Disk Encryption and ZFS - method questions.
Post by ^nighthawk^ » 09 Nov 2015 03:44

Hi all,

Just like to say the board has been of great help so far in planning the setup and the testing of my NAS. However, there comes a point where you realise you may not entirely get why something is done a particular way, and that is why I'm here.

So, encryption: until we get ZFS encryption built in, which sounds like it could be fairly soon (next year or so), I've been wondering about how to do this. I read up on geli encryption and from an earlier thread was aware of some helpful and knowledgeable people pointing toward the use of glabels in setting up ZFS pools.

Originally I wasn't going to encrypt, but I decided if it's available... why not.

I made the decision to encrypt and decided to encrypt each of the disks that would make up part of the various vdevs in my zfs pool.

Scouring the internet I found most people in FreeBSD appear to use glabels (or a GPT label), then use geli pointing to the glabel.


    glabel label -v blahdisk1 /dev/ada1                  # glabel metadata goes in the last sector of ada1
    geli init -somearguments... /dev/label/blahdisk1     # geli metadata goes in the last sector of the labelled provider
    geli attach /dev/label/blahdisk1                     # attaching (not shown above) is what exposes /dev/label/blahdisk1.eli

This results in blahdisk1.eli
I can see this works, and that having an encrypted drive with the same label to present to your ZFS pool is nice and all. But you're still losing 4096 for the label (assuming 4k sectors) and 4096 for the geli sector at the end of the drive.
This does however present itself fairly neatly in nas4free when you want to identify disks, see if the right disk is attached, and then you can add the disk to ZFS in this method via the labelled.eli. Or maybe just the labels?


Well... I went and did it the other way, as I figured encrypting the drive first sounded like a great idea :twisted: , surely the last sector on the drive should be the geli data and not a glabel? (If I'm understanding this incorrectly just let me know.) Then inside the encrypted disk, I created a glabel (relevant to the disk in question). We'll call it "DiskID" here.

So essentially I ended up with:

    geli init -somearguments /dev/ada1      # geli metadata in the last sector of the raw disk
    geli attach /dev/ada1                   # attaching is what creates /dev/ada1.eli
    glabel label -v DiskID /dev/ada1.eli    # glabel metadata in the last sector of the encrypted provider

I could not create a zpool in the nas4free web interface, regardless of having disks attached or not, with this method, as it didn't recognise any disks under the GUI options for ZFS... even though I'd ZFS formatted them.

I created the zpool using:

    zpool create SOMEBIGTANK /dev/label/DiskID

Sync'd it in the GUI and it's available and online.

Can anyone explain to me which is the best method and why? Also if I have done something incorrect please let me know...

I've made a few mistakes in this setup so far, but it's been good to play around and fault the pool and then trash my config completely and put it back again with only a minimum of fuss.

Interestingly I got the GUI to report the whole Pool and drives etc were unavailable, scanned and re-added disks, made sure they were on different ada's, messed with the zfs commands so that it reported a "line error" in the gui and it went white xD... then got on the console cleared the pool of errors, onlined all the encrypted disks via the labels then did a sync and it all worked again.... which made me very happy.

I still have reservations about whether I have set it up right though... even though clearly geli list shows a 4096 difference in usable and the glabel inside the encryption shows that the ZFS pool has 4096 less than that. (This seems correct from all I've read.)

There is no serious data on the box yet, so I will be wiping out this pool and everything I've done thus far to... hopefully use pointers and advice to set it up in the recommended way, if that makes life easier...

Finally, I'm assuming you all don't put on the geli init -b flag on the ZFS storage disks as you don't need to boot from them, right? Seems like it's probably more for boot drives with data partitions in laptops and whatnot, by the looks of the behaviour.

Please let me know if you want me to run any tests or have any advice and I will make time to do so, as it's important I get this right. :D
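An added example, not part of the original post: a POSIX shell script that builds pool members in the poster's second order (geli on the raw disk, glabel inside the .eli provider) and creates the pool from the labels, with a DRY_RUN mode so the command sequence can be inspected before touching real disks. Disk names, label names, key and backup paths, and the mirror layout are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's code: builds "geli on the raw disk, glabel
# inside the .eli" pool members in the order the poster used, then creates the
# pool from the labels. Disk names, label names and key/backup paths are
# assumptions. DRY_RUN=1 prints each command instead of executing it.
set -eu
DRY_RUN="${DRY_RUN:-0}"

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# encrypt_disk DISK LABEL KEYFILE BACKUPDIR
#  geli init on the raw disk puts geli metadata in the disk's last sector;
#  -s 4096 matches 4k drives, -P -K makes attach unattended (key file, no
#  passphrase), -B saves a metadata backup. No -b: that asks for a
#  passphrase at boot and stalls a headless NAS. geli attach exposes
#  /dev/DISK.eli, and glabel then writes its metadata into the last sector
#  of the encrypted provider, so ZFS is pointed at /dev/label/LABEL only.
encrypt_disk() {
    disk="$1"; label="$2"; keyfile="$3"; backupdir="$4"
    run geli init -s 4096 -l 256 -P -K "$keyfile" -B "$backupdir/$disk.eli" "/dev/$disk"
    run geli attach -p -k "$keyfile" "/dev/$disk"
    run glabel label -v "$label" "/dev/$disk.eli"
}

# plan_pool POOL DISK:LABEL ... -> encrypt each member, then build a mirror
# from the labels (swap "mirror" for raidz1 etc. as the vdev layout requires).
plan_pool() {
    pool="$1"; shift
    members=""
    for pair in "$@"; do
        disk="${pair%%:*}"; label="${pair#*:}"
        encrypt_disk "$disk" "$label" "/root/keys/$disk.key" "/root/geli-backup"
        members="$members /dev/label/$label"
    done
    run zpool create "$pool" mirror $members   # members is a deliberate word list
}

# rc_conf_lines DISK ... -> rc.conf(5) entries with which rc.d/geli attaches the
# providers at boot on stock FreeBSD (on embedded NAS4Free/XigmaNAS, where
# rc.conf is not persistent, the same settings need another home).
rc_conf_lines() {
    devs=""
    for disk in "$@"; do
        devs="$devs${devs:+ }$disk"
        printf 'geli_%s_flags="-p -k /root/keys/%s.key"\n' "$disk" "$disk"
    done
    printf 'geli_devices="%s"\n' "$devs"
}
```

Run with `DRY_RUN=1 plan_pool tank ada1:DiskID1 ada2:DiskID2` to see the exact ordering (init, attach, label per disk, then zpool create on the labels) before doing it for real; keep the -B backup files off the pool they protect.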


Re: Disk Encryption and ZFS - method questions.


Post by ^nighthawk^ » 29 Nov 2015 12:05

Just wanted to say this method appears to work so far. I don't have any issues with it... I've reset it all up without the -b flag on the encryption, as that was preventing the NAS booting. I need to somehow get the script published by b0ssman to work (viewtopic.php?f=67&t=2165) or some kind of alternative (with somewhere to store it on embedded...), as manually adding the disks through the GUI and restarting ZFS is a pain.
