AES-XTS 256

Status
Not open for further replies.

Kljajoni

Cadet
Joined
Apr 20, 2015
Messages
7
Hi,

can someone guide me on how to create an encrypted volume with the AES-XTS 256 encryption algorithm? By default, FreeNAS uses AES-XTS 128 for data when you create a volume from the GUI; for some compliance reasons I need to change it to AES-XTS 256.

I am trying to test this on a VMware virtual machine (1 x 16Gb disk for install and swap, 5 x 5 GB disks for data RAIDZ2). I tried to use a similar workaround in FreeNAS 9.3, but I am not sure what I achieved. Unfortunately, I do not understand the GEOM geli encryption behind the scenes, so can someone briefly explain to me:

1) What does gptid represent?
2) What does ada represent? Is it possible to change this encryption to AES-XTS 256?
3) How are they related?



Code:

geli status

                                          Name  Status  Components
gptid/6150cb18-bac2-11e6-a033-000c290b314c.eli  ACTIVE  gptid/6150cb18-bac2-11e6-a033-000c290b314c
gptid/616f2340-bac2-11e6-a033-000c290b314c.eli  ACTIVE  gptid/616f2340-bac2-11e6-a033-000c290b314c
gptid/618c0d0d-bac2-11e6-a033-000c290b314c.eli  ACTIVE  gptid/618c0d0d-bac2-11e6-a033-000c290b314c
gptid/61a8c021-bac2-11e6-a033-000c290b314c.eli  ACTIVE  gptid/61a8c021-bac2-11e6-a033-000c290b314c
gptid/61c5d7e8-bac2-11e6-a033-000c290b314c.eli  ACTIVE  gptid/61c5d7e8-bac2-11e6-a033-000c290b314c
                                    ada0p1.eli  ACTIVE  ada0p1
                                    ada1p1.eli  ACTIVE  ada1p1
                                    ada2p1.eli  ACTIVE  ada2p1
                                    ada3p1.eli  ACTIVE  ada3p1
                                    ada4p1.eli  ACTIVE  ada4p1



Code:

geli list


Geom name: gptid/6150cb18-bac2-11e6-a033-000c290b314c.eli
State: ACTIVE
EncryptionAlgorithm: AES-XTS
KeyLength: 256
Crypto: hardware
Version: 7
UsedKey: 0
Flags: NONE
KeysAllocated: 1
KeysTotal: 1
Providers:
1. Name: gptid/6150cb18-bac2-11e6-a033-000c290b314c.eli
   Mediasize: 3221135360 (3.0G)
   Sectorsize: 4096
   Mode: r1w1e1
Consumers:
1. Name: gptid/6150cb18-bac2-11e6-a033-000c290b314c
   Mediasize: 3221139456 (3.0G)
   Sectorsize: 512
   Stripesize: 0
   Stripeoffset: 2147549184
   Mode: r1w1e1

Geom name: gptid/616f2340-bac2-11e6-a033-000c290b314c.eli
State: ACTIVE
EncryptionAlgorithm: AES-XTS
KeyLength: 256
Crypto: hardware
Version: 7
UsedKey: 0
Flags: NONE
KeysAllocated: 1
KeysTotal: 1
Providers:
1. Name: gptid/616f2340-bac2-11e6-a033-000c290b314c.eli
   Mediasize: 3221135360 (3.0G)
   Sectorsize: 4096
   Mode: r1w1e1
Consumers:
1. Name: gptid/616f2340-bac2-11e6-a033-000c290b314c
   Mediasize: 3221139456 (3.0G)
   Sectorsize: 512
   Stripesize: 0
   Stripeoffset: 2147549184
   Mode: r1w1e1

Geom name: gptid/618c0d0d-bac2-11e6-a033-000c290b314c.eli
State: ACTIVE
EncryptionAlgorithm: AES-XTS
KeyLength: 256
Crypto: hardware
Version: 7
UsedKey: 0
Flags: NONE
KeysAllocated: 1
KeysTotal: 1
Providers:
1. Name: gptid/618c0d0d-bac2-11e6-a033-000c290b314c.eli
   Mediasize: 3221135360 (3.0G)
   Sectorsize: 4096
   Mode: r1w1e1
Consumers:
1. Name: gptid/618c0d0d-bac2-11e6-a033-000c290b314c
   Mediasize: 3221139456 (3.0G)
   Sectorsize: 512
   Stripesize: 0
   Stripeoffset: 2147549184
   Mode: r1w1e1

Geom name: gptid/61a8c021-bac2-11e6-a033-000c290b314c.eli
State: ACTIVE
EncryptionAlgorithm: AES-XTS
KeyLength: 256
Crypto: hardware
Version: 7
UsedKey: 0
Flags: NONE
KeysAllocated: 1
KeysTotal: 1
Providers:
1. Name: gptid/61a8c021-bac2-11e6-a033-000c290b314c.eli
   Mediasize: 3221135360 (3.0G)
   Sectorsize: 4096
   Mode: r1w1e1
Consumers:
1. Name: gptid/61a8c021-bac2-11e6-a033-000c290b314c
   Mediasize: 3221139456 (3.0G)
   Sectorsize: 512
   Stripesize: 0
   Stripeoffset: 2147549184
   Mode: r1w1e1

Geom name: gptid/61c5d7e8-bac2-11e6-a033-000c290b314c.eli
State: ACTIVE
EncryptionAlgorithm: AES-XTS
KeyLength: 256
Crypto: hardware
Version: 7
UsedKey: 0
Flags: NONE
KeysAllocated: 1
KeysTotal: 1
Providers:
1. Name: gptid/61c5d7e8-bac2-11e6-a033-000c290b314c.eli
   Mediasize: 3221135360 (3.0G)
   Sectorsize: 4096
   Mode: r1w1e1
Consumers:
1. Name: gptid/61c5d7e8-bac2-11e6-a033-000c290b314c
   Mediasize: 3221139456 (3.0G)
   Sectorsize: 512
   Stripesize: 0
   Stripeoffset: 2147549184
   Mode: r1w1e1

Geom name: ada0p1.eli
State: ACTIVE
EncryptionAlgorithm: AES-XTS
KeyLength: 128
Crypto: hardware
Version: 7
Flags: ONETIME, W-DETACH, W-OPEN
KeysAllocated: 1
KeysTotal: 1
Providers:
1. Name: ada0p1.eli
   Mediasize: 2147483648 (2.0G)
   Sectorsize: 4096
   Mode: r1w1e0
Consumers:
1. Name: ada0p1
   Mediasize: 2147483648 (2.0G)
   Sectorsize: 512
   Stripesize: 0
   Stripeoffset: 65536
   Mode: r1w1e1

Geom name: ada1p1.eli
State: ACTIVE
EncryptionAlgorithm: AES-XTS
KeyLength: 128
Crypto: hardware
Version: 7
Flags: ONETIME, W-DETACH, W-OPEN
KeysAllocated: 1
KeysTotal: 1
Providers:
1. Name: ada1p1.eli
   Mediasize: 2147483648 (2.0G)
   Sectorsize: 4096
   Mode: r1w1e0
Consumers:
1. Name: ada1p1
   Mediasize: 2147483648 (2.0G)
   Sectorsize: 512
   Stripesize: 0
   Stripeoffset: 65536
   Mode: r1w1e1

Geom name: ada2p1.eli
State: ACTIVE
EncryptionAlgorithm: AES-XTS
KeyLength: 128
Crypto: hardware
Version: 7
Flags: ONETIME, W-DETACH, W-OPEN
KeysAllocated: 1
KeysTotal: 1
Providers:
1. Name: ada2p1.eli
   Mediasize: 2147483648 (2.0G)
   Sectorsize: 4096
   Mode: r1w1e0
Consumers:
1. Name: ada2p1
   Mediasize: 2147483648 (2.0G)
   Sectorsize: 512
   Stripesize: 0
   Stripeoffset: 65536
   Mode: r1w1e1

Geom name: ada3p1.eli
State: ACTIVE
EncryptionAlgorithm: AES-XTS
KeyLength: 128
Crypto: hardware
Version: 7
Flags: ONETIME, W-DETACH, W-OPEN
KeysAllocated: 1
KeysTotal: 1
Providers:
1. Name: ada3p1.eli
   Mediasize: 2147483648 (2.0G)
   Sectorsize: 4096
   Mode: r1w1e0
Consumers:
1. Name: ada3p1
   Mediasize: 2147483648 (2.0G)
   Sectorsize: 512
   Stripesize: 0
   Stripeoffset: 65536
   Mode: r1w1e1

Geom name: ada4p1.eli
State: ACTIVE
EncryptionAlgorithm: AES-XTS
KeyLength: 128
Crypto: hardware
Version: 7
Flags: ONETIME, W-DETACH, W-OPEN
KeysAllocated: 1
KeysTotal: 1
Providers:
1. Name: ada4p1.eli
   Mediasize: 2147483648 (2.0G)
   Sectorsize: 4096
   Mode: r1w1e0
Consumers:
1. Name: ada4p1
   Mediasize: 2147483648 (2.0G)
   Sectorsize: 512
   Stripesize: 0
   Stripeoffset: 65536
   Mode: r1w1e1


 

dlavigne

Guest
You can't change the encryption algorithm without destroying the pool.

While you could manually configure this, it would be unsupported and would require you to be comfortable with the contents of geli(8). But again, it would be unsupported and you'd be on your own, which would really suck if the encrypted contents became unavailable.

You could try creating a feature request to have either the default algorithm bumped up to AES-XTS 256 or to have that algorithm added as a selectable option. If you decide to create a feature request at bugs.freenas.org, post the issue number here.
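
Added example, not part of the original posts: a small sh/awk audit that reads `geli list` output like the one in the question and reports each geom's algorithm, key length and whether it carries the ONETIME flag (a provider attached with a throwaway key, as `geli onetime` does), marking anything below a required key length. The function names and the trimmed sample input are constructed for illustration; the two sample geoms are cut down from the output posted above.

```shell
#!/bin/sh
# Audit `geli list` output read from stdin.
# Prints: <geom> <algorithm>-<keylength> <persistent|onetime> <OK|WEAK>
# On a live system (assumption): geli list | audit_geli 256
audit_geli() {
    required="$1"
    awk -v req="$required" '
        function emit() {
            if (name == "") return
            kind = (flags ~ /ONETIME/) ? "onetime" : "persistent"
            verdict = (keylen + 0 >= req + 0) ? "OK" : "WEAK"
            printf "%s %s-%s %s %s\n", name, algo, keylen, kind, verdict
        }
        # A new "Geom name:" line closes the previous record.
        /^Geom name:/           { emit(); name = $3; algo = keylen = flags = "" }
        /^EncryptionAlgorithm:/ { algo = $2 }
        /^KeyLength:/           { keylen = $2 }
        /^Flags:/               { sub(/^Flags: */, ""); flags = $0 }
        END                     { emit() }
    '
}

# Constructed sample: two records trimmed from the output in the question.
sample_geli_list() {
    cat <<'EOF'
Geom name: gptid/6150cb18-bac2-11e6-a033-000c290b314c.eli
State: ACTIVE
EncryptionAlgorithm: AES-XTS
KeyLength: 256
Flags: NONE

Geom name: ada0p1.eli
State: ACTIVE
EncryptionAlgorithm: AES-XTS
KeyLength: 128
Flags: ONETIME, W-DETACH, W-OPEN
EOF
}

# Count geoms that fall below the required key length.
count_weak() {
    audit_geli "$1" | awk '$NF == "WEAK" { n++ } END { print n + 0 }'
}

sample_geli_list | audit_geli 256
```

Run against the full output in the question, this separates the five `gptid/*.eli` geoms (AES-XTS, KeyLength 256, persistent key) from the five `ada*p1.eli` geoms (AES-XTS, KeyLength 128, ONETIME).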
 