Moving from GELI encryption to native encryption

TheDrifter363 (Dabbler)
Hey guys,

So I recently unencrypted my system, following that guide from 2013, and now I'm trying to figure out how to encrypt my data using the new native encryption in FreeNAS 12. Here's my structure:
Data
----->Users (want to encrypt with password)
------------->Usernames
----->Media
------------->Movies
------------->TV Shows
------------->Music
------------->Torrents (want to encrypt with password)
----->"other stuff"

I've used up 25 TiB, and I have 15.3 TiB free. I have no spare HDDs, so I can't make another pool. When I decrypt my stuff, I want the userdata and torrents to be decrypted at the same time with the same password. I only want to enter the password once.

I was thinking I could do this with a new root dataset that was encrypted. Then I could have unencrypted stuff underneath like movies, tv shows, iocage, etc; and the userdata and torrents inherit the encryption. So when I restart the server, shares that rely on the unencrypted stuff, like movies, would still work, but I would have to decrypt the userdata and torrents, so those shares won't work.

I have no idea how to go about doing this. I initially made a new child dataset under Data, called root. This was encrypted, and I wanted to make root the new "root" dataset. That was confusing. I don't know if I have to copy everything over or if I could just use zfs mountpoints in a way. I don't have enough free space to copy everything over. You can see it by what I said above. I'm using 62% of my total space.

Any ideas? I saw this guy with a linux mint avatar, but his stuff looked complicated, and he required making a new pool, but I can't do that. No spare HDDs. All I have is free space.

Userdata totals around 3 TiB, while Torrents are at 5 TiB. I could probably reduce torrents by moving stuff to the other datasets.

sretalla (Moderator)
I want the userdata and torrents to be decrypted at the same time with the same password. I only want to enter the password once.
Then you'll have to put them in a single structure (one parent and the other as a child of the same dataset).

Since encryption is set at dataset creation (and the root dataset is created at the moment of pool creation), you're going to need to abandon the idea of having the root dataset encrypted. Ultimately you can't rebuild the boat you're still sailing in.

You could just create another new encrypted child dataset (under the root level of the pool) and move everything into new datasets under that while staying in the same pool and still get to the result you're talking about.

TheDrifter363 (Dabbler)
Then you'll have to put them in a single structure (one parent and the other as a child of the same dataset).

Since encryption is set at dataset creation (and the root dataset is created at the moment of pool creation), you're going to need to abandon the idea of having the root dataset encrypted. Ultimately you can't rebuild the boat you're still sailing in.

You could just create another new encrypted child dataset (under the root level of the pool) and move everything into new datasets under that while staying in the same pool and still get to the result you're talking about.

Hmm, alright that could work. Thanks! So would I move stuff over with zfs send | zfs recv, or would I have to do rsync or cp -a? I'll be moving stuff from an unencrypted dataset to an encrypted dataset.

sretalla (Moderator)
Send | recv may not work as it will want to create a new dataset in the target (which may break the inheritance you want).

You can always do the test first with a junk dataset and see if it works how you want.
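The layout sretalla suggests (an encrypted child of the pool root, with Users and Torrents copied beneath it and Media left as a plaintext sibling), written out as an added example that is not code from the thread: a POSIX shell script for TrueNAS/FreeNAS 12 (OpenZFS 2.0) that creates a passphrase-encrypted parent dataset on the existing pool and copies the plaintext datasets under it with zfs send | zfs recv. The pool "Data" and the sources Data/Users and Data/Media/Torrents are taken from the thread's layout; the parent name "secure", the snapshot name "migrate" and the environment variables are assumptions. Two ZFS rules drive the design: an encrypted dataset cannot have an unencrypted child (so an encrypted root with plaintext Media underneath is not possible in any case), and zfs rename refuses to move a plaintext dataset under an encrypted parent, so the data has to be copied and the old dataset destroyed afterwards, which is why the free-space check looks at the largest single source rather than the total. DRY_RUN=1 (the default) prints every command instead of running it, so the plan can be read before anything is touched; run it against a junk dataset first, as the reply advises.

```shell
#!/bin/sh
# Added example for the thread above; not code from the original posts.
# Creates a passphrase-encrypted parent dataset on the existing pool and copies
# the plaintext datasets under it with zfs send | zfs recv, on TrueNAS/FreeNAS 12
# (OpenZFS 2.0). Pool and source names follow the thread's layout; the parent
# name "secure" and the snapshot name "migrate" are assumptions.
# DRY_RUN=1 (the default) only prints the commands; DRY_RUN=0 executes them.
set -eu

POOL="${POOL:-Data}"
PARENT="${PARENT:-$POOL/secure}"   # assumed name for the encrypted parent
DRY_RUN="${DRY_RUN:-1}"
SNAP="${SNAP:-migrate}"

# Either print a command (dry run) or execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# encryption, keyformat and keylocation can only be set when the dataset is
# created; zfs prompts for the passphrase itself. Every child created under
# this dataset, including the ones zfs recv creates below, inherits its key,
# so a single "zfs load-key Data/secure" later unlocks all of them at once.
create_parent() {
    run zfs create -o encryption=aes-256-gcm -o keyformat=passphrase \
        -o keylocation=prompt "$PARENT"
}

# Copy within the same pool is a real copy, so the pool needs free space for
# the largest dataset being moved (the old copy is destroyed only after the
# new one has been checked). Needs a live zfs, so it is skipped in dry-run mode.
check_space() {
    [ "$DRY_RUN" = 1 ] && return 0
    avail=$(zfs list -H -p -o avail "$POOL")
    for ds in "$@"; do
        used=$(zfs list -H -p -o used "$ds")
        if [ "$used" -gt "$avail" ]; then
            echo "not enough free space in $POOL to copy $ds" >&2
            return 1
        fi
    done
}

# Copy one plaintext dataset under the encrypted parent. The stream is sent
# without -p or -R on purpose: those would carry encryption=off from the
# source into the receive, and an unencrypted child cannot be created under
# an encrypted parent. Without them the new child simply inherits the parent's
# key. -u keeps the copy unmounted until it has been verified.
# Arguments: source dataset [child name, default: last path component].
migrate() {
    src="$1"
    dst="$PARENT/${2:-$(basename "$src")}"
    run zfs snapshot "$src@$SNAP"
    run sh -c "zfs send $src@$SNAP | zfs recv -u $dst"
}

# Every migrated child must report the parent as its encryptionroot and a
# keystatus of available; siblings outside the parent should still show
# encryption=off when you run the same command on the pool root.
verify() {
    run zfs get -r -H -o name,property,value \
        encryption,encryptionroot,keystatus "$PARENT"
}

plan() {
    create_parent
    check_space "$POOL/Users" "$POOL/Media/Torrents"
    migrate "$POOL/Users"
    migrate "$POOL/Media/Torrents"
    verify
}

main() {
    case "${1:-}" in
        plan)  plan ;;
        apply) DRY_RUN=0; plan ;;
        *) echo "usage: $0 plan   (print commands)  |  $0 apply   (run them)" >&2 ;;
    esac
}
main "$@"
```

After `verify` reports the expected encryption root, mount the new children, repoint the SMB/NFS shares, and only then destroy the old Data/Users and Data/Media/Torrents. On TrueNAS 12 the supported way to create the encrypted parent is the Storage > Pools > Add Dataset dialog, which also records the key material in the middleware database; a dataset created with zfs create on the shell is not tracked there, and the passphrase then has to be supplied with zfs load-key followed by zfs mount after each reboot. Until that happens the shares under the encrypted parent stay down while Media and the other plaintext siblings keep working, which is the behaviour the original post asked for.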