# New to geli (tags: gjournal + gmirror + zfs)



## silkie (Dec 2, 2009)

Fellas!

I have a disk that has a new install of 8 on it. Currently unencrypted. I'm reading about geli for the first time and considering how I would enable geli on a volume with data already on it. 

The handbook talks about creating new encrypted volumes from new slices. My system sits on a disk with a swap and a single slice on it and I want to encrypt the lot. How would I go about doing this for the / slice with the data already there? Does the geli init command encrypt the current contents before presenting the new .eli device or should I expect a blank volume?

Also the plan is to gjournal the root fs slice (160 GB), geli both the root fs slice and swap and finally gmirror it. Then I have 8 other disks I plan to pop into RAIDZ and encrypt with this guide:
http://blog.experimentalworks.net/2008/03/setting-up-an-encrypted-zfs-with-freebsd/

Any words of warning here!? There is a lot of encryption / block level data manipulation going on here. Should I be worried about the overhead on a Core2 2.3 quad?

Finally, would I have to enter a passphrase for each encrypted volume I mount on boot? I could have up to 4 devices being mounted on boot when my backup disks are added to the system. 4 passwords and the OS login is going to get annoying; I guess it's just the price you pay for security.

Thanks for any help, guidance, advice!!!!!


----------



## graudeejs (Dec 2, 2009)

I'd suggest you read this:
http://forums.freebsd.org/showthread.php?t=185
geli(8) - you can use flash with keys... no need for password

I use geli + zfs.... If it's perfectly fine for my Pentium4 @ 3GHz (I don't feel any difference), your Core2 will work even better.

About geli+gjournal.... hmmm, I don't know... search the forum, there was a thread about this... I don't remember how it ended.


----------



## tcn (Dec 2, 2009)

Just a small warning about flash keys instead of passwords: flash keys go defective, and having a bunch of copies is almost as safe as writing a password down.

For my part, I boot on a flash that can easily be re-made; root is password encrypted but other disks are encrypted using keys hidden inside the encrypted root.

The boot flash can be removed and the system is very safe.


----------
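
The layout tcn describes above (passphrase-protected root, other disks unlocked by keyfiles stored on that root) can be set up along these lines. This is an added example, not part of the thread or tcn's own commands; `KEYDIR`, `DRY_RUN`, the function names and the provider paths are assumptions, and with the default `DRY_RUN=1` it only prints the geli commands.

```shell
#!/bin/sh
# Added example, not from the thread. KEYDIR, DRY_RUN, the function names and
# the provider paths given as arguments are assumptions for illustration.
# geli init does not convert existing data: use it on empty providers only.

KEYDIR="${KEYDIR:-/root/geli-keys}"   # must sit on the encrypted root fs
DRY_RUN="${DRY_RUN:-1}"               # 1 = print geli commands, 0 = run them

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Create a 64-byte random keyfile, owner-only, never overwriting an old one
# (replacing the key of an initialised provider can make its data unreadable).
make_key() {
    key="$KEYDIR/$1.key"
    if [ -e "$key" ]; then
        echo "refusing to overwrite $key" >&2
        return 1
    fi
    (
        umask 077
        mkdir -p "$KEYDIR" || exit 1
        dd if=/dev/urandom of="$key" bs=64 count=1 2>/dev/null || exit 1
        [ $(wc -c < "$key") -eq 64 ]
    )
}

# Keyfile-only provider: -P (init) and -p (attach) drop the passphrase
# component, so the disk unlocks without a prompt once root is mounted.
setup_provider() {
    prov="$1"
    name="${prov##*/}"
    make_key "$name" || return 1
    key="$KEYDIR/$name.key"
    run geli init -s 4096 -P -K "$key" "$prov" || return 1
    run geli attach -p -k "$key" "$prov" || return 1
    # Line for /etc/rc.conf, next to geli_devices="... $name"
    echo "geli_${name}_flags=\"-p -k $key\""
}

# Usage: DRY_RUN=0 sh thisscript /dev/da1 /dev/da2
for p in "$@"; do
    setup_provider "$p" || exit 1
done
```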



## SirDice (Dec 2, 2009)

killasmurf86 said:

> you can use flash with keys... no need for password


Which more or less defeats the purpose of encryption. If someone steals your box they will take the flash too.


----------



## graudeejs (Dec 2, 2009)

You don't need to keep it plugged in all the time...
Only plug in to boot, then plug out....


----------



## graudeejs (Dec 2, 2009)

gmirror+zfs????
Can't zfs handle this better?


----------



## SirDice (Dec 2, 2009)

killasmurf86 said:

> You don't need to keep it plugged in all the time...
> Only plug in to boot, then plug out....



Ah, OK... But you better be sure to take it with you.


----------



## DutchDaemon (Dec 2, 2009)

... or your key will be gone in a flash.

I know, I know.


----------

