Can I encrypt an existing zpool with geli?


Postby thegolum35 » 06 Feb 2013, 15:18

Hi,

I am interested in encrypting my zpool but I have no idea of the way I could do so.

Here is my GPT scheme:
Antonin# gpart show
=>       34  488397101  ada0  GPT  (232G)
         34        128     1  freebsd-boot  (64k)
        162    2097152     2  freebsd-ufs  (1.0G)
    2097314    4194304     3  freebsd-swap  (2.0G)
    6291618    4194304     4  freebsd-ufs  (2.0G)
   10485922   73400320     5  freebsd-ufs  (35G)
   83886242    2097152     6  freebsd-ufs  (1.0G)
   85983394  400556032     7  freebsd-zfs  (191G)
  486539426    1857709        - free -  (907M)

Antonin# mount
/dev/ada0p2 on / (ufs, local, journaled soft-updates)
devfs on /dev (devfs, local, multilabel)
/dev/ada0p4 on /var (ufs, local, journaled soft-updates)
/dev/ada0p5 on /usr (ufs, local, journaled soft-updates)
/dev/ada0p6 on /tmp (ufs, local, journaled soft-updates)
home on /usr/home (zfs, local, nfsv4acls)
home/compressed on /usr/home/compressed (zfs, local, nfsv4acls)


I guess I have to init geli on /dev/ada0p7 but I get

geli: Cannot store metadata on /dev/ada0p7: Operation not permitted.


Thank you.

Postby SirDice » 06 Feb 2013, 15:25

It's most likely mounted. Also keep in mind that enabling geli will destroy anything that's on there. It's not an 'in-place' encryption.

Postby Crivens » 07 Feb 2013, 08:45

SirDice is right, do not enable geli on partitions which contain data.

You could (wild idea!) do a kind-of in-place geli iff your pool would have raid functionality. That would mean to offline one disk at a time, wipe it, geli it, re-add it. After the resilver is complete, do the next one. It may work, but then, I would not do it that way if there is another way.

Postby bbzz » 07 Feb 2013, 10:44

That's what I did with mirror vdevs + one spare.

Attach extra disk to 2-mirror vdev encrypted, resilver. Detach another one, encrypt, resilver. Take out 3rd one and add to another vdev, repeat.

Given they were mirrors it wasn't that bad time-wise.
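As an added example (not code posted in the thread), a POSIX sh script that carries out the spare-disk rotation bbzz describes for one mirror vdev, with Crivens' "wipe it" step included. The pool name tank, the partitions ada1p7/ada2p7 and the key directory are assumptions; it defaults to DRY_RUN=1 and only prints the commands until you set DRY_RUN=0.

```shell
#!/bin/sh
# Constructed example: rotate one member of a ZFS mirror onto a geli provider
# via a spare disk. Pool, partition and key-file names are assumptions.
# DRY_RUN=1 (default) prints each command instead of executing it.
set -eu
: "${DRY_RUN:=1}"

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Wipe old ZFS labels, then init and attach geli with a per-provider key file.
# geli init refuses a partition that is still open (the error in the first
# post), so the partition must already be detached from the pool.
geli_provider() {
    part=$1 keydir=$2
    run zpool labelclear -f "/dev/$part"
    run geli init -e AES-XTS -l 256 -s 4096 -P -K "$keydir/$part.key" "/dev/$part"
    run geli attach -p -k "$keydir/$part.key" "/dev/$part"
}

# Block until zpool status stops reporting a resilver (just printed in dry run).
wait_resilver() {
    pool=$1
    if [ "$DRY_RUN" = 1 ]; then run zpool status "$pool"; return 0; fi
    while zpool status "$pool" | grep -q 'resilver in progress'; do sleep 30; done
}

# rotate_member POOL MEMBER SPARE KEYDIR
#  1. attach the encrypted spare to MEMBER's mirror and resilver
#  2. detach MEMBER, encrypt it, attach it back and resilver
#  3. detach the spare so it can serve the next mirror vdev
rotate_member() {
    pool=$1 member=$2 spare=$3 keydir=$4
    geli_provider "$spare" "$keydir"
    run zpool attach "$pool" "$member" "$spare.eli"
    wait_resilver "$pool"
    run zpool detach "$pool" "$member"
    geli_provider "$member" "$keydir"
    run zpool attach "$pool" "$spare.eli" "$member.eli"
    wait_resilver "$pool"
    run zpool detach "$pool" "$spare.eli"
    run geli detach "$spare.eli"
}
```

Redundancy never drops below two copies during the rotation, which is why the spare-disk variant is preferable to offlining a member in place.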

Postby xibo » 07 Feb 2013, 12:10

GELI adds metadata to a disk and therefore reduces the number of blocks available to the zpool AFAIK.

Therefore you would need to move the contents of the original zpool by hand (i.e. cp/cpio/rsync/...) to a newly created and slightly smaller zpool created on the geli device instead of re-adding the geli device to the original zpool, and once completed, destroy the original pool, setup geli on the remaining devices and add them to the new pool.

Postby bbzz » 07 Feb 2013, 13:40

xibo wrote:
GELI adds metadata to a disk and therefore reduces the number of blocks available to the zpool AFAIK.

Therefore you would need to move the contents of the original zpool by hand (i.e. cp/cpio/rsync/...) to a newly created and slightly smaller zpool created on the geli device instead of re-adding the geli device to the original zpool, and once completed, destroy the original pool, setup geli on the remaining devices and add them to the new pool.

ZFS can tolerate small differences in size between two disks/partitions, so the above is not really needed.

I did what I said without any problems.