From: Stefan Esser
Date: Mon, 22 Jul 2013 12:24:13 +0200
To: "Eugene M. Zheganin"
Cc: freebsd-stable stable
Subject: Re: zpool on a zvol inside zpool
Message-ID: <51ED084D.1050308@freebsd.org>
In-Reply-To: <51ECE783.8050207@norma.perm.ru>

On 22.07.2013 10:04, Eugene M. Zheganin wrote:
> Hi.
>
> I'm moving some of my geli installation to a new machine. On an old
> machine it was running UFS. I use ZFS on a new machine, but I don't have
> an encrypted main pool (and I don't want to), so I'm kinda considering a
> way where I will make a zpool on a zvol encrypted by geli. Would it be
> completely insane (should I use UFS instead ?) or would it be still
> valid ?

I have configured a system in just that way, a few weeks ago.
It seems to work just fine.

This is a workgroup server for a small company, which is meant
to provide secure storage for documents. The system has a separate
boot/root pool and a large pool for data (both as ZFS mirrors).
On the data pool there is a ZVOL which is GELI encrypted to provide
a "disk" for the encrypted ZFS that holds the documents.

The system is running headless in some datacenter. It must boot
multi-user and start an SSHD for remote entry of the passphrase,
therefore solutions where a GELI key is on a USB key or entered
via a console during boot were not possible.

Performance is reasonable and far exceeds the 100Mbit/s Ethernet
port ordered in the data-center, so I did not bother to measure
throughput of this ZFS on GELI encrypted ZPOOL.

For low load scenarios, this seems to be the easiest configuration.
If you have hardware crypto or expect high load, then a ZFS mirror
of GELI encrypted disks may show better performance, though.

Regards, STefan
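
The layering described in the message above (ZVOL on the data pool, GELI on the ZVOL, a second pool on the GELI provider, passphrase entered over SSH after boot), as an added example that is not part of the original message. The names `data`, `cryptvol` and `docs`, the 100G size, the 4096-byte sector size and the `cachefile=none` setting are assumptions.

```shell
#!/bin/sh
# Added example: names (data, cryptvol, docs) and the size are constructed.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them as root.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# One-time setup: ZVOL on the unencrypted data pool -> GELI -> inner pool.
setup_encrypted_pool() {
    outer="$1"; vol="$2"; size="$3"; inner="$4"
    dev="/dev/zvol/${outer}/${vol}"
    run zfs create -V "$size" "${outer}/${vol}"
    # No -b flag: the provider is not attached at boot, so a headless
    # machine reaches multi-user without waiting for a passphrase.
    run geli init -s 4096 "$dev"
    run geli attach "$dev"
    # cachefile=none (assumption) keeps the inner pool out of zpool.cache,
    # so boot does not try to import it while the .eli device is absent.
    run zpool create -o cachefile=none "$inner" "${dev}.eli"
}

# After each boot, from an SSH session: geli prompts for the passphrase.
unlock_encrypted_pool() {
    outer="$1"; vol="$2"; inner="$3"
    run geli attach "/dev/zvol/${outer}/${vol}"
    run zpool import -o cachefile=none "$inner"
}

# Before maintenance: close the pool and discard the in-kernel key.
lock_encrypted_pool() {
    outer="$1"; vol="$2"; inner="$3"
    run zpool export "$inner"
    run geli detach "/dev/zvol/${outer}/${vol}.eli"
}

case "${1:-}" in
    setup)  setup_encrypted_pool data cryptvol 100G docs ;;
    unlock) unlock_encrypted_pool data cryptvol docs ;;
    lock)   lock_encrypted_pool data cryptvol docs ;;
esac
```

Only datasets in the inner pool are encrypted; anything written to the outer data pool or the boot/root pool stays in the clear.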