FreeNAS_DIY
Cadet
- Joined: Jul 20, 2014
- Messages: 6
Hello!
I am new to this forum so I hope this might be an appropriate place for my post.
At the moment I have a FreeNAS test system running (9.2.1.6) and I am wondering about the proper use of geli for pool encryption.
My setup is an Asus P9D-X, 8GB ECC-RAM, i3-4130, 6x 3TB WD Red, Raid Z2, booting from a Transcend JetFlash 600, 8GB USB2.0 Flash Drive.
(To be honest the whole system boots only every second time successfully, although all USB3.0 functions are disabled. But this is a different problem, perhaps for a different thread ;))
Later on the NAS will serve as a backup medium for all kinds of personal data. That means that the NAS is only switched on for short periods of time, namely while data is transferred to or from the NAS. A manual backup of the NAS will be performed on an external USB drive on a regular basis, too.
The test system already runs Geli encryption and so far I have no problems with it.
But during my "study phase" before building the NAS I read some postings here which contained some kind of warning about using Geli/FreeNAS encryption. As I would like to protect my NAS against data abuse after theft, I definitely want to use some kind of encryption.
So what are the caveats I have to care about if I use Geli for encryption?
I have already saved the metadata of every disk using the command found in this thread and script: http://forums.freenas.org/index.php...ks-from-single-freenas-primary-storage.17316/
Code:
# Save the GELI metadata of $disk to a file named after the drive's serial number
geli backup $disk `camcontrol identify ${disk%p2} | grep serial | tr -s ' ' | cut -d ' ' -f 3-`.eli
Regrettably I wasn't able to get the complete script running, so I did a backup manually using this command for every disk.
The script elifun-0.3 found in the same thread at page 2 didn't work for me either. To be honest I have to admit that I am new to the UNIX stuff in general and especially to the scripting language.
If I am correct, then in case of a failure, i.e. the block which contains the geli metadata is damaged, I only have to mount a USB flash drive, restore the saved metadata to all the disks and everything should be fine. Or am I wrong?
Are there any other problems related to Geli which can cause a complete data loss of the whole pool in a single (or double) point of failure situation? Or do I have to save further configuration data, additional key-data or something else on an external flash drive to prevent data loss due to damaged encryption?
Is using a huge Truecrypt container the better alternative, although Truecrypt seems to be officially dead at the moment? I assume using a single 10TB file or even two 5TB files may also not be problem-free. Does anyone have experience with this kind of configuration?
Please keep in mind that the NAS is built for the purpose of being a rock-solid, disk-failure-proof backup medium. That is why I am using RaidZ2. The data should be safe by any means! (Of course only as far as RaidZ2 and ZFS allows, but I don't want to introduce an additional point of failure which renders the safety thoughts useless and which introduces new weak points to the system.)
Thanks for your opinions and recommendations.
Kind regards from a FreeNAS beginner!
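The per-disk manual backup described in the post above, written as one loop that refuses to overwrite an earlier backup and checks that each file was actually written. This is an added example, not part of the original post or of the script in the linked thread; the `ada0p2`-style provider names (matching the post's `${disk%p2}`), the destination directory and the function names are assumptions.

```shell
#!/bin/sh
# Added example: back up GELI metadata for several partitions in one run.
# Assumed: providers are named like ada0p2 and the destination directory
# (for instance a mounted USB stick) already exists.

# Read `camcontrol identify` output on stdin and print the drive serial,
# reduced to characters that are safe in a file name.
serial_from_identify() {
    awk '/^serial number/ {
        sub(/^serial number[ \t]+/, "")
        gsub(/[^A-Za-z0-9._-]/, "_")
        print; exit
    }'
}

# Back up the metadata of one provider into <dest>/<serial>.eli.
backup_one() {
    part=$1
    dest=$2
    serial=$(camcontrol identify "${part%p2}" | serial_from_identify)
    [ -n "$serial" ] || { echo "no serial found for $part" >&2; return 1; }
    out="$dest/$serial.eli"
    # An older backup may be the only good copy, so never overwrite it.
    [ ! -e "$out" ] || { echo "$out exists, skipping $part" >&2; return 1; }
    # The file holds the (encrypted) master key: keep it owner-readable only.
    geli backup "$part" "$out" && [ -s "$out" ] && chmod 600 "$out"
}

# Back up every provider given; the return value is the number of failures.
backup_all() {
    dest=$1
    shift
    failed=0
    for part in "$@"; do
        backup_one "$part" "$dest" || failed=$((failed + 1))
    done
    return "$failed"
}

# Run as root, e.g.: sh geli-meta-backup.sh /mnt/usb ada0p2 ada1p2 ada2p2
if [ "$#" -ge 2 ]; then
    backup_all "$@"
fi
```

Each saved file can be written back to its disk with `geli restore <file> <provider>`.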