
Encrypting an existing raidz2

So, I decided to give this a try, and this time in English, which should reach a broader audience.

Having 8x 2TB drives in a raidz2, I was under the impression that encrypting it would force me to migrate the data off first, then destroy and rebuild the whole pool on encrypted drive "aliases" instead.

After more research, and a trial run inside a virtual machine with positive results, I decided to do it for real.

So I present to you: "FreeBSD – Encrypting an existing raidz2".

As the existing raidz2 consists of eight drives, there will be a considerable amount of typing on every reboot of the server (one passphrase for each encrypted drive). As my server is not rebooted that often, the benefits outweigh this.

First I export my pool, henceforth known as "tank". This is so that one of the disks can be destroyed without problems.

zpool export tank

The destructive command that makes this happen is dd:

dd if=/dev/zero of=/dev/label/disk0 bs=1M

Note that I use the drive's label alias. I do this because I like the label names better, and they also don't change, should I have to switch the order of the drives etc.

Before we start encrypting anything we need a key that is used when scrambling the data in the encryption process. We create this key with this command:

dd if=/dev/urandom of=/boot/encryption.key bs=4096 count=1

This will create a 4096-byte file with our goo of ingredients for encrypting our files. We could do really well with 2048 as well, but what the heck, why not..

Now on to the first disk that will receive the geli treatment:

geli init -b -B /boot/disk0.eli -e AES-XTS -K /boot/encryption.key -l 256 -s 4096 /dev/label/disk0

Enter your passphrase twice. And please, use a secure passphrase. Not the one you have on Facebook etc. This should be safe, not NSA-aware ;)

After this is done, we attach it so that we can use the disk through the encryption layer:

geli attach -k /boot/encryption.key label/disk0

Enter the passphrase. You now have a new provider, label/disk0.eli, and that is the name you should use in the zpool.
Sweet, now let us attach this prepared drive to our pool:

zpool import tank

If we check the pool now, it will report disk0 as unavailable:

zpool status tank

So, we replace the unavailable drive with the new one:

zpool replace tank label/disk0 label/disk0.eli

Let it resilver, or watch it:

zpool status tank

When it is done, disk0 will have been replaced by its .eli counterpart.
That was one drive.. seven more to go.
Repeat until done.
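The per-disk sequence above (export, wipe, geli init, geli attach, import, replace, wait for the resilver), wrapped in a script as an added example. This is not the author's script; it assumes the names used in the post (pool "tank", labels label/diskN, keyfile /boot/encryption.key, backup metadata in /boot/diskN.eli). The DRY_RUN switch and the run() wrapper are my additions: by default the script only prints the commands so the sequence can be reviewed before any disk is wiped, and the resilver wait polls the "resilver in progress" line of zpool status that the post watches by hand.

```sh
#!/bin/sh
# Added example, not the author's script.  Converts one raidz2 member at a
# time to a geli provider, following the sequence described in the post.
# Assumes pool "tank", devices label/diskN, keyfile /boot/encryption.key.
# DRY_RUN=1 (the default) prints every command instead of executing it.
set -eu

POOL="${POOL:-tank}"
KEYFILE="${KEYFILE:-/boot/encryption.key}"
DRY_RUN="${DRY_RUN:-1}"   # set DRY_RUN=0 only after reviewing the dry run

# run CMD...: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Block until zpool status no longer reports a resilver in progress.
# In dry-run mode this only notes where the wait would happen.
wait_for_resilver() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "+ (wait for resilver of $POOL)"
        return 0
    fi
    while zpool status "$POOL" | grep -q 'resilver in progress'; do
        sleep 30
    done
}

# convert_disk N: export the pool, wipe label/diskN, initialise and attach
# geli on it, import the pool again, replace the old device with the .eli
# provider, and wait for the resilver before returning.
convert_disk() {
    n="$1"
    dev="label/disk$n"
    run zpool export "$POOL"
    run dd if=/dev/zero of="/dev/$dev" bs=1M
    run geli init -b -B "/boot/disk$n.eli" -e AES-XTS -K "$KEYFILE" \
        -l 256 -s 4096 "/dev/$dev"
    run geli attach -k "$KEYFILE" "$dev"
    run zpool import "$POOL"
    run zpool replace "$POOL" "$dev" "$dev.eli"
    wait_for_resilver
}

# Usage: sh convert.sh 0 [1 2 ...]   (one disk number per argument;
# each disk is fully resilvered before the next one is touched)
if [ $# -gt 0 ]; then
    for i in "$@"; do
        convert_disk "$i"
    done
fi
```

Running `sh convert.sh 0` with the default DRY_RUN=1 prints the seven steps for disk0 and touches nothing; `DRY_RUN=0 sh convert.sh 0` performs them, prompting for the geli passphrase at init and attach as in the post.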
Now we just need to adjust the system to load our keyfile and set up geli when booting up.
Edit the /boot/loader.conf file and add these settings to it, or adjust accordingly.

aesni_load="YES"
geom_label_load="YES"
geom_eli_load="YES"

## Disk 0
geli_label_disk0_keyfile0_load="YES"
geli_label_disk0_keyfile0_type="label/disk0:geli_keyfile0"
geli_label_disk0_keyfile0_name="/boot/encryption.key"

## Disk 1
geli_label_disk1_keyfile0_load="YES"
geli_label_disk1_keyfile0_type="label/disk1:geli_keyfile0"
geli_label_disk1_keyfile0_name="/boot/encryption.key"

## Disk 2
geli_label_disk2_keyfile0_load="YES"
geli_label_disk2_keyfile0_type="label/disk2:geli_keyfile0"
geli_label_disk2_keyfile0_name="/boot/encryption.key"

## Disk 3
geli_label_disk3_keyfile0_load="YES"
geli_label_disk3_keyfile0_type="label/disk3:geli_keyfile0"
geli_label_disk3_keyfile0_name="/boot/encryption.key"

## Disk 4
geli_label_disk4_keyfile0_load="YES"
geli_label_disk4_keyfile0_type="label/disk4:geli_keyfile0"
geli_label_disk4_keyfile0_name="/boot/encryption.key"

## Disk 5
geli_label_disk5_keyfile0_load="YES"
geli_label_disk5_keyfile0_type="label/disk5:geli_keyfile0"
geli_label_disk5_keyfile0_name="/boot/encryption.key"

## Disk 6
geli_label_disk6_keyfile0_load="YES"
geli_label_disk6_keyfile0_type="label/disk6:geli_keyfile0"
geli_label_disk6_keyfile0_name="/boot/encryption.key"

## Disk 7
geli_label_disk7_keyfile0_load="YES"
geli_label_disk7_keyfile0_type="label/disk7:geli_keyfile0"
geli_label_disk7_keyfile0_name="/boot/encryption.key"
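Eight near-identical stanzas are easy to get wrong (a single unbalanced quote in loader.conf stops the keyfile from loading for that disk), so here is an added example, not from the post, that generates the stanzas and lints an existing file for unquoted geli_ values. It assumes the label/diskN naming and the keyfile path from the post; the function names are mine.

```sh
#!/bin/sh
# Added example, not the author's.  Emits the /boot/loader.conf stanzas the
# post shows, for disks FIRST..LAST, with uniform straight double quotes,
# and checks an existing file for geli_ lines whose value is not quoted.
set -eu

# The three modules loaded before any per-disk settings.
loader_conf_header() {
    printf '%s\n' 'aesni_load="YES"' 'geom_label_load="YES"' 'geom_eli_load="YES"'
}

# geli_stanza N KEYFILE: the rc variables the loader reads for label/diskN
# (the same geli_<provider>_keyfile0_{load,type,name} triple as in the post).
geli_stanza() {
    n="$1"; key="$2"
    printf '\n## Disk %s\n' "$n"
    printf 'geli_label_disk%s_keyfile0_load="YES"\n' "$n"
    printf 'geli_label_disk%s_keyfile0_type="label/disk%s:geli_keyfile0"\n' "$n" "$n"
    printf 'geli_label_disk%s_keyfile0_name="%s"\n' "$n" "$key"
}

# gen_loader_conf FIRST LAST KEYFILE: header plus one stanza per disk.
gen_loader_conf() {
    first="$1"; last="$2"; key="$3"
    loader_conf_header
    i="$first"
    while [ "$i" -le "$last" ]; do
        geli_stanza "$i" "$key"
        i=$((i + 1))
    done
}

# check_loader_conf FILE: print (with line numbers) every geli_ setting whose
# value is not wrapped in straight double quotes; prints nothing when clean.
check_loader_conf() {
    grep -n '^geli_' "$1" | grep -v '="[^"]*"$' || true
}

# Usage: sh genconf.sh 0 7 /boot/encryption.key >> /boot/loader.conf
#        then: check_loader_conf /boot/loader.conf
if [ $# -eq 3 ]; then
    gen_loader_conf "$@"
fi
```

Run the generator once for disks 0 through 7 and append the output; the checker is worth running on the finished file, since a stanza with a stray or missing quote silently leaves that provider waiting for a keyfile that never loads.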

Reboot and type the passphrase.. and again.. and again… etc.

Enjoy your encrypted zpool under FreeBSD!

When you have the need to quickly "pull the plug", export the pool, and detach your encrypted drives (script candidate!):

zpool export tank
geli detach label/disk{0..7}.eli

These can be put into a one-liner:

zpool export tank && geli detach label/disk{0..7}.eli

The {0..7} is shell brace expansion (bash and zsh support it; FreeBSD's /bin/sh does not), a shorthand for all drives 0 through 7.
Just for convenience.
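Taking up the "script candidate" remark, here is the pull-the-plug sequence as an added example (not the author's script). It assumes the post's pool name "tank" and providers label/disk0.eli through label/disk7.eli; the DRY_RUN switch, the run() wrapper and the function names are mine. The point it adds over the one-liner is ordering and reporting: the providers are only detached once the export has actually succeeded, each detach failure is reported rather than aborting the rest, and the disk range is spelled out with a loop so the script works in FreeBSD's /bin/sh as well.

```sh
#!/bin/sh
# Added example, not the author's script.  Export the pool, then detach
# every geli provider, reporting what could not be detached.
# Assumes pool "tank" and providers label/disk0.eli .. label/disk7.eli.
# DRY_RUN=1 (the default) prints the commands instead of executing them.
set -u

POOL="${POOL:-tank}"
FIRST="${FIRST:-0}"
LAST="${LAST:-7}"
DRY_RUN="${DRY_RUN:-1}"

# run CMD...: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# providers FIRST LAST: one provider name per line, without relying on
# {0..7}, which FreeBSD's /bin/sh does not expand.
providers() {
    i="$1"
    while [ "$i" -le "$2" ]; do
        echo "label/disk$i.eli"
        i=$((i + 1))
    done
}

# pull_the_plug: export first; if that fails the pool still has the
# providers open, so nothing is detached.  Returns the number of
# providers that could not be detached (0 on full success).
pull_the_plug() {
    if ! run zpool export "$POOL"; then
        echo "export of $POOL failed; leaving providers attached" >&2
        return 1
    fi
    failed=0
    for p in $(providers "$FIRST" "$LAST"); do
        if ! run geli detach "$p"; then
            echo "could not detach $p" >&2
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Usage: DRY_RUN=0 sh plug.sh go   (any argument triggers the real run)
if [ $# -gt 0 ]; then
    pull_the_plug
fi
```

A non-zero exit status from the script therefore means some provider is still attached, which is exactly the case where the "plug" did not come out.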

There you have it. Hope you enjoyed the guide!
Feel free to comment or ask me to add additional information.
