FreeNAS feature suggestion

Status
Not open for further replies.

SubnetMask

Contributor
Joined
Jul 27, 2017
Messages
129
When I first set up my FreeNAS and enabled encryption on my volumes, it wasn't clear that each VDev had a different GELI key, and that no matter which one you download, it's 'geli.key', so initially, I had only saved the one from the initial VDev. After learning that there are separate keys for each VDev, I saved the rest.

My suggestion, if it's possible, would be rather than have the keys export as 'geli.key' for all VDevs, have the keys export as 'geli_VDevName.key' or something along those lines. Yes, it's not hard to rename it as you're saving it, but for a noob that has a basic understanding but may not know all of the little nuances, it would make it 'more clear' that each VDev has a different key, as well as for everyone, make it harder for you to accidentally overwrite one VDev's key with the key from another VDev (I imagine pretty much everyone here at one time or another has accidentally overwritten something that they didn't want to overwrite).

Not a huge deal, just something that if it's not too hard to add, might be nice to add in for a future release.
 
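The overwrite risk described in the post above is easy to guard against on the client side. The following shell function is an added example, not FreeNAS code or a feature of its GUI: it takes the file the GUI hands out as 'geli.key', files it under a per-pool name in the style the post suggests, and refuses to replace an existing file that holds a different key. The pool names ('tank', 'backup'), the destination directory and the key contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not FreeNAS code): file a downloaded GELI key under a
# per-pool name and never silently overwrite a different key.
# Pool names, paths and key bytes below are constructed for illustration.

# Prints the SHA-256 digest of a file, using whichever tool the host has.
key_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# save_geli_key SRC POOL DIR
#   Copies SRC to DIR/geli_POOL.key with owner-only permissions.
#   Returns 0 when saved, or when an identical copy is already stored.
#   Returns 2 when a different key already exists under that name;
#   the stored file is left untouched.
save_geli_key() {
    src=$1; pool=$2; dir=$3
    dest="$dir/geli_${pool}.key"
    mkdir -p "$dir"
    if [ -e "$dest" ]; then
        if [ "$(key_digest "$src")" = "$(key_digest "$dest")" ]; then
            echo "identical key already stored as $dest"
            return 0
        fi
        echo "refusing to overwrite $dest with a different key" >&2
        return 2
    fi
    cp "$src" "$dest"
    chmod 600 "$dest"
    echo "saved $dest"
}

# Demo with constructed keys: the second "download" is a different key,
# so filing it under the same pool name is refused, and it is then saved
# under the name of the pool it actually belongs to.
demo() {
    tmp=$(mktemp -d)
    printf 'constructed-key-for-tank' > "$tmp/geli.key"
    save_geli_key "$tmp/geli.key" tank "$tmp/keys"
    printf 'constructed-key-for-backup' > "$tmp/geli.key"
    if ! save_geli_key "$tmp/geli.key" tank "$tmp/keys" 2>/dev/null; then
        echo "second download differs; stored tank key left intact"
    fi
    save_geli_key "$tmp/geli.key" backup "$tmp/keys"
    rm -rf "$tmp"
}
```

Call `demo` to see the three cases. The per-pool name follows the later replies in the thread: the key belongs to the pool, not to each vdev within it, so one file per pool (plus the matching recovery key, which the same function can file as `geli_recovery_POOL.key` by passing a different pool argument) is what needs to be kept.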

Chris Moore

Hall of Famer
Joined
May 2, 2015
Messages
10,080

Apollo

Wizard
Joined
Jun 13, 2013
Messages
1,458
What @SubnetMask is saying is that when you have a volume made up of a couple Vdevs, each Vdev has its own encryption key and as a result, each Geli key needs to be saved and named in a way that makes them unique to the Vdev they point to, rather than using the generic Geli.key and Geli-recovery.key.
 

SubnetMask

Contributor
Joined
Jul 27, 2017
Messages
129
Well, maybe terminology has changed since the 'slideshow' you linked in my other thread was updated two and a half years ago... According to it, a 'VDev' or 'volume' ('VDed' was a typo) is the collection of disks that the dataset and zvol can then be created on - in FreeNAS, you go to storage, then you can select a VDev, and if it's encrypted, you have the option to Download the key - this is, best I can tell, a function of the VDev/volume, not the dataset or zvol built on top of it (In the GUI, it goes 'Volume' > 'Dataset' > 'ZVol').

Essentially, yes @Apollo.
 

Chris Moore

Hall of Famer
Joined
May 2, 2015
Messages
10,080
I have only dealt with pool encryption, but it has been a while. The only time I used encryption on a pool, there was a key, a recovery key and (if I recall correctly) a passphrase and all of those were entered at the level of the pool because the pool was made up of eight mirror vdevs. I certainly didn't need a separate key for each mirror pair. Perhaps things have changed.
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
each Vdev has its own encryption key
It does not, as far as I am aware. It doesn't really make sense.

Every pool, yeah.

Well, maybe terminology has changed since the 'slideshow' you linked in my other thread was updated two and a half years ago...
It has not.

According to it, a 'VDev' or 'volume' ('VDed' was a typo) is the collection of disks that the dataset and zvol can then be created on
No. A pool (formerly incorrectly known as a "volume", but that's finally on the way out) is made up of vdevs that provide the actual storage. Pools then provide space for datasets (including zvols, which present virtual block devices).
 