
Can I encrypt an existing zpool with geli?

Discussion in 'Storage' started by thegolum35, Feb 6, 2013.

  1. thegolum35

    thegolum35 New Member


    I am interested in encrypting my zpool but I have no idea of the way I could do so.

    Here is my GPT scheme:
    Antonin# gpart show
    =>       34  488397101  ada0  GPT  (232G)
             34        128     1  freebsd-boot  (64k)
            162    2097152     2  freebsd-ufs  (1.0G)
        2097314    4194304     3  freebsd-swap  (2.0G)
        6291618    4194304     4  freebsd-ufs  (2.0G)
       10485922   73400320     5  freebsd-ufs  (35G)
       83886242    2097152     6  freebsd-ufs  (1.0G)
       85983394  400556032     7  freebsd-zfs  (191G)
      486539426    1857709        - free -  (907M)
    Antonin# mount
    /dev/ada0p2 on / (ufs, local, journaled soft-updates)
    devfs on /dev (devfs, local, multilabel)
    /dev/ada0p4 on /var (ufs, local, journaled soft-updates)
    /dev/ada0p5 on /usr (ufs, local, journaled soft-updates)
    /dev/ada0p6 on /tmp (ufs, local, journaled soft-updates)
    home on /usr/home (zfs, local, nfsv4acls)
    home/compressed on /usr/home/compressed (zfs, local, nfsv4acls)

    I guess I have to init geli on /dev/ada0p7 but I get
    geli: Cannot store metadata on /dev/ada0p7: Operation not permitted.

    Thank you.
  2. SirDice

    SirDice Moderator Staff Member Moderator

    It's most likely mounted. Also keep in mind that enabling geli will destroy anything that's on there. It's not an 'in-place' encryption.
  3. Crivens

    Crivens Moderator Staff Member Moderator

    SirDice is right, do not enable geli on partitions which contain data.

    You could (wild idea!) do a kind-of in-place geli iff your pool would have raid functionality. That would mean to offline one disk at a time, wipe it, geli it, re-add it. After the resilver is complete, do the next one. It may work, but then, I would not do it that way if there is another way.
  4. bbzz

    bbzz Member

    That's what I did with mirror vdevs + one spare.

    Attach extra disk to 2-mirror vdev encrypted, resilver. Detach another one, encrypt, resilver. Take out 3rd one and add to another vdev, repeat.

    Given they were mirrors it wasn't that bad time wise.
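    The disk-at-a-time rotation described by Crivens and bbzz above has one step that is easy to get wrong: moving on to the next disk before the previous resilver has actually finished, which would leave the mirror with no healthy member. The following Python script is an added example from the editor, not code from the thread, that parses `zpool status` output and reports whether the pool is safe to degrade again and which members are still not GELI providers. The two status texts are constructed samples in the 2013 FreeBSD `zpool status` layout, the pool and device names are assumed, and the command sequence in the comment is the editor's reading of the procedure, not the posters' exact commands.

```python
import re

# Constructed sample outputs (not from the thread), shaped like FreeBSD
# `zpool status` for a two-way mirror in which ada0p7 has already been
# rotated onto a GELI provider (ada0p7.eli) and ada1p7 has not.
STATUS_RESILVER_DONE = """\
  pool: home
 state: ONLINE
  scan: resilvered 1.21G in 0h3m with 0 errors on Wed Feb  6 12:00:00 2013
config:

\tNAME            STATE     READ WRITE CKSUM
\thome            ONLINE       0     0     0
\t  mirror-0      ONLINE       0     0     0
\t    ada0p7.eli  ONLINE       0     0     0
\t    ada1p7      ONLINE       0     0     0

errors: No known data errors
"""

STATUS_RESILVER_RUNNING = """\
  pool: home
 state: DEGRADED
status: One or more devices is currently being resilvered.  The pool will
\tcontinue to function, possibly in a degraded state.
action: Wait for the resilver to complete.
  scan: resilver in progress since Wed Feb  6 11:57:00 2013
        620M scanned out of 1.21G at 6.9M/s, 0h1m to go
        620M resilvered, 51.2% done
config:

\tNAME              STATE     READ WRITE CKSUM
\thome              DEGRADED     0     0     0
\t  mirror-0        DEGRADED     0     0     0
\t    ada0p7.eli    ONLINE       0     0     0
\t    replacing-1   DEGRADED     0     0     0
\t      ada1p7      OFFLINE      0     0     0
\t      ada1p7.eli  ONLINE       0     0     0  (resilvering)

errors: No known data errors
"""

# Per-disk rotation as the editor understands it (assumed names):
#   zpool offline home ada1p7
#   geli init /dev/ada1p7 && geli attach /dev/ada1p7
#   zpool replace home ada1p7 ada1p7.eli
# then wait until resilver_finished_cleanly() is True before the next disk.

_VDEV_STATES = "ONLINE|DEGRADED|OFFLINE|FAULTED|UNAVAIL|REMOVED"
_VDEV_RE = re.compile(
    r"^\s*(?P<name>\S+)\s+(?P<state>" + _VDEV_STATES + r")"
    r"\s+(?P<read>\d+)\s+(?P<write>\d+)\s+(?P<cksum>\d+)(?P<note>.*)$"
)
# Interior vdev names that are never a disk needing rotation.
_GROUP_PREFIXES = ("mirror-", "raidz", "replacing-", "spare-")


def parse_zpool_status(text):
    """Return pool name, state, first scan line and the vdev table rows."""
    info = {"pool": None, "state": None, "scan": "", "vdevs": []}
    in_config = False
    for line in text.splitlines():
        stripped = line.strip()
        if in_config:
            if stripped.startswith("errors:"):
                in_config = False
            elif stripped and not stripped.startswith("NAME"):
                m = _VDEV_RE.match(line)
                if m:
                    row = m.groupdict()
                    row["resilvering"] = "resilvering" in row["note"]
                    info["vdevs"].append(row)
            continue
        if stripped.startswith("pool:"):
            info["pool"] = stripped.split(":", 1)[1].strip()
        elif stripped.startswith("state:"):
            info["state"] = stripped.split(":", 1)[1].strip()
        elif stripped.startswith("scan:"):
            info["scan"] = stripped.split(":", 1)[1].strip()
        elif stripped.startswith("config:"):
            in_config = True
    return info


def resilver_finished_cleanly(info):
    """True only when the pool is ONLINE, the last scan was a resilver that
    completed with 0 errors, and no vdev is degraded or still resilvering."""
    scan = info["scan"]
    scan_ok = scan.startswith("resilvered") and "with 0 errors" in scan
    vdevs_ok = all(v["state"] == "ONLINE" and not v["resilvering"]
                   for v in info["vdevs"])
    return info["state"] == "ONLINE" and scan_ok and vdevs_ok


def members_not_yet_on_geli(info):
    """Leaf devices in the pool whose name is not a GELI provider (*.eli)."""
    leaves = [v["name"] for v in info["vdevs"]
              if v["name"] != info["pool"]
              and not v["name"].startswith(_GROUP_PREFIXES)]
    return [name for name in leaves if not name.endswith(".eli")]


if __name__ == "__main__":
    for text in (STATUS_RESILVER_DONE, STATUS_RESILVER_RUNNING):
        info = parse_zpool_status(text)
        print(info["pool"], info["state"],
              "safe to rotate next:", resilver_finished_cleanly(info),
              "still unencrypted:", members_not_yet_on_geli(info))
```

On a real system the text would come from `subprocess.run(["zpool", "status", pool], capture_output=True, text=True).stdout`; the check deliberately insists on "with 0 errors" in the scan line, since a resilver that finished with errors means the surviving copy is no longer trustworthy and taking the next disk offline would be the wrong move.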
  5. xibo

    xibo Member

    GELI adds metadata to a disk and therefore reduces the number of blocks available to the zpool AFAIK.

    Therefore you would need to move the contents of the original zpool by hand (i.e. cp/cpio/rsync/...) to a newly created and slightly smaller zpool created on the geli device instead of re-adding the geli device to the original zpool, and once completed, destroy the original pool, set up geli on the remaining devices and add them to the new pool.
  6. bbzz

    bbzz Member

    ZFS can tolerate small differences in size between two disks/partitions, so the above is not really needed.

    I did what I said without any problems.