Can I add a new HDD to an encrypted array?
rsmith at xs4all.nl
Fri May 1 10:03:12 UTC 2009
On Fri, May 01, 2009 at 06:12:42PM +1000, ghostcorps wrote:
> Hi Guys,
> This seems like a really basic question, I expect a simple 'no', but I
> haven't found anything definitive yet.
> I currently have a hardware RAID5 array, using the Intel Matrix RAID
> capability onboard, encrypted with GELI.
According to ataraid(4), Intel MatrixRAID is software RAID, not real
> I need to add 2 new discs to the array. If I add a disc to the array and
> have it rebuilt with the Intel Matrix Storage Manager, prior to booting
> FreeBSD will that destroy the encrypted data?
In short, no.
The long answer is that the raid array functions at a level below GELI
which in turn is below the filesystem layer. GELI writes its metadata in
the last sector of the device, and the ffs(7) filesystem records the
size of the underlying device at creation time.
Adding the two disks will make the array larger. The metadata for geli
will probably not be on the last sector anymore, so geli will not
recognize the enlarged device.
So you'll have to save your data elsewhere, put in the extra disks,
recreate the array, re-initialize and attach the geli device for the new
array and newfs(8) the new geli device.
> If so, how can I decrypt the disk without copying the data to another
There are no tools for that at this time, although it should be feasible
by reading a (multiple of) block(s) from the geli device and then
writing it to the non-encrypted device. Note that whenever you write a
block to the unencrypted device, the contents of that block on the geli
device become gibberish! So you'll have to do the whole device, unless
you can beforehand make a list of all the blocks that are in use by the
filesystem. And if even a single block failed in transit, you're
And even if you could perform this in-place decryption, you should make
a full backup anyway in case the procedure goes horribly wrong, which is
always a possibility. :-)
If you want to decrypt the device in place because you don't have enough
backup capacity to store the contents of your raid array, you're already
in trouble even if you don't know it yet. What will you do if your RAID5
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
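
The failure mode described in the reply above, as an added example that is not part of the original message: a device is modelled in memory, GELI-style metadata is placed in its last sector, and the device is then grown. The sketch assumes the metadata sector begins with the magic string `GEOM::ELI` and that array expansion keeps existing blocks at their old offsets; the helper names and the 8-sector sample device are constructed for illustration.

```python
import io

SECTOR = 512
MAGIC = b"GEOM::ELI"  # assumption: magic string at the start of GELI's metadata sector


def make_provider(sectors):
    """Constructed sample: zero-filled device with metadata in its last sector."""
    dev = io.BytesIO(bytes(sectors * SECTOR))
    dev.seek((sectors - 1) * SECTOR)
    dev.write(MAGIC.ljust(SECTOR, b"\0"))
    return dev


def grow(dev, extra_sectors):
    """Model array expansion (assumption): old blocks keep their offsets, space is appended."""
    dev.seek(0, io.SEEK_END)
    dev.write(bytes(extra_sectors * SECTOR))
    return dev


def has_geli_metadata(dev):
    """Check only the final sector, which is where the metadata is expected."""
    size = dev.seek(0, io.SEEK_END)
    dev.seek(size - SECTOR)
    return dev.read(SECTOR).startswith(MAGIC)


def find_stale_metadata(dev):
    """Scan sectors from the end backwards; return the metadata's byte offset or None."""
    size = dev.seek(0, io.SEEK_END)
    for off in range(size - SECTOR, -1, -SECTOR):
        dev.seek(off)
        if dev.read(len(MAGIC)) == MAGIC:
            return off
    return None


def old_provider_size(dev):
    """Size in bytes the device had when the metadata was written, if it can be found."""
    off = find_stale_metadata(dev)
    return None if off is None else off + SECTOR


if __name__ == "__main__":
    dev = make_provider(8)
    print("before grow, metadata in last sector:", has_geli_metadata(dev))
    grow(dev, 4)
    print("after grow, metadata in last sector:", has_geli_metadata(dev))
    print("metadata now at offset", find_stale_metadata(dev),
          "-> old size", old_provider_size(dev))
```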