Just like to say the board has been of great help so far in planning the setup and the testing of my NAS. However, there comes a point where you realise you may not entirely get why something is done a particular way, and that is why I'm here.
So, encryption: until we get ZFS encryption built in, which sounds like it could be fairly soon (next year or so), I've been wondering about how to do this. I read up on geli encryption, and from an earlier thread I was aware of some helpful and knowledgeable people pointing toward the use of glabels in setting up ZFS pools.
Originally I wasn't going to encrypt, but I decided if it's available... why not.
I made the decision to encrypt, and decided to encrypt each of the disks that would make up part of the various vdevs in my ZFS pool.
Scouring the internet, I found most people on FreeBSD appear to use glabels (or a GPT label), then use geli pointing to the glabel.
Code:
    glabel label -v blahdisk1 /dev/ada1
    geli init -somearguments... /dev/label/blahdisk1
This results in blahdisk1.eli.
I can see this works, and that having an encrypted drive with the same label to present to your ZFS pool is nice and all. But you're still losing 4096 for the label (assuming 4k sectors) and 4096 for the geli sector at the end of the drive.
This does, however, present itself fairly neatly in nas4free when you want to identify disks and see if the right disk is attached, and then you can add the disk to ZFS in this method via the labelled .eli. Or maybe just the labels?
Well... I went and did it the other way, as I figured encrypting the drive first sounded like a great idea; surely the last sector on the drive should be the geli data and not a glabel? (If I'm understanding this incorrectly, just let me know.) Then, inside the encrypted disk, I created a glabel (relevant to the disk in question). We'll call it "DiskID" here.
So essentially I ended up with:
Code:
    geli init -somearguments /dev/ada1    (results in ada1.eli)
    glabel label -v DiskID /dev/ada1.eli
I created the zpool using:
Code:
zpool create SOMEBIGTANK /dev/label/DiskID
Can anyone explain to me which is the best method and why? Also, if I have done something incorrect, please let me know...
I've made a few mistakes in this setup so far, but it's been good to play around, fault the pool, then trash my config completely and put it back again with only a minimum of fuss.
Interestingly, I got the GUI to report that the whole pool and drives etc. were unavailable, scanned and re-added disks, made sure they were on different ada's, and messed with the zfs commands so that it reported a "line error" in the GUI and it went white xD... then got on the console, cleared the pool of errors, onlined all the encrypted disks via the labels, then did a sync and it all worked again... which made me very happy.
I still have reservations about whether I have set it up right though... even though clearly geli list shows a 4096 difference in usable, and the glabel inside the encryption shows that the ZFS pool has 4096 less than that. (This seems correct from all I've read.)
There is no serious data on the box yet, so I will be wiping out this pool and everything I've done thus far to... hopefully use pointers and advice to set it up in the recommended way, if that makes life easier...
Finally, I'm assuming you all don't put the geli init -b flag on the ZFS storage disks, as you don't need to boot from them, right? Seems like it's probably more for boot drives with data partitions in laptops and whatnot, by the looks of the behaviour.
Please let me know if you want me to run any tests or have any advice, and I will make time to do so, as it's important I get this right.
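The "encrypt first, then glabel inside the encrypted provider, then zpool" sequence from the post above, written up as an added example script (it is not code from the post or from nas4free). The device /dev/ada1, the label DiskID and the pool name SOMEBIGTANK come from the post; the cipher settings (AES-XTS, 256-bit key, 4096-byte geli sector), the key file path under /root/geli, the no-passphrase key-file-only unlock and the ashift=12 pool option are assumptions. With the default DRY_RUN=1 it only prints the commands it would run; DRY_RUN=0 executes them, which needs root on a FreeBSD host and wipes the disk.

```shell
#!/bin/sh
# Added example (not from the post): the poster's "geli on the raw disk,
# glabel inside the .eli provider, zpool on the label" order as a script.
# Assumptions: cipher/key settings, key file location, ashift=12 option.
set -eu

DISK="${DISK:-/dev/ada1}"                       # whole raw disk (from the post)
LABEL="${LABEL:-DiskID}"                        # glabel name created inside the .eli provider
POOL="${POOL:-SOMEBIGTANK}"
KEYFILE="${KEYFILE:-/root/geli/${LABEL}.key}"   # assumed key file path
DRY_RUN="${DRY_RUN:-1}"                         # 1 = only print commands; 0 = run them (root, FreeBSD)

# run: print the exact command line, and execute it only when DRY_RUN=0.
run() {
    printf '%s\n' "$*"
    if [ "$DRY_RUN" = "0" ]; then
        "$@"
    fi
}

# 1. A random 64-byte key file; the provider is unlocked with this file only.
make_key() {
    run dd if=/dev/random of="$KEYFILE" bs=64 count=1
}

# 2. geli on the raw disk. geli keeps its metadata in the LAST sector of the
#    provider, so nothing else may own that sector. -s 4096 matches the 4k
#    sector assumption in the post; -P means the key file alone unlocks it.
#    No -b: that flag marks a provider for attach during boot (root-on-geli);
#    these data disks are attached later, so it is not needed.
geli_init() {
    run geli init -e AES-XTS -l 256 -s 4096 -K "$KEYFILE" -P "$DISK"
}

# 3. Attach: creates ${DISK}.eli, one 4096-byte sector smaller than the disk.
geli_attach() {
    run geli attach -k "$KEYFILE" -p "$DISK"
}

# 4. glabel INSIDE the encrypted provider. The label metadata takes the last
#    sector of the .eli device, so /dev/label/$LABEL is another 4096 bytes smaller.
glabel_inside() {
    run glabel label -v "$LABEL" "${DISK}.eli"
}

# 5. Pool on the label; ashift=12 pins ZFS to 4k sectors (assumed option).
zpool_create() {
    run zpool create -o ashift=12 "$POOL" "/dev/label/$LABEL"
}

# Size accounting the post describes: raw disk -> .eli is one 4096-byte geli
# sector less, and the label provider inside it is one more sector less.
expected_eli_bytes() {
    echo $(( $1 - 4096 ))
}
expected_label_bytes() {
    echo $(( $1 - 4096 - 4096 ))
}

setup_disk() {
    make_key
    geli_init
    geli_attach
    glabel_inside
    zpool_create
}

setup_disk
```

After a real run, `diskinfo -v /dev/ada1 /dev/ada1.eli /dev/label/DiskID` should show the mediasize stepping down by 4096 bytes at each layer, matching what expected_eli_bytes and expected_label_bytes compute from the raw disk size; if the label provider is not exactly 8192 bytes smaller than the disk, something other than geli and glabel is also claiming a trailing sector. Keep a copy of the key file off the box, since without it the disk is unrecoverable.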