* [dm-crypt] btrfs @ 2010-10-27 12:54 M Thomas Frederiksen 2010-10-27 12:59 ` Christoph Anton Mitterer 2010-10-27 14:41 ` Heinz Diehl 0 siblings, 2 replies; 8+ messages in thread From: M Thomas Frederiksen @ 2010-10-27 12:54 UTC (permalink / raw) To: dm-crypt [-- Attachment #1: Type: text/plain, Size: 302 bytes --] I've got 4 HDs, and would like encrypted btrfs. I'm considering installing Kubuntu 10.10. As btrfs doesn't support encryption yet, I'd have to use LUKS underneath. Is this likely to be a decent setup, or would I be well advised to wait for btrfs to support encryption natively? -- Cheers, ~Thomas [-- Attachment #2: Type: text/html, Size: 358 bytes --] ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [dm-crypt] btrfs 2010-10-27 12:54 [dm-crypt] btrfs M Thomas Frederiksen @ 2010-10-27 12:59 ` Christoph Anton Mitterer 2010-10-27 14:10 ` Arno Wagner 2010-10-27 14:41 ` Heinz Diehl 1 sibling, 1 reply; 8+ messages in thread From: Christoph Anton Mitterer @ 2010-10-27 12:59 UTC (permalink / raw) To: M Thomas Frederiksen; +Cc: dm-crypt [-- Attachment #1: Type: text/plain, Size: 703 bytes --] On Wed, 2010-10-27 at 08:54 -0400, M Thomas Frederiksen wrote: > I've got 4 HDs, and would like encrypted btrfs. I'm considering > installing Kubuntu 10.10. As btrfs doesn't support encryption yet, > I'd have to use LUKS underneath. Is this likely to be a decent setup, > or would I be well advised to wait for btrfs to support encryption > natively? In principle it's a good idea to use dmcrypt/LUKS IMHO (not sure whether I like the idea to put encryption directly in the fs),... nevertheless, there once used to be (IIRC) a note in the btrfs wiki, that it was for some reason insecure/buggy/whatever to be used with dm-crypt... So perhaps better ask them too. Cheers, Chris. [-- Attachment #2: smime.p7s --] [-- Type: application/x-pkcs7-signature, Size: 3387 bytes --] ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [dm-crypt] btrfs 2010-10-27 12:59 ` Christoph Anton Mitterer @ 2010-10-27 14:10 ` Arno Wagner 2010-10-27 14:15 ` Christoph Anton Mitterer 2010-10-27 23:19 ` Paul Dugas 0 siblings, 2 replies; 8+ messages in thread From: Arno Wagner @ 2010-10-27 14:10 UTC (permalink / raw) To: dm-crypt On Wed, Oct 27, 2010 at 02:59:17PM +0200, Christoph Anton Mitterer wrote: > On Wed, 2010-10-27 at 08:54 -0400, M Thomas Frederiksen wrote: > > I've got 4 HDs, and would like encrypted btrfs. I'm considering > > installing Kubuntu 10.10. As btrfs doesn't support encryption yet, > > I'd have to use LUKS underneath. Is this likely to be a decent setup, > > or would I be well advised to wait for btrfs to support encryption > > natively? > > In principle it's a good idea to use dmcrypt/LUKS IMHO (not sure whether > I like the idea to put encryption directly in the fs),... nevertheless, > there once used to be (IIRC) a note in the btrfs wiki, that it was for > some reason insecure/buggy/whatever to be used with dm-crypt... > > So perhaps better ask them too. > > > Cheers, > Chris. Currently there are kernel issues with write synchronisation. These may affect a combination of any filesystem with LUKS/dm-crypt more strongly than the filesystem alone. Fortunately (after a very long time ignoring it) the kernel developpers have started to do something about this issue. It is basically the same thing you get when writing a very large file to disk and everything starts to crawl. Or a smaller file to a slow device and dm-crypted/LUKSed devices are slower. 2.6.36 is already a lot more responsive under these circumstances, at least for the large file situation. 2.6.37 is expected to improve the situation further. There is no reason why there should be any security issues, btrfs cannot break LUKS/dm-crypt security. It may be buggy, but btrfs is still new and likely buggy itself. I would not trust if for at least another year. If you can reliably detect corruption and have good backups, just try it. Arno -- Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F ---- Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans If it's in the news, don't worry about it. The very definition of "news" is "something that hardly ever happens." -- Bruce Schneier ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [dm-crypt] btrfs 2010-10-27 14:10 ` Arno Wagner @ 2010-10-27 14:15 ` Christoph Anton Mitterer 2010-10-27 14:18 ` Arno Wagner 2010-10-27 23:19 ` Paul Dugas 1 sibling, 1 reply; 8+ messages in thread From: Christoph Anton Mitterer @ 2010-10-27 14:15 UTC (permalink / raw) To: Arno Wagner; +Cc: dm-crypt [-- Attachment #1: Type: text/plain, Size: 304 bytes --] On Wed, 2010-10-27 at 16:10 +0200, Arno Wagner wrote: > There is no reason why there should be any security issues, btrfs > cannot break LUKS/dm-crypt security. I meant "data security" ... but just referring to that via security is probably very ambiguous on a list like this ;) Cheers, Chris. [-- Attachment #2: smime.p7s --] [-- Type: application/x-pkcs7-signature, Size: 3387 bytes --] ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [dm-crypt] btrfs 2010-10-27 14:15 ` Christoph Anton Mitterer @ 2010-10-27 14:18 ` Arno Wagner 0 siblings, 0 replies; 8+ messages in thread From: Arno Wagner @ 2010-10-27 14:18 UTC (permalink / raw) To: dm-crypt On Wed, Oct 27, 2010 at 04:15:01PM +0200, Christoph Anton Mitterer wrote: > On Wed, 2010-10-27 at 16:10 +0200, Arno Wagner wrote: > > There is no reason why there should be any security issues, btrfs > > cannot break LUKS/dm-crypt security. > I meant "data security" ... but just referring to that via security is > probably very ambiguous on a list like this ;) > > Cheers, > Chris. The word you are looking for is "reliability" or "safety"... ;-) Arno -- Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F ---- Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans If it's in the news, don't worry about it. The very definition of "news" is "something that hardly ever happens." -- Bruce Schneier ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [dm-crypt] btrfs 2010-10-27 14:10 ` Arno Wagner 2010-10-27 14:15 ` Christoph Anton Mitterer @ 2010-10-27 23:19 ` Paul Dugas 1 sibling, 0 replies; 8+ messages in thread From: Paul Dugas @ 2010-10-27 23:19 UTC (permalink / raw) To: dm-crypt On Wed, Oct 27, 2010 at 10:10 AM, Arno Wagner <arno@wagner.name> wrote: > Currently there are kernel issues with write synchronisation. > These may affect a combination of any filesystem with LUKS/dm-crypt > more strongly than the filesystem alone. Fortunately (after a very > long time ignoring it) the kernel developpers have started to do > something about this issue. It is basically the same thing you get > when writing a very large file to disk and everything starts to > crawl. Or a smaller file to a slow device and dm-crypted/LUKSed > devices are slower. > > 2.6.36 is already a lot more responsive under these circumstances, > at least for the large file situation. > 2.6.37 is expected to improve the situation further. Where can I learn more about the specifics and implications of these issues? I posted a few weeks ago about some performance issues that sound a lot like the symptoms you describe. I've got an LUKS device on a 2TB Ethernet SAN drive (ATA over Ethernet) that is painfully slow when initializing and mkfs'ing; last try took 4+ days after a couple crashes due to what appear to be an out-of-memory condition in the kernel somewhere. Once it finished, I tried copying a 1TB file to it and that too ran for days before it mysteriously stalled after about 300GB. Paul -- Paul Dugas • Dugas Enterprises, LLC • Computer Engineer Paul@DugasEnterprises.com • +1.404.932.1355 ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [dm-crypt] btrfs 2010-10-27 12:54 [dm-crypt] btrfs M Thomas Frederiksen 2010-10-27 12:59 ` Christoph Anton Mitterer @ 2010-10-27 14:41 ` Heinz Diehl 2010-10-27 15:14 ` [dm-crypt] btrfs with raid5/6 Markus Krainz 1 sibling, 1 reply; 8+ messages in thread From: Heinz Diehl @ 2010-10-27 14:41 UTC (permalink / raw) To: dm-crypt On 27.10.2010, M Thomas Frederiksen wrote: > Is this likely to be a decent setup, or would I be well > advised to wait for btrfs to support encryption natively? It's up to you. I'd prefer LUKS/dmcrypt. ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [dm-crypt] btrfs with raid5/6 2010-10-27 14:41 ` Heinz Diehl @ 2010-10-27 15:14 ` Markus Krainz 0 siblings, 0 replies; 8+ messages in thread From: Markus Krainz @ 2010-10-27 15:14 UTC (permalink / raw) To: dm-crypt > It's up to you. I'd prefer LUKS/dmcrypt. So do I. But I have a related concern: I currently do ext4 <-> dm-crypt <-> linux-software-raid <-> hdds However Linux Software Raid (mdadm) does not protect you from silent data loss, because it does not store checksums in it's metadata. So what mdadm does is, it compensates for failed devices, or blocks, if the device reports them as bad. But I can NOT correct data, that was e.g. corrupted by the SATA controller or backplane. See http://neil.brown.name/blog/20100211050355 "Smart or simple RAID recovery??" for more information. Btrfs (like ZFS) can be the solution here, as it stores CRC checksums with all data and metadata. RAID5 with protection from silent data loss is promised to be implemented in the future. A setup on top of dm-crypt would look as follows: btrfs <-> multiple dm-crypt partitions <-> multiple devices However in the past I experienced very disappointing results, if raid is running on top of dm-crypt partitions. If I remove hdds from such a setup the dm-crypt partition wont disappear. It won't propagate the error to the software raid on top of it (not familiar with the implementation details, maybe mdadm is to blame here). And finally it won't even let itself be deleted without restart (I think the last issue has been fixed in the meantime). I urge the dm-crypt developers to improve this situation with raid on top of dm-crypt, be it with mdadm or btrfs. Solutions for other long-time annoying issues like insufficient threading support, and the lack of discard support, would be appreciated too. :P I know the OSS pradigm is provide patches yourself. Would you be accepting patches? Sincerly, Markus ^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2010-10-27 23:19 UTC | newest] Thread overview: 8+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2010-10-27 12:54 [dm-crypt] btrfs M Thomas Frederiksen 2010-10-27 12:59 ` Christoph Anton Mitterer 2010-10-27 14:10 ` Arno Wagner 2010-10-27 14:15 ` Christoph Anton Mitterer 2010-10-27 14:18 ` Arno Wagner 2010-10-27 23:19 ` Paul Dugas 2010-10-27 14:41 ` Heinz Diehl 2010-10-27 15:14 ` [dm-crypt] btrfs with raid5/6 Markus Krainz
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox