Skip to content

Encrypting an existing raidz2

So, I decided to give this a try.. and this time in english. This is likely for a broader audience.

Having 8x 2TB drives in a raidz2, I was under the impression that this would force me to migrate the data first before I could  destroy and rebuild the whole pool using encrypted drive ”aliases” instead.

After more research inside a virtual machine with positive results I decided to do it for real.

So I present to you: ”FreeBSD – Encrypting an existing raidz2″.

As the existing raidz2 exists of eight drives, there will be one considerable amount of typing in every reboot of the server (one passphrase for each encrypted drive). As my server is not rebooted that ofted, the benefits outweight this.

First I export my pool, henceforth known as ”tank”. This is to be able to destroy one of the disks without problem.

zpool export tank

The destructive command that make this happen is credited the dd command:

dd if=/dev/zero of=/dev/label/disk0 bs=1M

Note that I use the label alias of the drive. I do like this because I like the label names better, and these are also non-changing, should I have to switch the order of the drives etc.

Before we start encrypting anything we need to have a key that is used when scrambling the data in the encrpytion process. We create this key via this command:

dd if=/dev/urandom of=/boot/encryption.key bs=4096 count=1

This will create a 4096 bytes large file with our goo of ingredients when encrypting our files. We could do really well with 2048 aswell, but what the heck, why not..

Now we get onto the first disk that will receive geli treatment:

geli init -b -B /boot/disk0.eli -e AES-XTS -K /boot/encryption.key -l 256 -s 4096 /dev/label/disk0

Enter your passphrase twice. And please, use a secure passphrase. Not what you have on facebook etc. This should be safe, not NSA-aware ;)

After this is done, we mount it so that we can use the disk through encryption:

geli attach -k /boot/encryption.key label/disk0

And enter the passphrase. Now you will have an alias you should use in the zpool (label/disk0.eli).
Sweet, now let us attach this prepared drive to our pool:

zpool import tank

If we check the pool now, it will report disk0 as unavailable:

zpool status tank

So, we replace the unavailable drive with the new one:

zpool replace tank label/disk0 label/disk0.eli

Let it resilver, or watch it:

zpool status tank

When done, the disk0 will be replaced with the eli-dito.
That was one drive.. seven more to go.
Repeat until done.
Now we just need to adjust the system to load our keyfile and setup geli when booting up.
Edit the /boot/loader.conf file and add these settings into it, or adjust accordingly.

aesni_load="YES"
geom_label_load="YES"
geom_eli_load="YES"

## Disk 0
geli_label_disk0_keyfile0_load=YES”
geli_label_disk0_keyfile0_type=”label/disk0:geli_keyfile0″
geli_label_disk0_keyfile0_name=”/boot/encryption.key”

## Disk 1
geli_label_disk1_keyfile0_load=”YES”
geli_label_disk1_keyfile0_type=”label/disk1:geli_keyfile0″
geli_label_disk1_keyfile0_name=”/boot/encryption.key”

## Disk 2
geli_label_disk2_keyfile0_load=”YES”
geli_label_disk2_keyfile0_type=”label/disk2:geli_keyfile0″
geli_label_disk2_keyfile0_name=”/boot/encryption.key”

## Disk 3
geli_label_disk3_keyfile0_load=”YES”
geli_label_disk3_keyfile0_type=”label/disk3:geli_keyfile0″
geli_label_disk3_keyfile0_name=”/boot/encryption.key”

## Disk 4
geli_label_disk4_keyfile0_load=”YES”
geli_label_disk4_keyfile0_type=”label/disk4:geli_keyfile0″
geli_label_disk4_keyfile0_name=”/boot/encryption.key”

## Disk 5
geli_label_disk5_keyfile0_load=”YES”
geli_label_disk5_keyfile0_type=”label/disk5:geli_keyfile0″
geli_label_disk5_keyfile0_name=”/boot/encryption.key”

## Disk 6
geli_label_disk6_keyfile0_load=”YES”
geli_label_disk6_keyfile0_type=”label/disk6:geli_keyfile0″
geli_label_disk6_keyfile0_name=”/boot/encryption.key”

## Disk 7
geli_label_disk7_keyfile0_load=”YES”
geli_label_disk7_keyfile0_type=”label/disk7:geli_keyfile0″
geli_label_disk7_keyfile0_name=”/boot/encryption.key”

Reboot and type the passphrase.. and again.. and again… etc.

Enjoy encrypted zpool under FreeBSD!

When you have the need to quickly ”pull the plug”, export the pool, and detach your encrypted drives (script candidate!):

zpool export tank
geli detach label/disk{0..7}.eli

These can be put into a one-liner:

zpool export tank && geli detach label/disk{0..7}.eli

The {0..7} is a shorthand command to include all drives, 0 through 7.
Just for convenience.

There you have it. Hope you enjoyed the guide!
Feel free to comment or ask me to add additional information.

4 Comments Post a comment
  1. Haye i para el main por primera vez aquí. Me encontré
    con un haber encontrado este foro y me encuentro a verdaderamente útil útil y que me ayudó mucho mucho.
    Espero oferta algo es una cosa atrás y Ayuda Ayuda otros como usted me ayudaron.
    Soy un lector habitual visitante, como todos ustedes?

    Este artículo publicado en este sitio es фактически agradable.

    oktober 6, 2015
  2. Undeniably believe that which you stated. Your
    favorite reason seemed to be on the net the easiest thing to be aware of.
    I say to you, I certainly get irked while people consider
    worries that they just do not know about. You managed
    to hit the nail upon the top and defined out the whole thing without having side
    effect , people could take a signal. Will likely
    be back to get more. Thanks

    mars 8, 2016
  3. I had to leave my inhaler with the secretary we had a nurse only certain days of the week even though from my furthest classes to her office was a quarter-mile and I wouldn’t be able to do that if I was having an Ended up sneaking my other one in my backpack because like hell was I going to leave my one and only inhaler with a nurse five minutes

    september 9, 2016
  4. Hello, i see that your website loads very slow, it took around
    7sec. to load this post. Do you know that page speed
    is major ranking factor for google now? If you speed up your
    site loading time you can rank higher and get more targeted
    traffic. There is simple method for faster loading,
    search for: Masitsu’s tricks

    november 28, 2016

Leave a Reply

You may use basic HTML in your comments. Your email address will not be published.

Subscribe to this comment feed via RSS