container, /dev/gpt/zstore.eli.

Regarding xy16644's issue in Thread labelling-geli-disk-with-zfs.44250, I have experienced the same problem with FreeBSD 9.2 and haven't tried with more recent versions. I believe when GELI containers are attached before the root filesystem is mounted (configured in /boot/loader.conf), all devices are searched for GELI containers with the boot flag. Containers are found first by their device identifier (such as ada99p3) before they are found by their GPT partition label (such as gpt/mylabel). A configuration change cannot change this behaviour; a code change would be required. If a keyfile is configured to reference the partition label but not the device identifier, the key will never be correct for the attempted attachment of the container by device identifier.

When GELI containers are attached after the root filesystem is mounted (configured in /etc/rc.conf) it is perfectly possible to attach them using the GPT partition label without issue since the container is specified rather than searched for.

Did you have another question? What are you trying to achieve?
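The two attachment routes described in the post above, as an added example that is not part of the original thread or of FreeBSD itself. It emits the /etc/rc.conf fragment that attaches the container by its GPT label after root is mounted, and the contrasting /boot/loader.conf fragment, which has to name the device node. Assumptions: rc.d/geli builds the per-provider flags variable by replacing "/" with "_" in the provider name (so gpt/zstore is read from geli_gpt_zstore_flags), the loader.conf keyfile variables follow the scheme shown in geli(8), and the key and label names are the ones from the post (/boot/encryption.key, gpt/zstore, da2p1).

```shell
#!/bin/sh
# Added example (not from the original posts). Generates the rc.conf and
# loader.conf fragments for the container built above. Assumed: rc.d/geli
# derives geli_<provider>_flags by turning '/' into '_', and the loader.conf
# keyfile variable names follow the example in geli(8).

# rc.d/geli looks up geli_<provider>_flags with '/' replaced by '_',
# so a provider named gpt/zstore is configured via geli_gpt_zstore_flags.
geli_rcvar_name() {
    printf 'geli_%s_flags' "$(printf '%s' "$1" | tr '/' '_')"
}

# rc.conf fragment: attach after the root filesystem is mounted. The provider
# is named explicitly, so a GPT label works here (the post's second scenario).
# -k is geli attach's keyfile option; a passphrase is still prompted for.
geli_rc_conf_lines() {
    provider=$1
    keyfile=$2
    printf 'geli_devices="%s"\n' "$provider"
    printf '%s="-k %s"\n' "$(geli_rcvar_name "$provider")" "$keyfile"
}

# loader.conf fragment: the boot-time path. The provider component must be
# the device node (da2p1), because the loader finds boot-flagged containers
# by that name first, as the post explains.
geli_loader_conf_lines() {
    provider=$1
    keyfile=$2
    printf 'geom_eli_load="YES"\n'
    printf 'geli_%s_keyfile0_load="YES"\n' "$provider"
    printf 'geli_%s_keyfile0_type="%s:geli_keyfile0"\n' "$provider" "$provider"
    printf 'geli_%s_keyfile0_name="%s"\n' "$provider" "$keyfile"
}

# Reject a label-style name (anything containing '/') for the loader path,
# so the label/device mismatch from the thread is caught before a reboot
# instead of at the boot passphrase prompt.
geli_loader_provider_ok() {
    case $1 in
        */*) return 1 ;;
        *)   return 0 ;;
    esac
}

main() {
    echo '# /etc/rc.conf'
    geli_rc_conf_lines gpt/zstore /boot/encryption.key
    echo
    echo '# /boot/loader.conf'
    if geli_loader_provider_ok da2p1; then
        geli_loader_conf_lines da2p1 /boot/encryption.key
    else
        echo '# refusing to write a label-based provider into loader.conf' >&2
    fi
}

main "$@"
```

Running the script prints both fragments; pasting the loader.conf one with gpt/zstore in place of da2p1 is exactly the configuration the post says can never supply the right key, which is why the guard rejects any provider containing a slash.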
 
Hi asteriskRoss,

Thanks for explaining quite clearly what these commands were doing. I was not sure whether the '-l zstore' was for the da2 or da2p1. But now it's clear. Thanks!
 