"xenophon\\+freebsd" <xenophon+free...@irtnog.org> wrote: > I have posted revised instructions for installing FreeBSD to an > encrypted ZFS pool on my blog: > > https://web.irtnog.org/~xenophon/blog/revised-freebsd-root-zfs-geli > > The entire procedure is documented in a way suitable for scripting. I > would be very interested in the community's feedback.

It's not clear to me why you enable geli integrity verification. Given that it is single-sector-based it seems inferior to ZFS's integrity checks in every way and could actually prevent ZFS from properly detecting (and, depending on the pool layout, correcting) checksum errors itself.

I'm also wondering if you actually benchmarked the difference between HMAC/MD5 and HMAC/SHA256. Unless the difference can be easily measured, I'd probably stick with the recommendation.

I would also be interested in benchmarks that show that geli(8)'s recommendation to increase geli's block size to 4096 bytes makes sense for ZFS. Is anyone aware of any?

Fabian