Can I add a new HDD to an encrypted array?

Erik Trulsson ertr1013 at student.uu.se
Fri May 1 11:34:22 UTC 2009


On Fri, May 01, 2009 at 09:02:46PM +1000, ghostcorps wrote:
> Thanks Roland,
> 
>  You have confirmed my worst fears. One thing though, apparently MatrixRAID
> is a 'Firmware RAID' system as opposed to hard or software.

That just means that the BIOS understands that RAID layout and knows how to
boot from a RAID array.  Otherwise it is just like any other software RAID.

(It is a fairly safe assumption that any 'RAID-controller' that is
built-in on a motherboard is actually software RAID.)

> I don't quite
> know how that would affect anything but that's all I can say really. It
> looks like I'm buying some more disks.
> 
> http://en.wikipedia.org/wiki/Intel_Matrix_RAID
> 
> Regards
> 
> 
> 
> On Fri, May 1, 2009 at 7:53 PM, Roland Smith <rsmith at xs4all.nl> wrote:
> 
> > On Fri, May 01, 2009 at 06:12:42PM +1000, ghostcorps wrote:
> > > Hi Guys,
> > >
> > >  This seems like a really basic question, I expect a simple 'no', but I
> > > haven't found anything definitive yet.
> > >
> > >  I currently have a hardware RAID5 array, using the Intel Matrix RAID
> > > capability onboard, encrypted with GELI.
> >
> > According to ataraid(4), Intel MatrixRAID is software RAID, not real
> > hardware RAID.
> >
> > > I need to add 2 new discs to the array. If I add a disc to the array and
> > > have it rebuilt with the Intel Matrix Storage Manager, prior to booting
> > > FreeBSD will that destroy the encrypted data?
> >
> > In short, no.
> >
> > The long answer is that the raid array functions at a level below GELI
> > which in turn is below the filesystem layer. GELI writes its metadata in
> > the last sector of the device, and the ffs(7) filesystem records the
> > size of the underlying device at creation time.
> >
> > Adding the two disks will make the array larger. The metadata for geli
> > will probably not be on the last sector anymore, so geli will not
> > recognize the enlarged device.
> >
> > So you'll have to save your data elsewhere, put in the extra disks,
> > recreate the array, re-initialize and attach the geli device for the new
> > array and newfs(8) the new geli device.
> >
> > >  If so, how can I decrypt the disk without copying the data to another
> > > partition?
> >
> > There are no tools for that at this time, although it should be feasible
> > by reading a (multiple of) block(s) from the geli device and then
> > writing it to the non-encrypted device. Note that whenever you write a
> > block to the unencrypted device, the contents of that block on the geli
> > device become gibberish! So you'll have to do the whole device, unless
> > you can beforehand make a list of all the blocks that are in use by the
> > filesystem. And if even a single block failed in transit, you're
> > potentially screwed.
> >
> > And even if you could perform this in-place decryption, you should make
> > a full backup anyway in case the procedure goes horribly wrong, which is
> > always a possibility. :-)
> >
> > If you want to decrypt the device in place because you don't have enough
> > backup capacity to store the contents of your raid array, you're already
> > in trouble even if you don't know it yet. What will you do if your RAID5
> > fails?
> >
> > Roland
> > --
> > R.F.Smith                                   http://www.xs4all.nl/~rsmith/
> > [plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
> > pgp: 1A2B 477F 9970 BA3C 2914  B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
> >

-- 
<Insert your favourite quote here.>
Erik Trulsson
ertr1013 at student.uu.se
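
Added example, not part of the original thread or of GELI itself: a small in-memory model of the point made in the quoted reply, that metadata kept in the last sector is no longer found once the underlying device grows. The sector size, the marker bytes and all function names are constructed for illustration, and the model assumes the existing sectors stay in place while new space appears at the end.

```python
SECTOR = 512                      # assumed sector size for the model
MAGIC = b"EXAMPLE-META"           # constructed marker, not GELI's real on-disk format


def make_provider(sectors):
    """Return a zero-filled in-memory 'device' of the given sector count."""
    return bytearray(sectors * SECTOR)


def init_metadata(dev):
    """Write the metadata block into the last sector, recording the device size."""
    block = MAGIC + len(dev).to_bytes(8, "little")
    dev[-SECTOR:] = block.ljust(SECTOR, b"\0")


def read_metadata(dev):
    """Look only at the last sector, where the thread says the metadata lives.

    Returns the recorded size, or None if the last sector holds no metadata.
    """
    last = bytes(dev[-SECTOR:])
    if not last.startswith(MAGIC):
        return None
    return int.from_bytes(last[len(MAGIC):len(MAGIC) + 8], "little")


def grow(dev, extra_sectors):
    """Model the array getting larger: new zeroed sectors appear at the end."""
    return dev + bytearray(extra_sectors * SECTOR)


def find_stale_metadata(dev):
    """Scan sectors from the end; return the index of the one holding the marker."""
    for idx in range(len(dev) // SECTOR - 1, -1, -1):
        if dev[idx * SECTOR:(idx + 1) * SECTOR].startswith(MAGIC):
            return idx
    return None


if __name__ == "__main__":
    dev = make_provider(1000)
    init_metadata(dev)
    print("before grow:", read_metadata(dev))
    bigger = grow(dev, 500)
    print("after grow: ", read_metadata(bigger))
    print("metadata now sits in sector", find_stale_metadata(bigger),
          "of", len(bigger) // SECTOR)
```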

