Fabian Keil writes:

> In my opinion protecting ZFS's default checksums (which cover
> non-metadata as well) with GEOM_ELI is sufficient. I don't see
> what advantage additionally enabling GEOM_ELI's integrity
> verification offers.

I follow you now. You may be right about the extra integrity checking being redundant with ZFS.

> Anyway, it's a test without file system so the ZFS overhead isn't
> measured. I wasn't entirely clear about it, but my assumption was
> that the ZFS overhead might be big enough to make the difference
> between HMAC/MD5 and HMAC/SHA256 a lot less significant.

Got it. That also makes sense. I'll put this on my to-test list.

> I'm currently using sector sizes between 512 and 8192 so I'm not
> actually expecting technical problems, it's just not clear to me
> how much the sector size matters and if 4096 is actually the best
> value when using ZFS.

The geli(8) manual page claims that larger sector sizes lower the overhead of GEOM_ELI keying initialization and encryption/decryption steps by requiring fewer of these compute-intensive setup operations per block. You can think of it in terms of networking, where it makes sense to re-use a TCP connection for multiple HTTP requests, because for small HTTP requests, the bandwidth and latency caused by the TCP three-way handshake overshadow the actual data transfer.

--
I FIGHT FOR THE USERS