Questions on removing Legacy Encryption (GELI)

Hey there, yet another thread on removing GELI encryption.

My Scenario

I have a small personal NAS on TrueNAS Core 13.3-U1.2. The machine is 6 years old but it’s still the Mini that iXsystems sells so hardware is fine, I haven’t even had a drive fail yet (knock on wood). I have 4 drives in raidz2 in a single pool with 6 datasets.

I am looking to move to Scale as Core is obviously deprecated at this point, and I want to make sure I keep up with security patches and have easier access to installing software now that plugins don’t work anymore on Core.

First step in my checklist is to get my pool off of the Legacy Encryption (GELI).

Questions

So posting this as I have a few questions before I dive in.

  • Quick sanity check, does the above process from Patrick M. Hausen still apply?
  • Is there a way to go directly from GELI encryption to ZFS encryption on a pool?
    • Based on my research on how GELI and ZFS encryption works, with GELI operating at a disk level and ZFS at a pool level, this doesn’t seem possible, but I will ask just in case someone knows different.
    • Not sure if I could double encrypt and encrypt the pool and then remove the drive level encryption.
  • Is there a way to minimize sensitive data being exposed on discarded drives?
    • I am worried about the persistence of unencrypted data. I basically encrypted my data so I could throw out a hard disk without worrying about thoroughly destroying the data, either through a multi-step pass or a drill. If my data is fully unencrypted and then encrypted again, it feels like I am at risk of an SSN or something else sensitive getting leaked. That may just be the price of decrypting the data.

Thanks in advance!

The simplest and safest way to do what you want is to create a new pool with native ZFS encryption, and then replicate everything to it from the old pool.

If you don’t have extra drives, it will be very risky and require a lot of focus and patience to go from GELI → native ZFS encryption without destroying your pool. You will need enough free space on the existing pool to duplicate everything into new native encrypted datasets.

First, thanks for clarifying that ZFS encryption is at the dataset level. I was mistakenly thinking it was a pool level encryption, so good to have clarity on that.

I actually do have enough free space on my pool that if I was to convert each dataset, one by one, I could potentially convert them over.

What does that process look like? I’m envisioning something like:

  1. Make a new dataset with enough space to hold an old dataset
  2. Copy from old to new. (is there a ZFS way to clone a dataset?)
  3. Copy all my SMB share info to the new dataset, turn off smb sharing on the old dataset.
  4. Set up snapshotting for new dataset, delete old snapshotting tasks and delete old snapshots.
  5. Delete old dataset.
  6. When all datasets are ZFS encrypted, go through the Patrick Hausen method and remove GELI disk by disk, resilvering disks to get them unencrypted but it won’t matter because my datasets will be encrypted.

I am faltering at step 1 because I don’t even see an option to make a new ZFS encrypted dataset. It might be disabled due to my pool being GELI encrypted.

Sub question, if I was to just remove GELI without worrying about my drives not being encrypted, what is the process to move my existing datasets over to encrypted datasets? Would I just need to recreate and copy over data as outlined above or would there be an option to encrypt the existing dataset?

ZFS doesn’t care what the underlying devices are if you want to use native encryption for datasets. It is TrueNAS that prevents you from creating encrypted datasets if it detects you are using GELI encryption for the underlying partitions.

If you do not want to let your data touch an unencrypted space, you’ll need to do everything in the command-line, including the creation of new datasets with encryption. I’m not sure how the middleware/GUI will handle this.


You would have to do a one-time local replication with zfs send | zfs recv.


You would first replace all GELI partitions with non-GELI partitions in your vdev, and then create new encrypted datasets, and then replicate everything over to them.

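The command-line route described in the reply above (create a natively encrypted parent, then do a one-time local zfs send | zfs recv into it), as an added example that is not part of the original thread. The pool name tank, the parent tank/enc, the snapshot name and the passphrase key format are assumptions; it sends a single snapshot, so older snapshots and child datasets are not carried over, and how the TrueNAS middleware reacts is not covered.

```shell
#!/bin/sh
# Added example (not from the thread). "tank", "enc", the dataset name and the
# snapshot name are placeholders; passphrase keys are an assumption.
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands, 0 = execute them

run() {
    echo "+ $*"
    [ "$DRY_RUN" = "1" ] || sh -c "$*"
}

safe_name() {
    # Names are pasted into a shell pipeline, so allow only plain characters.
    case "$1" in
        ""|*[!A-Za-z0-9_.-]*) echo "unsafe name: $1" >&2; return 2 ;;
    esac
}

create_encryption_root() {
    safe_name "$1" || return 2
    # Run once per pool: datasets received below <pool>/enc inherit its key.
    run "zfs create -o encryption=on -o keyformat=passphrase -o keylocation=prompt $1/enc"
}

migrate_dataset() {
    pool="$1"; name="$2"; snap="${3:-to-native-enc}"
    for n in "$pool" "$name" "$snap"; do safe_name "$n" || return 2; done
    src="$pool/$name"; dst="$pool/enc/$name"

    run "zfs snapshot $src@$snap" || return 1
    # A non-raw send without -p or -R carries no properties, so the received
    # dataset inherits encryption from its parent and is written encrypted.
    run "zfs send $src@$snap | zfs recv $dst" || return 1
    # Check before destroying anything: expect a cipher name, never "off".
    run "zfs get -H -o value encryption,encryptionroot $dst"
}

# Usage: sh migrate.sh init tank   |   sh migrate.sh copy tank documents
case "${1:-}" in
    init) create_encryption_root "$2" ;;
    copy) migrate_dataset "$2" "$3" ;;
esac
```

With the default DRY_RUN=1 the script only prints the commands for review; the old dataset and its snapshots are left in place until the verification step has been checked by hand.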

This is the part that scares me. Could I potentially break my UI if I go down this route?

Otherwise it seems like the steps are largely the same. If I remove the GELI encryption first I still need to go through all the steps, aside from diving into the command line making the datasets by hand.

I’m not really sure what will happen. I don’t think anyone in this community has forced native encryption on a GELI pool with the command-line.


This is the safer approach. It does mean that you will have data temporarily saved unencrypted on the drives. This isn’t really an issue, unless a James Bond villain knows how to apply forensics on your drives to try to pull data from unused space that was never overwritten.