How does disk resilvering work with a geli-encrypted zfs installation?

I saw that 13.0-RELEASE came out and so I decided to take the opportunity to move my server from CentOS back to freebsd (I was previously a longtime user of FreeBSD but I switched a while back for reasons I can't quite remember).

I decided during installation that I would like to encrypt my disks, which is not something I normally do with a server. I have 8 disks in a single raidz2 ZFS pool, using the default options with root on ZFS.

Something that seems like it may be a problem though, is what happens when I need to replace a failed disk. Do I just insert the disk and run a zfs replace like normal, and everything happens automatically? Or do additional steps need to be taken to ensure the new disk is encrypted properly like the others?

I couldn't find anything with Google but it seems like this is potentially going to be a problem for me down the road, so I thought I'd ask before it happens.
 
From ZFS' perspective, this is a normal unencrypted pool, just using .eli devices. So, before you zfs replace, just run the appropriate geli init and geli attach to provide the new .eli device.
 
FreeBSD 13.0 comes with OpenZFS 2.0, which has native built-in encryption. If you use that instead of geli, you won't get the same full metadata protection, but your pool will be inter-operable with Linux (which is impossible with geli), adding/replacing disks will be less of a headache, and you can send "pre-encrypted" datasets into other pools.
 
mtu you forgot one drawback, FreeBSD can't boot from a zfs-encrypted root dataset ;) But apart from that, yes, that's more or less the tradeoffs.
 
As an alternative solution you could partition all disks and use partitions of those disks to split it into two pools - rpool and data (encrypted).
 
FreeBSD 13.0 comes with OpenZFS 2.0, which has native built-in encryption. If you use that instead of geli, you won't get the same full metadata protection, but your pool will be inter-operable with Linux (which is impossible with geli), adding/replacing disks will be less of a headache, and you can send "pre-encrypted" datasets into other pools.
there are some quirks still with ZFS encryption ... see my mailing list post at https://marc.info/?l=freebsd-fs&m=161450464315911&w=2

Also note: for performance, geli is a much better solution than native encryption.
 
  • Thanks
Reactions: mtu
Back
Top