Experiences with legacy geli encryption on TrueNAS 13?

Dwarf Cavendish

Contributor
Joined
Dec 19, 2017
Messages
121
Back in the day I installed my NAS with FreeNAS 11.1 and made use of geli encryption for the main data pool. I have been upgrading ever since, without many issues. I do now know that geli encryption is legacy encryption, which means that at some point support for it will probably be dropped. This makes me a bit wary about upgrading to TrueNAS Core 13.

I looked at this subforum's topic listing to see if there was any mention of legacy geli encryption, but didn't see anything. I have also looked over the TrueNAS Core 13 release notes and I saw no mention of the removal of geli support.

So my question: can anyone who also has geli encrypted pools share some experiences? Or is there really no reason to worry at all?
 

Redcoat

MVP
Joined
Feb 18, 2014
Messages
2,925
Forum member @winnielinnie has written extensively on this and related topics. I suggest a search for "encryption" and "winnielinnie" and you'll find lots of good info provided by a very responsive member here.
 

Dwarf Cavendish

Contributor
Joined
Dec 19, 2017
Messages
121
I will, thanks. That reminds me that having the system dataset on an encrypted pool is also something that's legacy by now. So I'd better plan all of this carefully.
 

Dwarf Cavendish

Contributor
Joined
Dec 19, 2017
Messages
121
Okay, I have sniffed through the posts of @winnielinnie a bit and it looks like definitely a lot of good information in there about moving away from GELI. Which I want. But what remains is the question if it's necessary for migrating to TrueNAS 13. I suppose I could just see if it works and revert to 12 if it doesn't. The release notes at least don't indicate dropping support for it.

In any case it's a good incentive for me to get rid of it. Encryption is one of those things that make my family's access to our home server rather... dependent on me.
 
Joined
Oct 22, 2019
Messages
3,641
If you want to "play it safe" for now, you can still import pools with underlying GELI devices in TrueNAS Core 13. (Whether they remove this feature/support in future versions of Core is yet to be seen. However, SCALE is completely out of the question, since it is Linux-based.) Make sure you have your keys exported, and even test that they work correctly to import the pool before upgrading and re-importing with TrueNAS Core 13. I'm not sure if upgrading from 12.x -> 13.x will automatically import the pool, but it's possible (because the GELI keys are stored on the boot-pool, unless you explicitly export the storage pool.)

You can do what I did and "conveniently" schedule yourself an upgrade along with migration as a single project. That way you don't feel rushed nor hastily try to migrate with limited drives (playing a precarious juggling game.)


Regardless, having up-to-date backups is mandatory no matter which route you pursue.
 

Dwarf Cavendish

Contributor
Joined
Dec 19, 2017
Messages
121
That it's still possible to import my pool is very reassuring. That makes me confident enough to order a RAM upgrade for my server, make sure I have multiple local back-ups and go with it. That should give me some breathing room to plan getting rid of GELI at a moment that suits me.

Thanks!
 

Mastakilla

Patron
Joined
Jul 18, 2019
Messages
203
fyi:
I just upgraded from TrueNAS CORE 12U8.1 to 13U2 with a GELI pool and it properly added the GELI pool automatically...

I'm kinda stuck on GELI for now, since I don't have an additional pool with the same size to temporarily store my data :/
 

Dwarf Cavendish

Contributor
Joined
Dec 19, 2017
Messages
121
I think that I will use an external hard disk the size of my pool + zfs send/receive to get rid of GELI. Should be a fun Christmas project...
 
Joined
Oct 22, 2019
Messages
3,641
I think that I will use an external harddisk the size of my pool + zfs send/receive to get rid of GELI.
There's an inherent risk involved with this method.

All of your data will exist only on a single non-redundant external USB drive. This means that if the USB drive were to fail when you try to copy everything back over to the new pool, you could potentially lose everything. :oops:
 

Dwarf Cavendish

Contributor
Joined
Dec 19, 2017
Messages
121
There's an inherent risk involved with this method.

All of your data will exist only on a single non-redundant external USB drive. This means that if the USB drive were to fail when you try to copy everything back over to the new pool, you could potentially lose everything. :oops:
I know, thanks for the concern :smile:.

I'm still debating whether I'd want to have a second drive for mirroring. Also, I regularly make back-ups to VeraCrypt containers that I keep on several hard drives, on top of a sync to Backblaze B2 that runs multiple times a day. It would be wise if I checked restoring stuff from some of these back-ups prior to the operation (which I really should be doing regularly anyway, improvement point for me) and also if I double-checked that the cloud back-up cron job isn't still running (which could wipe my back-ups), but otherwise I think I'm in pretty good shape to recover from messing up my pool :smile:.
 

Mastakilla

Patron
Joined
Jul 18, 2019
Messages
203
I've been running TrueNAS 13 with my legacy GELI pool for almost 6 months now, without any problems...

As I'm happy with the new release, I wanted to "complete" my upgrade to TrueNAS 13. So I've upgraded my jails to the new release and I also wanted to upgrade my pools' feature flags...

But then I remembered that there was this issue with my pool having GELI encryption which was no longer actively supported...
Is my assumption correct that (although the GUI does offer to upgrade my pool) I should NOT upgrade my pools' feature flags, as long as I have GELI encryption?
 
Joined
Oct 22, 2019
Messages
3,641
I should NOT upgrade my pools' feature flags, as long as I have GELI encryption?
Those are two separate things.

GELI involves the underlying block devices.

The "pool features" involve compatibility with older versions of ZFS.

It's up to you if you want to "upgrade" your zpools, regardless of whether or not your block devices are encrypted with GELI.

For example, you could be using UFS atop a GELI-encrypted block device. GELI is not a part of (nor related to) ZFS.

Personally, I don't upgrade my pools. I have yet to stumble across a reason to do so.
 
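A quick way to see the layering described above (GELI below, ZFS on top) is to look at which vdev members of a pool are GELI providers. This is an added example, not code from the thread; it assumes only that GELI-attached providers show up in `zpool status` with the `.eli` suffix, which is how geli names them on FreeBSD. The `zpool status` text below is a constructed sample so the script runs offline; on a real system you would pipe `zpool status <pool>` into these functions.

```bash
#!/bin/sh
# Added example: find GELI-backed members of a ZFS pool from `zpool status` output.
# Not from the forum thread; the sample output and gptids below are constructed.

# Constructed `zpool status tank` output: a two-disk mirror on GELI providers.
SAMPLE_GELI='  pool: tank
 state: ONLINE
config:

        NAME                                             STATE     READ WRITE CKSUM
        tank                                             ONLINE       0     0     0
          mirror-0                                       ONLINE       0     0     0
            gptid/aaaaaaaa-0000-4000-8000-000000000001.eli  ONLINE       0     0     0
            gptid/aaaaaaaa-0000-4000-8000-000000000002.eli  ONLINE       0     0     0

errors: No known data errors'

# Constructed output for the same layout on plain (non-GELI) providers.
SAMPLE_PLAIN='  pool: tank
 state: ONLINE
config:

        NAME                                         STATE     READ WRITE CKSUM
        tank                                         ONLINE       0     0     0
          mirror-0                                   ONLINE       0     0     0
            gptid/aaaaaaaa-0000-4000-8000-000000000001  ONLINE       0     0     0
            gptid/aaaaaaaa-0000-4000-8000-000000000002  ONLINE       0     0     0

errors: No known data errors'

# Read `zpool status` on stdin; print each vdev member whose name ends in .eli.
geli_members() {
    awk '$1 ~ /\.eli$/ { print $1 }'
}

# Same, but print the underlying provider geli was attached to (suffix stripped).
# These are the names `geli` itself operates on; ZFS only ever sees the .eli device.
underlying_providers() {
    awk '$1 ~ /\.eli$/ { sub(/\.eli$/, "", $1); print $1 }'
}

# Number of GELI-backed members in the status text on stdin.
geli_member_count() {
    geli_members | wc -l | tr -d ' '
}

# Exit 0 if any member is GELI-backed, 1 otherwise (usable in an `if`).
pool_uses_geli() {
    [ "$(geli_member_count)" -gt 0 ]
}
```

Running `zpool status tank | geli_member_count` before an upgrade tells you whether the pool depends on GELI keys at all, independent of whatever pool feature flags are enabled.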

Mastakilla

Patron
Joined
Jul 18, 2019
Messages
203
Thanks for the clarification!
 