How to add encrypted ZFS pool on FreeBSD server

ADVERTISEMENTS



I recently added hard disk to my FreeBSD based server. How do I configure an encrypted ZFS pool to store data on this disk? How can I add encrypted ZFS pool on FreeBSD 11.x server?ZFS is a file system for FreeBSD operating system. It is file system and logical volume manager originally designed by Sun Microsystems. A VDEV is nothing but a collection of a physical disk (such as /dev/vtbd2) file image, or ZFS software raid device, hot spare for ZFS raid. A zpool is nothing but a storage made of VDEVS (a collect of VDEVS). You can combine two or more physical disks or files or combination of both. This page shows how to create an encrypted ZFS pool on FreeBSD server when added a second hard disk to the server.

Type any one of the following command:

# camcontrol devlist

OR

# geom disk list



List current partitions

Run the following command:

# gpart show

List your existing zpool

Execute the following commands:

# zfs list

# zpool list

# zpool status



It is clear that /dev/vtbd0 and /dev/vtbd1 are used by zroot as mirror device. Thus /dev/vtbd2 left as unused device.

How to add encrypted ZFS pool on FreeBSD

Type the following gpart command to create a new partitioning scheme on a vtbd2. The -s gpt option determines the scheme to use:

# gpart create -s gpt vtbd2

vtbd2 created

Next add a new partition to the partitioning scheme given by geom:

# gpart add -t freebsd-zfs -l disk2-vol0 vtbd2

vtbd2p1 added

Where,

-t freebsd-zfs : Set type of the partition to freebsd-zfs i.e. a FreeBSD partition that contains a ZFS volume.

: Set type of the partition to freebsd-zfs i.e. a FreeBSD partition that contains a ZFS volume. -l disk2-vol0 : Set partition label name to disk2-vol0 i.e. /dev/gpt/disk2-vol0

: Set partition label name to disk2-vol0 i.e. /dev/gpt/disk2-vol0 vtbd2 : Device name

How to enable encryption with geli on FreeBSD for zfs

I am going to store critical data. So encrypting is essential for me. It is easy to setup with the aesni driver, geli and ZFS. geli is nothing but a block device-layer disk encryption system written for FreeBSD that uses the GEOM disk framework. The aesni driver used for the AES accelerator on Intel CPUs to speed up disk encryption. First add the following line to /boot/loader.conf:

# echo 'aesni_load="YES"' >> /boot/loader.conf

Load the FreeBSD aesni driver using the kldload command:

# kldload aesni

I am going to set up encryption for /dev/gpt/disk2-vol0, run:

# geli init -l 256 /dev/gpt/disk2-vol0



You need to use the above passphrase to attach the encrypted device at boot time or after rebooting the FreeBSD bare metal or cloud server. Where options for the geli command are as follows:

init : The geli utility is used to configure encryption on GEOM providers. Initialize the provider named /dev/gpt/disk2-vol0 which needs to be encrypted.

: The geli utility is used to configure encryption on GEOM providers. Initialize the provider named /dev/gpt/disk2-vol0 which needs to be encrypted. -l 256 : The default and recommended algorithm is AES-XTS and set data key length to 256 to use with the given cryptographic algorithm.

: The default and recommended algorithm is AES-XTS and set data key length to 256 to use with the given cryptographic algorithm. /dev/gpt/disk2-vol0 : Device name

Finally attach the given provider i.e./dev/gpt/disk2-vol0. The encrypted Master Key will be loaded from the metadata and decrypted using the given passphrase and a new GEOM provider will be created using the given provider’s name with an “.eli” suffix i.e. /dev/gpt/disk2-vol0.eli.

# geli attach /dev/gpt/disk2-vol0

# ls -l /dev/gpt/disk2-vol0*



View status of GEOM devices

# geli status

Sample outputs:

Name Status Components vtbd0p3.eli ACTIVE vtbd0p3 vtbd1p3.eli ACTIVE vtbd1p3 mirror/swap.eli ACTIVE mirror/swap gpt/disk2-vol0.eli ACTIVE gpt/disk2-vol0

I am going to use /dev/gpt/disk2-vol0.eli to create the zfs pool.

Create the zfs pool

Finally you need to set up the ZFS pool using zpool command:

# zpool create backup /dev/gpt/disk2-vol0.eli

Verify it:

# zpool list

# zpool status

# zfs list backup



How to mount device after system reboot

You need to type the following command:

# geli attach /dev/gpt/disk2-vol0

# zfs mount -a

# zfs get mounted backup

# zpool list

# zpool status

## use it again ##

# cd /backup

# ls -l

How to add two disks and configure an encrypted ZFS pool mirror block storage on FreeBSD

Let us say you have /dev/vtbd2 and /dev/vtbd3:

# gpart create -s gpt vtbd2

# gpart create -s gpt vtbd3

# gpart add -t freebsd-zfs -l disk2-vol0 vtbd2

# gpart add -t freebsd-zfs -l disk3-vol0 vtbd3

# geli init -l 256 /dev/gpt/disk2-vol0

# geli init -l 256 /dev/gpt/disk3-vol0

# geli attach /dev/gpt/disk2-vol0

# geli attach /dev/gpt/disk3-vol0

# geli status

# zpool create backupdisk mirror gpt/disk2-vol0.eli gpt/disk3-vol0.eli

# zpool list

# zpool status

Writing a shell script to mount zpool after rebooting the FreeBSD box left as an exercise to readers.

Conclusion

You just learned how to use block storage/additional disks to create encrypted file system zfs for your setup. For more info see gpart, geli, zpool man pages and ZFS book.