Solved Create first raidz or encryption?


New Member

Messages: 12

I'm trying to create encrypted raidz, but how?

If I understand correctly, I need to encrypt every disk before creating zpool, like this:

% sudo gpart add -t freebsd-zfs -l volume-enc0 ada2
% sudo gpart add -t freebsd-zfs -l volume-enc1 ada3
% sudo gpart add -t freebsd-zfs -l volume-enc2 ada4

% sudo geli init -l 256 /dev/gpt/volume-enc0
% sudo geli init -l 256 /dev/gpt/volume-enc1
% sudo geli init -l 256 /dev/gpt/volume-enc2

% sudo geli attach /dev/gpt/volume-enc0
% sudo geli attach /dev/gpt/volume-enc1
% sudo geli attach /dev/gpt/volume-enc2

% sudo zpool create -f enc-zpool raidz /dev/gpt/volume-enc0.eli /dev/gpt/volume-enc1.eli /dev/gpt/volume-enc2.eli

% sudo zfs set compression=lz4 enc-zpool

Ok, now I've rebooted. How to mount encrypted zpool?


New Member

Messages: 12

I made it again with different instructions:

dd if=/dev/random of=/root/ada2.key bs=64 count=1
dd if=/dev/random of=/root/ada3.key bs=64 count=1
dd if=/dev/random of=/root/ada4.key bs=64 count=1

geli init -s 4096 -K /root/ada2.key /dev/ada2
geli init -s 4096 -K /root/ada3.key /dev/ada3
geli init -s 4096 -K /root/ada4.key /dev/ada4

geli attach -k /root/ada2.key /dev/ada2
geli attach -k /root/ada3.key /dev/ada3
geli attach -k /root/ada4.key /dev/ada4

zpool create -f enc-zpool raidz ada2.eli ada3.eli ada4.eli

Then I made script to mount pool:

#!/usr/bin/env bash
devices=(ada2 ada3 ada4)

read -s -p 'password: ' pass
for name in "${devices[@]}"; do
    echo "mounting: $name"
    echo -n "$pass" | geli attach -j - -k "/root/geli/$name.key" "/dev/$name" || exit 1
echo "import: $zpool"
zpool import -R "$zpool"

Is it safe to keep key-files on unencrypted disk? I want to make file server and save files to encrypted zpool. Now I need to give password after every boot to open zpool. How to make this automatically? I've only ssh connection to server.

Eric A. Borisch

Aspiring Daemon

Reaction score: 362
Messages: 590

It depends on how paranoid you want to be. If you just want to be able to remove the encrypted drives at a later date and be able to say they are unreadable, sure. If the boot drive and the encrypted drives are compromised together, then the encryption is worthless. If this is at a cloud provider, you need to adjust your paranoia level appropriately for your data.

I typically use an empty pass phrase and a (created random) keyfile for encrypting the master key in this configuration. The keyfile is stored (root-only-readable) on the boot drive. (You can adjust how the master key is encrypted after creation with geli setkey.) You can also use a file with the password stored in it (or both a password file and keyfile).

Look at the geli_* options in /etc/defaults/rc.conf and add as appropriate to /etc/rc.conf; you shouldn’t need a custom script to decrypt at boot and import the pool, just appropriate geli_* options and zfs_enable="YES" in rc.conf. I also use geli_autodetach="NO" to avoid the automatic destruction of the geli devices if you export the pool for some reason.