Episode 251: Crypto HAMMER | BSD Now 251


Published 7 years, 9 months ago
Description

DragonflyBSD’s hammer1 encrypted master/slave setup, second part of our BSDCan recap, NomadBSD 1.1-RC1 available, OpenBSD adds an LDAP client to base, FreeBSD gets pNFS support, Intel FPU Speculation Vulnerability confirmed, and what some Unix command names mean.

## Headlines
### DragonflyBSD: Towards a HAMMER1 master/slave encrypted setup with LUKS

I just wanted to share my experience with setting up DragonFly master/slave HAMMER1 PFS's on top of LUKS.
So after a long time using a Synology for my NFS needs, I decided it was time to rethink my setup a little since I had several issues with it:

  • You cannot run NFS on top of encrypted partitions easily
  • I suspect I am having some data corruption (bitrot) on the ext4 filesystem
  • the NIC was stuck at 100 Mbps instead of 1 Gbps even after swapping cables, switches, you name it
  • It’s proprietary

I have been playing with DragonFly in the past and knew about HAMMER, now I just had the perfect excuse to actually use it in production :) After setting up the OS, creating the LUKS partition and HAMMER FS was easy:

kldload dm
cryptsetup luksFormat /dev/serno/
cryptsetup luksOpen /dev/serno/ fort_knox
newfs_hammer -L hammer1_secure_master /dev/mapper/fort_knox
cryptsetup luksFormat /dev/serno/
cryptsetup luksOpen /dev/serno/ fort_knox_slave
newfs_hammer -L hammer1_secure_slave /dev/mapper/fort_knox_slave

  • Mount the 2 drives:

mount /dev/mapper/fort_knox /fort_knox
mount /dev/mapper/fort_knox_slave /fort_knox_slave

You can now put your data under /fort_knox
Now, off to setting up the replication, first get the shared-uuid of /fort_knox

hammer pfs-status /fort_knox

Create a PFS slave “linked” to the master

hammer pfs-slave /fort_knox_slave/pfs/slave shared-uuid=f9e7cc0d-eb59-10e3-a5b5-01e6e7cefc12

And then stream your data to the slave PFS!

hammer mirror-stream /fort_knox /fort_knox_slave/pfs/slave

After that, setting up NFS is fairly trivial even though I had a problem with the /etc/exports syntax, which is different from Linux.

There are a few things I wish would be better though, but nothing too problematic or without workarounds:

  • Cannot unlock LUKS partitions at boot time afaik (acceptable tradeoff for the added security LUKS gives me vs my old Synology setup), but this forces me to run a script to unlock LUKS, mount hammer and start mirror-stream at each boot
  • No S1/S3 sleep, so I made a script to shut down the system when there are no network neighbors to serve the NFS
  • As my system isn't online 24/7 for energy reasons, I guess I will have to run hammer cleanup myself from time to time
  • Some uncertainty because hey, it’s kind of exotic but exciting too :)

Overall, I am happy, HAMMER1 and PFS are looking really good, DragonFly is a neat Unix and the community is super friendly (Matthew Dillon actually provided me with a kernel patch to fix the broken ACPI on the PC holding this setup, many thanks!), the system is still a “work in progress” but it is already serving my files as I write this post.

Let's see in 6 months how it goes in the longer run!
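The post mentions a boot script that unlocks LUKS, mounts the HAMMER volumes and starts mirror-stream. The script below is an added example written for these show notes, not the author's own script: it wires the commands from the post into one helper, adds a DRY_RUN mode so the flow can be checked on a machine without dm, cryptsetup or hammer, and checks that the slave PFS really carries the master's shared-uuid before mirror-stream is started (a slave linked to the wrong PFS would otherwise be replicated into). The /dev/serno/ device paths are placeholders, and the `hammer pfs-status` text is a constructed sample in the shape that command prints, not output from the author's machine.

```sh
#!/bin/sh
# Added example, not from the original post: boot-time helper for the
# LUKS + HAMMER1 master/slave layout described above.  Device paths under
# /dev/serno/ are placeholders (assumption); the pfs-status text below is
# a constructed sample, not real output from the author's machine.
set -eu

MASTER_DEV="/dev/serno/MASTER-SERIAL-PLACEHOLDER"   # assumption
SLAVE_DEV="/dev/serno/SLAVE-SERIAL-PLACEHOLDER"     # assumption
MASTER_MNT="/fort_knox"
SLAVE_MNT="/fort_knox_slave"
SLAVE_PFS="$SLAVE_MNT/pfs/slave"

# Execute a command, or only print it when DRY_RUN=1, so the flow can be
# exercised on a box without dm(4), cryptsetup or hammer(8).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Read `hammer pfs-status` output on stdin and print its shared-uuid.
extract_shared_uuid() {
    sed -n 's/^[[:space:]]*shared-uuid=\([0-9a-f-]\{36\}\).*/\1/p' | head -n 1
}

# Compare the shared-uuid of two pfs-status outputs passed as strings.
# A slave whose shared-uuid differs from the master's is not linked to
# it, so refuse to start mirror-stream in that case.
pfs_linked() {
    m=$(printf '%s\n' "$1" | extract_shared_uuid)
    s=$(printf '%s\n' "$2" | extract_shared_uuid)
    [ -n "$m" ] && [ "$m" = "$s" ]
}

# Constructed sample in the shape of `hammer pfs-status /fort_knox`.
SAMPLE_MASTER_STATUS='/fort_knox	PFS#0 {
    sync-beg-tid=0x0000000000000001
    sync-end-tid=0x0000000100008000
    shared-uuid=f9e7cc0d-eb59-10e3-a5b5-01e6e7cefc12
    unique-uuid=0a1b2c3d-1111-2222-3333-444455556666
    label=""
    operating as a MASTER
}'

# The unlock/mount steps from the post, in order.  cryptsetup prompts for
# the passphrase on the console, which is why this cannot run unattended.
unlock_and_mount() {
    run kldload dm
    run cryptsetup luksOpen "$MASTER_DEV" fort_knox
    run cryptsetup luksOpen "$SLAVE_DEV" fort_knox_slave
    run mount /dev/mapper/fort_knox "$MASTER_MNT"
    run mount /dev/mapper/fort_knox_slave "$SLAVE_MNT"
}

# Verify the PFS link, then keep mirror-stream running in the background.
start_replication() {
    master_status=$(hammer pfs-status "$MASTER_MNT")
    slave_status=$(hammer pfs-status "$SLAVE_PFS")
    if ! pfs_linked "$master_status" "$slave_status"; then
        echo "shared-uuid mismatch: $SLAVE_PFS is not a slave of $MASTER_MNT" >&2
        return 1
    fi
    hammer mirror-stream "$MASTER_MNT" "$SLAVE_PFS" &
    echo $! > /var/run/hammer-mirror.pid
}

case "${1:-}" in
    start)   unlock_and_mount; start_replication ;;
    dry-run) (DRY_RUN=1; unlock_and_mount) ;;
    *)       echo "usage: $0 start|dry-run" >&2 ;;
esac
```

Run it as `./hammer-boot.sh dry-run` first to see the exact commands it would issue; `start` performs them for real and refuses to launch mirror-stream when the slave's shared-uuid does not match the master's.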
