Hi all,
I think I've figured out the steps required to do this, but wanted to double check before I go ahead and do anything.
Scenario: I have a 12x4TB RAIDZ3 vdev in my zpool. The pool is encrypted via geli. I know the passphrase, have the recovery key, have backed up the encryption key and have backed up the geli metadata from all disks. The vdev is configured as 8 data drives, 3 parity drives, 1 'warm' spare.
I'm running low on space and would like to add another 12 4tb drives to the pool. I intend to create a similar (8 / 3 / 1) RAIDZ3 vdev and then add it to the pool.
I just wanted to check if there is anything in particular regarding encryption I should be careful of.
As far as I understand, once I've created the encrypted vdev and added it to the pool, the passphrase and recovery key will be re-set so I should 'immediately recreate both' according to the docs (i.e. do NOT reboot). Should I be doing this by triggering 'create/change passphrase' on the volume or should I use 'encryption re-key'?
As far as I understand neither of these steps should wipe my data (each disk has it's own encryption key, re-keying just changes the key with which these disk keys are encrypted and stored in the geli metadata part of the disk)? Is there a reason to prefer one over the other?
Has anyone done this before? Anything else I should watch out for?
Your help is much appreciated!
I think I've figured out the steps required to do this, but wanted to double check before I go ahead and do anything.
Scenario: I have a 12x4TB RAIDZ3 vdev in my zpool. The pool is encrypted via geli. I know the passphrase, have the recovery key, have backed up the encryption key and have backed up the geli metadata from all disks. The vdev is configured as 8 data drives, 3 parity drives, 1 'warm' spare.
I'm running low on space and would like to add another 12 4tb drives to the pool. I intend to create a similar (8 / 3 / 1) RAIDZ3 vdev and then add it to the pool.
I just wanted to check if there is anything in particular regarding encryption I should be careful of.
As far as I understand, once I've created the encrypted vdev and added it to the pool, the passphrase and recovery key will be re-set so I should 'immediately recreate both' according to the docs (i.e. do NOT reboot). Should I be doing this by triggering 'create/change passphrase' on the volume or should I use 'encryption re-key'?
As far as I understand neither of these steps should wipe my data (each disk has it's own encryption key, re-keying just changes the key with which these disk keys are encrypted and stored in the geli metadata part of the disk)? Is there a reason to prefer one over the other?
Has anyone done this before? Anything else I should watch out for?
Your help is much appreciated!
