Problems moving existing pool to encrypted devices
Christian Walther
cptsalek at gmail.com
Wed Aug 29 02:12:00 PDT 2007
Hi,

after my previous questions concerning the use of ZFS on encrypted
devices, I thought I'd give it a try.

Here is what I did:

tarmin# zpool export pool01
tarmin# dd if=/dev/urandom of=/dev/ad2 bs=1024k
tarmin# zpool import pool01
tarmin# zpool status
  pool: pool01
 state: ONLINE
status: One or more devices could not be used because the label is missing or
        invalid.  Sufficient replicas exist for the pool to continue
        functioning in a degraded state.
action: Replace the device using 'zpool replace'.
   see: http://www.sun.com/msg/ZFS-8000-4J
 scrub: resilver completed with 0 errors on Wed Aug 29 10:07:21 2007
config:

        NAME                    STATE     READ WRITE CKSUM
        pool01                  ONLINE       0     0     0
          raidz1                ONLINE       0     0     0
            ad4                 ONLINE       0     0     0
            ad6                 ONLINE       0     0     0
            387148737669265642  UNAVAIL      0     0     0  was /dev/ad2

errors: No known data errors
tarmin# geli init -K /root/ad2.key -s 4096 /dev/ad2
Enter new passphrase:
Reenter new passphrase:
geli: Cannot store metadata on /dev/ad2: Operation not permitted.
tarmin# zpool export pool01
tarmin# geli init -K /root/ad2.key -s 4096 /dev/ad2
Enter new passphrase:
Reenter new passphrase:
tarmin# geli attach -k /root/ad2.key /dev/ad2
Enter passphrase:
tarmin# ls /dev/ad2*
/dev/ad2 /dev/ad2.eli
tarmin# zpool import pool01
cannot import 'pool01': invalid vdev configuration
tarmin# zpool status
no pools available

Summary: I can't break a ZFS vdev and encrypt it, because every time the
pool is imported while a newly created /dev/ad2.eli is active, ZFS
complains about a wrong vdev configuration, rendering the pool useless.
The other way round doesn't work either: ZFS seems to lock the device,
making geli initialization impossible.

From here my only possible way seems to be to buy another 400GB disk,
so that I can set it up correctly and can do a replace against the old
/dev/ad2. Afterwards I should be able to use /dev/ad2.eli as a
replacement for one of the other disks. So finally I can either bring
one of the disks back, or I have a spare disk.

Or am I probably missing something here, and there's another way I
didn't see?

Regards,
Christian
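
Added example, not part of the original message: an sh/awk check that reads `zpool status` output and reports, for each leaf vdev, its state and whether it sits on a geli provider (recognised by the `.eli` suffix seen in /dev/ad2.eli above). The function names are hypothetical; the first sample is abridged from the output in the message and the second is a constructed target state.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Read `zpool status` text on stdin; print "<vdev> <state> <geli|plain>" per leaf vdev.
audit_pool_members() {
    awk '
        $1 == "pool:"   { pool = $2; next }
        $1 == "NAME"    { in_cfg = 1; next }   # header row of the config table
        $1 == "errors:" { in_cfg = 0 }
        !in_cfg || NF < 2 { next }
        $1 == pool { next }                    # top-level pool row
        $1 ~ /^(raidz[0-9]*|mirror)(-[0-9]+)?$/ { next }   # grouping vdevs
        {
            kind = ($1 ~ /\.eli$/) ? "geli" : "plain"
            printf "%s %s %s\n", $1, $2, kind
        }
    '
}

# Exit 0 only if every leaf vdev is ONLINE and on a geli provider; 2 if nothing parsed.
pool_fully_encrypted() {
    report=$(audit_pool_members) || return 2
    [ -n "$report" ] || return 2
    ! printf '%s\n' "$report" | grep -qv ' ONLINE geli$'
}

# Sample 1: abridged from the `zpool status` output in the message.
sample_from_post() {
    cat <<'EOF'
  pool: pool01
 state: ONLINE
config:

        NAME                    STATE     READ WRITE CKSUM
        pool01                  ONLINE       0     0     0
          raidz1                ONLINE       0     0     0
            ad4                 ONLINE       0     0     0
            ad6                 ONLINE       0     0     0
            387148737669265642  UNAVAIL      0     0     0  was /dev/ad2

errors: No known data errors
EOF
}

# Sample 2: constructed target state with every member on a .eli provider.
sample_target() {
    sample_from_post | sed -e 's/ad4 /ad4.eli /' -e 's/ad6 /ad6.eli /' \
        -e 's/387148737669265642  UNAVAIL/ad2.eli             ONLINE /'
}
```
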