Encrypting an existing raidz2
So, I decided to give this a try, and this time in English, since that is likely to reach a broader audience.
With 8x 2 TB drives in a raidz2, I was under the impression that encrypting them would force me to migrate the data elsewhere first, then destroy and rebuild the whole pool on top of encrypted drive "aliases".
After more research, and a dry run inside a virtual machine with positive results, I decided to do it for real.
So I present to you: "FreeBSD – Encrypting an existing raidz2".
As the existing raidz2 consists of eight drives, there will be a considerable amount of typing at every reboot of the server (one passphrase for each encrypted drive). As my server is not rebooted that often, the benefits outweigh this.
First I export my pool, henceforth known as "tank". This is so that one of the disks can be wiped without the pool still having it open.
zpool export tank
The destructive command that makes this happen is dd:
dd if=/dev/zero of=/dev/label/disk0 bs=1M
Note that I use the label alias of the drive. I prefer the label names, and they do not change should I have to switch the order of the drives etc. Wiping the label provider also leaves the glabel metadata intact, since glabel keeps it in the drive's last sector, outside the provider, so label/disk0 is still there after the wipe.
Two things to keep in mind here. Zeroing a whole 2 TB drive takes hours; what actually has to go are the ZFS vdev labels in the first and last 512 KiB of the device, and newer FreeBSD releases offer zpool labelclear for exactly that. And from the moment this dd starts until the resilver in the replace step below finishes, the raidz2 is running on a single drive of redundancy, so do one drive at a time and have a tested backup before you begin.
Before we start encrypting anything we need a key file. geli combines its contents with the passphrase to form the user key that unlocks the master key the data is actually encrypted with. We create it with this command:
dd if=/dev/urandom of=/boot/encryption.key bs=4096 count=1
This creates a 4096-byte file of random material for the key file. 2048 bytes would do just as well, but what the heck, why not.
Be clear about what the key file buys you: it sits unencrypted in /boot, so an attacker who walks off with the whole server has it, and only the passphrase stands between them and the data. It does mean that the data drives alone, separated from the boot drive, cannot be attached even by someone who knows the passphrase. Keep a copy of the key file, and of the metadata backups that geli init writes with -B, somewhere off the server: lose the key file and the pool is gone for good.
Now on to the first disk that will get the geli treatment:
geli init -b -B /boot/disk0.eli -e AES-XTS -K /boot/encryption.key -l 256 -s 4096 /dev/label/disk0
The flags: -b marks the provider for attachment at boot, -B writes a backup of the geli metadata to /boot/disk0.eli, -e AES-XTS together with -l 256 selects the cipher and key length, -K adds the key file, and -s 4096 makes the encrypted provider present 4 KiB sectors. If the pool was created on 512-byte sectors (ashift 9, which zdb -C tank will show), check before wiping anything that your ZFS version accepts a 4 KiB-sector device as a replacement in that vdev; otherwise use -s 512.
Enter your passphrase twice. And please, use a strong, unique passphrase, not the one you have on Facebook: it is the only secret an attacker who takes the whole server does not already have.
After this is done, we attach the provider so that we can use the disk through the encryption layer:
geli attach -k /boot/encryption.key label/disk0
And enter the passphrase. The encrypted provider now shows up as label/disk0.eli, and that is the name the pool should use from here on.
Sweet, now let us import the pool again so we can swap the prepared drive in:
zpool import tank
If we check the pool now, it will report disk0 as UNAVAIL and the pool as DEGRADED:
zpool status tank
So we replace the unavailable drive with the encrypted one:
zpool replace tank label/disk0 label/disk0.eli
Let it resilver, or watch it:
zpool status tank
When done, disk0 has been replaced by its .eli counterpart.
That was one drive; seven more to go.
Repeat until done, one drive at a time, and wait for each resilver to finish before wiping the next drive.
Now we just need to adjust the system to load our key file and set up geli at boot.
Edit /boot/loader.conf and add these settings, or adjust accordingly. The variable names use the provider name with the slash replaced by an underscore (label_disk0), while the type value keeps the real provider name (label/disk0). zfs_load="YES" should already be in there, and zfs_enable="YES" in /etc/rc.conf, if the pool was mounting at boot before.
aesni_load="YES"
geom_label_load="YES"
geom_eli_load="YES"
## Disk 0
geli_label_disk0_keyfile0_load="YES"
geli_label_disk0_keyfile0_type="label/disk0:geli_keyfile0"
geli_label_disk0_keyfile0_name="/boot/encryption.key"
## Disk 1
geli_label_disk1_keyfile0_load="YES"
geli_label_disk1_keyfile0_type="label/disk1:geli_keyfile0"
geli_label_disk1_keyfile0_name="/boot/encryption.key"
## Disk 2
geli_label_disk2_keyfile0_load="YES"
geli_label_disk2_keyfile0_type="label/disk2:geli_keyfile0"
geli_label_disk2_keyfile0_name="/boot/encryption.key"
## Disk 3
geli_label_disk3_keyfile0_load="YES"
geli_label_disk3_keyfile0_type="label/disk3:geli_keyfile0"
geli_label_disk3_keyfile0_name="/boot/encryption.key"
## Disk 4
geli_label_disk4_keyfile0_load="YES"
geli_label_disk4_keyfile0_type="label/disk4:geli_keyfile0"
geli_label_disk4_keyfile0_name="/boot/encryption.key"
## Disk 5
geli_label_disk5_keyfile0_load="YES"
geli_label_disk5_keyfile0_type="label/disk5:geli_keyfile0"
geli_label_disk5_keyfile0_name="/boot/encryption.key"
## Disk 6
geli_label_disk6_keyfile0_load="YES"
geli_label_disk6_keyfile0_type="label/disk6:geli_keyfile0"
geli_label_disk6_keyfile0_name="/boot/encryption.key"
## Disk 7
geli_label_disk7_keyfile0_load="YES"
geli_label_disk7_keyfile0_type="label/disk7:geli_keyfile0"
geli_label_disk7_keyfile0_name="/boot/encryption.key"
Reboot and type the passphrase, and again, and again, eight times in all.
Enjoy your encrypted zpool under FreeBSD!
When you need to quickly "pull the plug", export the pool and detach the encrypted drives, which also drops the keys from kernel memory (a script candidate!):
zpool export tank
geli detach label/disk{0..7}.eli
These can be combined into a one-liner:
zpool export tank && geli detach label/disk{0..7}.eli
The {0..7} is brace expansion for disk0 through disk7. It works in bash and zsh, but FreeBSD's /bin/sh does not support it, so there you spell out the eight names or use a loop. Just for convenience.
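The whole per-drive procedure above, the loader.conf stanzas and the detach sequence, as one POSIX sh script. This is an added example, not the author's own code. It assumes the label/disk0 to label/disk7 names, the /boot/encryption.key key file and the geli flags from the guide, and a zpool status layout like the constructed samples embedded in it; DRY_RUN=1 (the default) prints the commands instead of running them.

```shell
#!/bin/sh
# geli_raidz.sh: helper for migrating raidz2 members onto geli providers.
# Added example; assumptions: members named label/disk0..label/disk7, key
# file /boot/encryption.key, geli flags as in the guide. geli init and
# geli attach prompt for the passphrase, so run it from a terminal.
set -u

POOL=${POOL:-tank}
KEYFILE=${KEYFILE:-/boot/encryption.key}
NDISKS=${NDISKS:-8}
DRY_RUN=${DRY_RUN:-1}   # set DRY_RUN=0 on the real server

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

# Reads `zpool status` text on stdin. Succeeds only if no pool or vdev
# state is anything but ONLINE and no resilver is in progress. A raidz2
# with one member already missing survives just one more failure, so
# this is the gate before wiping the next drive.
pool_is_healthy() {
    awk '
        BEGIN { bad = 0 }
        $2 ~ /^(DEGRADED|FAULTED|OFFLINE|UNAVAIL|REMOVED)$/ { bad++ }
        /^ *scan:.*in progress/                           { bad++ }
        END { exit (bad > 0) }
    '
}

wait_for_resilver() {
    until zpool status "$POOL" | pool_is_healthy; do
        sleep 60
    done
}

# The per-drive steps from the guide for label/diskN.
migrate_disk() {
    n=$1
    raw="label/disk$n"
    if [ "$DRY_RUN" != 1 ] && ! zpool status "$POOL" | pool_is_healthy; then
        echo "refusing to wipe $raw: $POOL is not fully ONLINE" >&2
        return 1
    fi
    run zpool export "$POOL"
    # dd exits non-zero when it reaches the end of the device; expected.
    run dd if=/dev/zero of="/dev/$raw" bs=1M
    run geli init -b -B "/boot/disk$n.eli" -e AES-XTS -K "$KEYFILE" -l 256 -s 4096 "/dev/$raw"
    run geli attach -k "$KEYFILE" "$raw"
    run zpool import "$POOL"
    run zpool replace "$POOL" "$raw" "$raw.eli"
    [ "$DRY_RUN" = 1 ] || wait_for_resilver
}

# Emits the /boot/loader.conf stanzas for disk0..disk(NDISKS-1).
loader_conf_entries() {
    i=0
    while [ "$i" -lt "$NDISKS" ]; do
        printf '## Disk %d\n' "$i"
        printf 'geli_label_disk%d_keyfile0_load="YES"\n' "$i"
        printf 'geli_label_disk%d_keyfile0_type="label/disk%d:geli_keyfile0"\n' "$i" "$i"
        printf 'geli_label_disk%d_keyfile0_name="%s"\n' "$i" "$KEYFILE"
        i=$((i + 1))
    done
}

# The "pull the plug" sequence without bash-only {0..7}.
detach_all() {
    run zpool export "$POOL" || return 1
    i=0
    while [ "$i" -lt "$NDISKS" ]; do
        run geli detach "label/disk$i.eli"
        i=$((i + 1))
    done
}

# Constructed zpool status samples (not captured from a real server).
SAMPLE_ONLINE='  pool: tank
 state: ONLINE
  scan: none requested
config:

        NAME                STATE     READ WRITE CKSUM
        tank                ONLINE       0     0     0
          raidz2-0          ONLINE       0     0     0
            label/disk0.eli ONLINE       0     0     0
            label/disk1     ONLINE       0     0     0

errors: No known data errors'

SAMPLE_DEGRADED='  pool: tank
 state: DEGRADED
status: One or more devices could not be opened.  Sufficient replicas exist for
        the pool to continue functioning in a degraded state.
action: Attach the missing device and online it using '"'"'zpool online'"'"'.
  scan: none requested
config:

        NAME              STATE     READ WRITE CKSUM
        tank              DEGRADED     0     0     0
          raidz2-0        DEGRADED     0     0     0
            label/disk0   UNAVAIL      0     0     0  cannot open
            label/disk1   ONLINE       0     0     0

errors: No known data errors'

case "${1:-}" in
    migrate) migrate_disk "$2" ;;
    loader)  loader_conf_entries ;;
    detach)  detach_all ;;
esac
```

Run `./geli_raidz.sh migrate 0` once per drive; the health gate makes it refuse to wipe a drive while the pool is still DEGRADED or resilvering, which is the mistake that would take a raidz2 past its two-drive margin. `./geli_raidz.sh loader >> /boot/loader.conf` appends the eight stanzas, and `./geli_raidz.sh detach` is the pull-the-plug one-liner in a form FreeBSD's /bin/sh accepts.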
There you have it. Hope you enjoyed the guide!
Feel free to comment or ask me to add additional information.