Can I have a hot spare with geli encrypted pool?

Status
Not open for further replies.

jp83

Dabbler
Joined
Mar 31, 2017
Messages
23
I'm using the geli encryption for my pool. Can I still designate an extra drive as a hot spare and have it be encrypted? I'd just want it to become the replacement after removing the failed drive.

Initially I didn't see it in the gui, and now that I found it in extra options, it's still not exactly clear. If I added a spare on the CLI then it would be the bare disk, without the geli wrapper, right? So I just want to make sure that the gui will do everything to set it up correctly and that this is still advisable?
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
Good question. I suggest you try it out and tell us if the GUI handles that edge case.
 

Chris Moore

Hall of Famer
Joined
May 2, 2015
Messages
10,080
> I'm using the geli encryption for my pool. Can I still designate an extra drive as a hot spare and have it be encrypted? I'd just want it to become the replacement after removing the failed drive.
>
> Initially I didn't see it in the gui, and now that I found it in extra options, it's still not exactly clear. If I added a spare on the CLI then it would be the bare disk, without the geli wrapper, right? So I just want to make sure that the gui will do everything to set it up correctly and that this is still advisable?

You should not be doing anything with your pool from the command line. The pool should be defined and encrypted from the GUI during pool creation as it is documented to be done. If you deviate from that your results are unknown.
http://doc.freenas.org/11/storage.html?highlight=encrypt#storage

PS. Perhaps it is more accurate to say, unpredictable. Some changes made from the command line are not recognized by the GUI and that can prevent you from taking further management steps using the GUI.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
> If I added a spare on the CLI

Why would you? It's perfectly straightforward to do this through the GUI, and has a better chance of working properly with the encryption (though, like @Ericloewe and @Chris Moore, I can't tell you from experience whether it will actually work).
 

Chris Moore

Hall of Famer
Joined
May 2, 2015
Messages
10,080
A ZFS spare disk can be shared by more than one pool, so that spare would not be encrypted until it was used.

 

jp83

Dabbler
Joined
Mar 31, 2017
Messages
23
I finally got around to testing this on a separate virtualized setup (using 11.1). I can confirm that you can have hot spares available for an encrypted pool and this works pretty simply via the GUI. I'm pretty sure though that it did the geli encryption when it was added as a spare, not right before it was used, so I'm not sure how it'd work if you tried to share it with another non-encrypted pool.

The only catch though in my setup was it didn't recognize the drive if I reattached it. I believe it was supposed to put it back, resilver, and make the spare a spare again. Again this was virtualized, and by the way, I set disk.EnableUUID to TRUE in ESXi 5.5 so that the unique serials essentially got passed through the VM. I think the problem is that ZFS is looking for the geli wrapper to be restored, and just re-adding the disk it doesn't know to decrypt it. Maybe I could figure out the geli attach commands to bring it back, but that's probably not a likely scenario; if a disk failed, I want the spare to take over immediately and I won't want to have much of anything to do with the old one anyways. This does however leave the pool in degraded state until you detach the removed/failed drive. In the meantime it marks the spare as in use.

Actually, looking back at the actions in the GUI, I may have misunderstood the reattached scenario. I guess you have the option to replace the failed drive (which will go through the geli process I thought was missing) and make the spare a spare again (after another resilver completes), or as I first did above let the spare take over and just add a new disk as a new spare. I tested this process and it worked as well.
 
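A read-only way to check what the first post asks about, namely whether a spare ended up behind geli or as a bare disk. This is an added example, not part of the thread or of FreeNAS; it assumes geli-backed members show up in `zpool status` with the `.eli` provider suffix, and the sample output, pool name and function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `zpool status` output (not taken from the thread):
# three geli-backed data disks and one spare added as a bare partition.
sample_status() {
    cat <<'EOF'
  pool: tank
 state: ONLINE
config:

    NAME                              STATE     READ WRITE CKSUM
    tank                              ONLINE       0     0     0
      raidz1-0                        ONLINE       0     0     0
        gptid/aaaa0001-example.eli    ONLINE       0     0     0
        gptid/aaaa0002-example.eli    ONLINE       0     0     0
        gptid/aaaa0003-example.eli    ONLINE       0     0     0
    spares
      gptid/aaaa0004-example          AVAIL

errors: No known data errors
EOF
}

# Hypothetical helper: reads `zpool status` text on stdin and prints every
# leaf device whose name lacks the .eli suffix that geli providers carry.
unencrypted_members() {
    awk '
        $1 == "NAME" && $2 == "STATE" { in_cfg = 1; pool = ""; section = "data"; next }
        !in_cfg                       { next }
        NF == 0                       { in_cfg = 0; next }   # blank line ends the device table
        pool == ""                    { pool = $1; next }    # first row is the pool itself
        $1 == "spares" || $1 == "logs" || $1 == "cache" { section = $1; next }
        $1 ~ /^(mirror|raidz[123]?|spare|replacing)-[0-9]+$/ { next }  # grouping rows
        $1 !~ /\.eli$/                { print section ": " $1 }
    '
}

# On a live system the input would be: zpool status <pool> | unencrypted_members
sample_status | unencrypted_members
```

Empty output means every data disk and spare in the listing is a geli provider; any line printed names a member that would hold data unencrypted once it is in use.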