How does disk resilvering work with a geli-encrypted zfs installation?

puppyboy

I saw that 13.0-RELEASE came out and so I decided to take the opportunity to move my server from CentOS back to FreeBSD (I was previously a longtime user of FreeBSD but I switched a while back for reasons I can't quite remember).

I decided during installation that I would like to encrypt my disks, which is not something I normally do with a server. I have 8 disks in a single raidz2 ZFS pool, using the default options with root on ZFS.

Something that seems like it may be a problem, though, is what happens when I need to replace a failed disk. Do I just insert the disk and run a zfs replace like normal, and everything happens automatically? Or do additional steps need to be taken to ensure the new disk is encrypted properly like the others?

I couldn't find anything with Google but it seems like this is potentially going to be a problem for me down the road, so I thought I'd ask before it happens.
 

Zirias

From ZFS' perspective, this is a normal unencrypted pool, just using .eli devices. So, before you zfs replace, just run the appropriate geli init and geli attach to provide the new .eli device.
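
The sequence described in this reply, as an added example that is not part of the original thread: it reads `geli list` output for a healthy pool member and prints the matching `geli init`, `geli attach` and `zpool replace` commands (the pool-level replace command is `zpool replace`). The pool name `zroot`, the partition names `ada0p3`/`ada7p3` and the sample `geli list` text are assumptions, and the replacement disk is assumed to be partitioned like the others already.

```sh
#!/bin/sh
# Added example: prints (does not run) the commands for replacing a member
# of a GELI-backed pool. Pool and device names below are assumptions.

# Constructed, abridged sample of `geli list` output for a healthy member.
sample_geli_list() {
cat <<'EOF'
Geom name: ada0p3.eli
State: ACTIVE
EncryptionAlgorithm: AES-XTS
KeyLength: 256
Flags: BOOT, GELIBOOT
Providers:
1. Name: ada0p3.eli
   Sectorsize: 4096
Consumers:
1. Name: ada0p3
   Sectorsize: 512
EOF
}

# usage: geli list <healthy>.eli | replace_plan <pool> <old-vdev> <new-partition>
replace_plan() {
    awk -v pool="$1" -v old="$2" -v new="$3" '
        $1 == "EncryptionAlgorithm:" { ealgo = $2 }
        $1 == "KeyLength:"           { klen = $2 }
        $1 == "Flags:"               { flags = $0 }
        # First Sectorsize is the .eli provider, the second is the raw disk.
        $1 == "Sectorsize:" && !ssz  { ssz = $2 }
        END {
            if (ealgo == "" || klen == "" || ssz == "") {
                print "replace_plan: incomplete geli list input" > "/dev/stderr"
                exit 1
            }
            opts = ""
            if (flags ~ /[ ,]BOOT/) opts = opts " -b"   # ask passphrase at boot
            if (flags ~ /GELIBOOT/) opts = opts " -g"   # loader may boot from it
            # Same cipher, key length and sector size as the existing members.
            printf "geli init%s -e %s -l %s -s %s %s\n", opts, ealgo, klen, ssz, new
            printf "geli attach %s\n", new
            # ZFS only ever sees the decrypted .eli provider.
            printf "zpool replace %s %s %s.eli\n", pool, old, new
            printf "zpool status %s\n", pool
        }'
}

# Demo on the constructed sample; ada7p3 is the (assumed) replacement partition.
sample_geli_list | replace_plan zroot ada7p3.eli ada7p3
```

Review the printed commands before running them by hand; `geli init` and `geli attach` will prompt for the passphrase, and the resilver starts once `zpool replace` returns.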
 

mtu

FreeBSD 13.0 comes with OpenZFS 2.0, which has native built-in encryption. If you use that instead of geli, you won't get the same full metadata protection, but your pool will be inter-operable with Linux (which is impossible with geli), adding/replacing disks will be less of a headache, and you can send "pre-encrypted" datasets into other pools.
 

Zirias

mtu, you forgot one drawback: FreeBSD can't boot from a ZFS-encrypted root dataset ;) But apart from that, yes, those are more or less the tradeoffs.
 

_martin

As an alternative solution you could partition all disks and use partitions of those disks to split it into two pools - rpool and data (encrypted).
 

rootbert

FreeBSD 13.0 comes with OpenZFS 2.0, which has native built-in encryption. If you use that instead of geli, you won't get the same full metadata protection, but your pool will be inter-operable with Linux (which is impossible with geli), adding/replacing disks will be less of a headache, and you can send "pre-encrypted" datasets into other pools.
There are some quirks still with ZFS encryption ... see my mailing list post at https://marc.info/?l=freebsd-fs&m=161450464315911&w=2

Also note: for performance, geli is a much better solution than native encryption.
 