Problems moving existing pool to encrypted devices

From: Christian Walther <cptsalek_at_gmail.com>
Date: Wed, 29 Aug 2007 10:45:18 +0000

Hi,

after my previous questions concerning the use of zfs on encrypted 
devices, I thought I'd give it a try.

Here is what I did:

tarmin# zpool export pool01
tarmin# dd if=/dev/urandom of=/dev/ad2 bs=1024k
tarmin# zpool import pool01
tarmin# zpool status
  pool: pool01
 state: ONLINE
status: One or more devices could not be used because the label is missing or
        invalid.  Sufficient replicas exist for the pool to continue
        functioning in a degraded state.
action: Replace the device using 'zpool replace'.
   see: http://www.sun.com/msg/ZFS-8000-4J
 scrub: resilver completed with 0 errors on Wed Aug 29 10:07:21 2007
config:

        NAME                    STATE     READ WRITE CKSUM
        pool01                  ONLINE       0     0     0
          raidz1                ONLINE       0     0     0
            ad4                 ONLINE       0     0     0
            ad6                 ONLINE       0     0     0
            387148737669265642  UNAVAIL      0     0     0  was /dev/ad2

errors: No known data errors
tarmin# geli init -K /root/ad2.key -s 4096 /dev/ad2
Enter new passphrase:
Reenter new passphrase:
geli: Cannot store metadata on /dev/ad2: Operation not permitted.
tarmin# zpool export pool01
tarmin# geli init -K /root/ad2.key -s 4096 /dev/ad2
Enter new passphrase:
Reenter new passphrase:
tarmin# geli attach -k /root/ad2.key /dev/ad2
Enter passphrase:
tarmin# ls /dev/ad2*
/dev/ad2        /dev/ad2.eli
tarmin# zpool import pool01
cannot import 'pool01': invalid vdev configuration
tarmin# zpool status
no pools available

Summary: I can't break a ZFS vdev and encrypt it, because every time the 
pool is imported while a newly created /dev/ad2.eli is active, ZFS 
complains about a wrong vdev configuration, rendering the pool useless. 
The other way round doesn't work either: ZFS seems to lock the device, 
making geli initialization impossible.

From here my only possible way seems to be to buy another 400GB disk, 
so that I can set it up correctly and can do a replace against the old 
/dev/ad2. Afterwards I should be able to use /dev/ad2.eli as a 
replacement for one of the other disks. So finally I can either bring 
one of the disks back, or I have a spare disk.

Or am I probably missing something here, and there's another way I 
didn't see?

Regards,
Christian
Received on Wed Aug 29 2007 - 07:12:00 UTC
