Your pool must be able to survive losing a disk (raidz1, raidz2, raidz3 or mirror), and you must be willing to accept the risk of reducing this redundancy by 1 disk during the conversion.
1. Start with your unencrypted pool:
Code:
[root@freenas1] ~# zpool status
  pool: tank
 state: ONLINE
  scan: none requested
config:
        NAME                                            STATE     READ WRITE CKSUM
        tank                                            ONLINE       0     0     0
          raidz1-0                                      ONLINE       0     0     0
            gptid/57ef2eb6-6857-11e3-8b4f-000c296ed231  ONLINE       0     0     0
            gptid/58664317-6857-11e3-8b4f-000c296ed231  ONLINE       0     0     0
            gptid/58abaa4a-6857-11e3-8b4f-000c296ed231  ONLINE       0     0     0
errors: No known data errors
2. Create your geli encryption key (in /tmp since it's one of the few writable directories):
Code:
[root@freenas1] ~# dd if=/dev/random of=/tmp/geli.key bs=64 count=1
1+0 records in
1+0 records out
64 bytes transferred in 0.000033 secs (1945184 bytes/sec)
3. Copy /tmp/geli.key to your computer. On Windows, you can use WinSCP to do this.
4. Take your first disk offline:
Code:
[root@freenas1] ~# zpool offline tank gptid/57ef2eb6-6857-11e3-8b4f-000c296ed231
[root@freenas1] ~# zpool status
  pool: tank
 state: DEGRADED
status: One or more devices has been taken offline by the administrator.
        Sufficient replicas exist for the pool to continue functioning in a
        degraded state.
action: Online the device using 'zpool online' or replace the device with
        'zpool replace'.
  scan: none requested
config:
        NAME                                            STATE     READ WRITE CKSUM
        tank                                            DEGRADED     0     0     0
          raidz1-0                                      DEGRADED     0     0     0
            7958761323130265714                         OFFLINE      0     0     0  was /dev/gptid/57ef2eb6-6857-11e3-8b4f-000c296ed231
            gptid/58664317-6857-11e3-8b4f-000c296ed231  ONLINE       0     0     0
            gptid/58abaa4a-6857-11e3-8b4f-000c296ed231  ONLINE       0     0     0
errors: No known data errors
5. Encrypt the partition on the disk you just took offline, using your generated key. Choose a strong passphrase. You will do this for each disk; use the same passphrase every time.
Code:
[root@freenas1] ~# geli init -s 4096 -K /tmp/geli.key gptid/57ef2eb6-6857-11e3-8b4f-000c296ed231
Enter new passphrase:
Reenter new passphrase:
Metadata backup can be found in /var/backups/gptid_57ef2eb6-6857-11e3-8b4f-000c296ed231.eli and
can be restored with the following command:
        # geli restore /var/backups/gptid_57ef2eb6-6857-11e3-8b4f-000c296ed231.eli gptid/57ef2eb6-6857-11e3-8b4f-000c296ed231
6. Attach the newly encrypted disk:
Code:
[root@freenas1] ~# geli attach -k /tmp/geli.key gptid/57ef2eb6-6857-11e3-8b4f-000c296ed231
Enter passphrase:
7. Replace the unencrypted disk in the zpool with the encrypted one. Wait for resilvering to complete:
Code:
[root@freenas1] ~# zpool replace tank gptid/57ef2eb6-6857-11e3-8b4f-000c296ed231 gptid/57ef2eb6-6857-11e3-8b4f-000c296ed231.eli
[root@freenas1] ~# zpool status
  pool: tank
 state: ONLINE
  scan: resilvered 356K in 0h0m with 0 errors on Wed Dec 18 18:53:58 2013
config:
        NAME                                                STATE     READ WRITE CKSUM
        tank                                                ONLINE       0     0     0
          raidz1-0                                          ONLINE       0     0     0
            gptid/57ef2eb6-6857-11e3-8b4f-000c296ed231.eli  ONLINE       0     0     0
            gptid/58664317-6857-11e3-8b4f-000c296ed231      ONLINE       0     0     0
            gptid/58abaa4a-6857-11e3-8b4f-000c296ed231      ONLINE       0     0     0
errors: No known data errors
8. Repeat steps 4-7 for the remaining disks:
Code:
[root@freenas1] ~# zpool offline tank gptid/58664317-6857-11e3-8b4f-000c296ed231
[root@freenas1] ~# geli init -s 4096 -K /tmp/geli.key gptid/58664317-6857-11e3-8b4f-000c296ed231
Enter new passphrase:
Reenter new passphrase:
Metadata backup can be found in /var/backups/gptid_58664317-6857-11e3-8b4f-000c296ed231.eli and
can be restored with the following command:
        # geli restore /var/backups/gptid_58664317-6857-11e3-8b4f-000c296ed231.eli gptid/58664317-6857-11e3-8b4f-000c296ed231
[root@freenas1] ~# geli attach -k /tmp/geli.key gptid/58664317-6857-11e3-8b4f-000c296ed231
Enter passphrase:
[root@freenas1] ~# zpool replace tank gptid/58664317-6857-11e3-8b4f-000c296ed231 gptid/58664317-6857-11e3-8b4f-000c296ed231.eli
[root@freenas1] ~# zpool status
  pool: tank
 state: ONLINE
  scan: resilvered 364K in 0h0m with 0 errors on Wed Dec 18 18:56:38 2013
config:
        NAME                                                STATE     READ WRITE CKSUM
        tank                                                ONLINE       0     0     0
          raidz1-0                                          ONLINE       0     0     0
            gptid/57ef2eb6-6857-11e3-8b4f-000c296ed231.eli  ONLINE       0     0     0
            gptid/58664317-6857-11e3-8b4f-000c296ed231.eli  ONLINE       0     0     0
            gptid/58abaa4a-6857-11e3-8b4f-000c296ed231      ONLINE       0     0     0
errors: No known data errors
[root@freenas1] ~# zpool offline tank gptid/58abaa4a-6857-11e3-8b4f-000c296ed231
[root@freenas1] ~# geli init -s 4096 -K /tmp/geli.key gptid/58abaa4a-6857-11e3-8b4f-000c296ed231
Enter new passphrase:
Reenter new passphrase:
Metadata backup can be found in /var/backups/gptid_58abaa4a-6857-11e3-8b4f-000c296ed231.eli and
can be restored with the following command:
        # geli restore /var/backups/gptid_58abaa4a-6857-11e3-8b4f-000c296ed231.eli gptid/58abaa4a-6857-11e3-8b4f-000c296ed231
[root@freenas1] ~# geli attach -k /tmp/geli.key gptid/58abaa4a-6857-11e3-8b4f-000c296ed231
Enter passphrase:
[root@freenas1] ~# zpool replace tank gptid/58abaa4a-6857-11e3-8b4f-000c296ed231 gptid/58abaa4a-6857-11e3-8b4f-000c296ed231.eli
[root@freenas1] ~# zpool status
  pool: tank
 state: ONLINE
  scan: resilvered 344K in 0h0m with 0 errors on Wed Dec 18 18:58:21 2013
config:
        NAME                                                STATE     READ WRITE CKSUM
        tank                                                ONLINE       0     0     0
          raidz1-0                                          ONLINE       0     0     0
            gptid/57ef2eb6-6857-11e3-8b4f-000c296ed231.eli  ONLINE       0     0     0
            gptid/58664317-6857-11e3-8b4f-000c296ed231.eli  ONLINE       0     0     0
            gptid/58abaa4a-6857-11e3-8b4f-000c296ed231.eli  ONLINE       0     0     0
errors: No known data errors
9. Detach the pool from FreeNAS using the webgui. DO NOT CHECK "Mark the disks as new"!
10. Detach all your geli encrypted disks:
Code:
[root@freenas1] ~# geli detach /dev/gptid/*.eli
11. Use Auto-Import to import your encrypted ZFS volume into the FreeNAS GUI. Choose "Yes: decrypt the disks".
12. Highlight the disks you encrypted. Click browse and upload the geli.key file you backed up to your computer in step 3. Type your passphrase.
13. Select your volume to import and click OK.
Warning: I have only tested this on FreeNAS-9.2.0-RC2 and I have not tested it with production data. Use at your own risk.
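
Steps 4-8 leave the pool one disk short of its normal redundancy, so the next disk should only go offline once the previous resilver has finished and the pool is back to ONLINE. The following is an added example, not part of the original post: a small sh gate that reads `zpool status` text and names the next disk to convert only when that is safe. The function names and the shortened gptid names in the samples are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): safety gate for steps 4-8.
# Each function reads `zpool status <pool>` text on stdin.

# Succeeds only when the pool has its full redundancy back: pool state is
# ONLINE, no resilver is running, and no vdev or disk is in a failed state.
pool_safe_to_offline() {
    awk '
        $1 == "state:" { seen = 1; if ($2 != "ONLINE") bad = 1 }
        /resilver in progress/ { bad = 1 }
        $2 ~ /^(DEGRADED|FAULTED|OFFLINE|UNAVAIL|REMOVED)$/ { bad = 1 }
        END { exit ((bad || !seen) ? 1 : 0) }'
}

# Lists pool members that are still plain gptid providers (no .eli suffix).
unencrypted_members() {
    awk '$1 ~ /^gptid\// && $1 !~ /\.eli$/ { print $1 }'
}

# Prints the next disk to convert, or fails if it is not yet safe to continue.
next_disk() {
    printf '%s\n' "$1" | pool_safe_to_offline || return 1
    printf '%s\n' "$1" | unencrypted_members | head -n 1
}

# Constructed samples, modelled on the output shown in steps 4 and 7.
SAMPLE_ONLINE='  pool: tank
 state: ONLINE
  scan: resilvered 356K in 0h0m with 0 errors on Wed Dec 18 18:53:58 2013
config:
        NAME                STATE     READ WRITE CKSUM
        tank                ONLINE       0     0     0
          raidz1-0          ONLINE       0     0     0
            gptid/aaaa.eli  ONLINE       0     0     0
            gptid/bbbb      ONLINE       0     0     0
            gptid/cccc      ONLINE       0     0     0
errors: No known data errors'

SAMPLE_RESILVERING=$(printf '%s\n' "$SAMPLE_ONLINE" |
    sed 's/scan: resilvered.*/scan: resilver in progress since Wed Dec 18 18:53:50 2013/')
SAMPLE_DEGRADED=$(printf '%s\n' "$SAMPLE_ONLINE" |
    sed -e 's/state: ONLINE/state: DEGRADED/' -e 's/gptid\/bbbb  *ONLINE/1234567890 OFFLINE/')

next_disk "$SAMPLE_ONLINE"                 # safe: names the next disk to convert
next_disk "$SAMPLE_RESILVERING" || echo "wait: pool is not fully redundant yet"
```

On a live system the same check would be fed with `next_disk "$(zpool status tank)"` before each `zpool offline`.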