Striped mirror raid10
David Christensen
dpchrist at holgerdanske.com
Wed Jun 1 19:44:53 UTC 2016
On 06/01/2016 10:57 AM, Brandon J. Wandersee wrote:
>
> Bernt Hansson writes:
>
>> Hello list!
>>
>> I have set up a striped mirror;
>>
>> root at testbox:~ # gmirror status
>>            Name    Status  Components
>> mirror/gmirror0  COMPLETE  ada0 (ACTIVE)
>>                            ada1 (ACTIVE)
>> mirror/gmirror1  COMPLETE  ada2 (ACTIVE)
>>                            ada3 (ACTIVE)
>> root at testbox:~ # gstripe status
>>           Name  Status  Components
>> stripe/stripe0      UP  mirror/gmirror0
>>                         mirror/gmirror1
>>
>> /dev/stripe/stripe0 1.8T 4.0K 1.8T 0% /raid10
>>
>> Now I want to encrypt it, but is that wise? I mean you can remove a
>> disk from the mirror, won't that break the encryption? And the
>> mirror/stripe.
>
> Encrypt the disks/partitions themselves, not the stripe or mirror. You
> can then create mirrors of the resulting *.eli device nodes, then create
> a stripe from the mirrors. You can unlock the disks/partitions at boot
> thus:
>
> 1) First, run `geli configure -b <disk/partition>` on each encrypted
> disk/partition, so you will be prompted for the passphrase for each
> encrypted partition during boot.
> 2) Next, add the line 'geom_eli_passphrase_prompt=YES' to the file
> /boot/loader.conf. This will add a passphrase prompt to the boot menu,
> allowing you to enter the passphrase for the disks one time only,
> before the boot process begins.

I would think that you would want to encrypt one virtual device, rather
than two physical devices, so that the CPU only has to deal with one
encryption layer, not two encryption layers.

With the encryption on top of the mirror: if one physical device fails,
the cyphertext on the other physical drive will still exist and the
virtual device will still provide plaintext. When the failed drive is
replaced, it will be resilvered using the cyphertext from the good
physical drive.

David
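
The two layouts discussed in this thread, side by side, as an added example that is not part of either poster's message: a dry-run sh script that only prints the FreeBSD commands for each layout and runs none of them. Device and array names come from the status output quoted above; the `-s 4096` sector size, the default cipher settings and the function names are assumptions of this example.

```sh
#!/bin/sh
# Added example: dry-run planner. It prints commands and executes none of them.
# Names (ada0..ada3, gmirror0/1, stripe0) are taken from the thread's output.
# Assumption: 4096-byte geli sectors, geli's default cipher and key length.
DISKS="ada0 ada1 ada2 ada3"

# Layout A (first reply): geli on each disk, mirrors built from the *.eli nodes.
plan_geli_below() {
    for d in $DISKS; do
        echo "geli init -s 4096 /dev/$d"
        echo "geli configure -b /dev/$d"    # step 1 in the thread
        echo "geli attach /dev/$d"
    done
    echo "gmirror label -v gmirror0 /dev/ada0.eli /dev/ada1.eli"
    echo "gmirror label -v gmirror1 /dev/ada2.eli /dev/ada3.eli"
    echo "gstripe label -v stripe0 /dev/mirror/gmirror0 /dev/mirror/gmirror1"
    echo "newfs -U /dev/stripe/stripe0"
    echo "echo 'geom_eli_passphrase_prompt=YES' >> /boot/loader.conf"  # step 2
}

# Layout B (second reply): a single geli provider on top of the existing stripe.
# The mirrors below it only ever store and resilver ciphertext.
plan_geli_on_top() {
    echo "geli init -s 4096 /dev/stripe/stripe0"
    echo "geli attach /dev/stripe/stripe0"
    echo "newfs -U /dev/stripe/stripe0.eli"
}

# Number of geli providers in a layout, i.e. metadata/key sets to manage.
count_geli_providers() {
    "$1" | grep -c '^geli init'
}

# Encrypt operations per written block: with geli below the mirror the same
# block is encrypted once per mirror component; with geli on top, once.
encryptions_per_write() {
    "$1" | awk '/^gmirror label/ {n = NF - 4} END {print (n ? n : 1)}'
}

for layout in plan_geli_below plan_geli_on_top; do
    echo "# $layout: $(count_geli_providers "$layout") geli provider(s)," \
         "$(encryptions_per_write "$layout") encryption(s) per written block"
    "$layout"
done
```

Both plans end in `newfs`, so either one replaces the existing empty /raid10 filesystem; review the printed commands before typing any of them.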