GELI suspend/resume fails on non-rootfs partition β¦
<https://www.reddit.com/r/freebsd/comments/1pr7l2k/geli_suspendresume_fails_on_nonrootfs_partition/> | <https://forums.freebsd.org/threads/geli-suspend-resume-fails-on-non-rootfs-partition-destroys-data.100860/>
β intriguing
β help, please (in either Reddit, or the Forums, if you can).
@cdrmack It's #GELI for me. If your threat scenario is physical hardware access by unauthorized persons (like e.g. a stolen laptop), you want to leak as little information as possible. With GELI, all you need is some #ESP (#EFI partition) with #FreeBSD's loader(8) installed, it supports booting from GELI.
If, on the other hand, your threat scenario is unauthorized access to some data by someone who *is* authorized to access the machine in general, just not that specific data, per-dataset encryption as offered by #ZFS is the better match. A concrete scenario could be a machine used by multiple users that don't necessarily trust each other. That way, some datasets can remain "locked" while the machine is up and running, but of course you'll always expose pool metadata (like, which datasets, snapshots etc exist at all).
You might combine both approaches if you *really* need to. π
Just ran into a good reason to use labels for your geli partitions. Years ago, when I replaced a drive, I did a geli init on it, and it was ada11 at the time. After a while I moved it's location so it became another ada. But the issue is that the old geli backup still has the name ada11 despite that device not existing. It also now means that I don't know what drive ada11 corresponds to if I do need to use it for a restore.
@nixCraft nearly all suitably encrypted. No FDE.
OpenZFS encryption for:
* the sensitive part of a mobile hard disk drive
* three low-spec USB memory sticks that add around 145 GiB persistent removable L2ARC to a circa 2014 HP ZBook with 32 G memory and a ~1 TB internal HDD.
GELI for 16 G swap.
GELI for 915 G /
tmpfs for /tmp/
<https://github.com/openzfs/zfs/issues/10256>
γβ¦ blocks in the L2ARC have the exact same on-disk representation as they do in the main pool. β¦γ
geli(8) <https://man.freebsd.org/cgi/man.cgi?query=geli&sektion=8&manpath=freebsd-release> β automatically configured when FreeBSD was installed.
tmpfs(4) <https://man.freebsd.org/cgi/man.cgi?query=tmpfs&sektion=4&manpath=freebsd-current> (FreeBSD 15.0-CURRENT)
#FreeBSD #L2ARC #ZFS #OpenZFS #encryption #USB #memorystick #flash #flashdrive #mobile #GELI
System information Type Version/Name ZFS Version git master 47c9299 Describe the problem you're observing Searching the web and forums there seem to only be conflicting opinions on whether the L2AR...
Graham Perrin
R.L. Dane 
π΅ 
Felix Palmen 
cdrmack
TomAoki
John-Mark Gurney
Justine Smithiespoweroff command I'd say #Linux wins but not by much, though I am using #Geli for encryption on my FreeBSD laptop which maybe slows it a little ? The rest of the speeds for general use it's hard to tell so far and as for resilience I've had no issues as yet and the same could be said for my #HomeLab too.