
TrueNAS Core and legacy GELI encryption


q/pa

Member
Joined
Mar 16, 2015
Messages
48
Hi all,

I just read that "TrueNAS replaced GELI encryption with ZFS native cryptography in the version 12.0 release".

Can anyone explain to me what that means for a GELI encrypted system when updating to TrueNAS 12 (Core)?

Many thanks in advance
 

sretalla

Wizened Sage
Joined
Jan 1, 2016
Messages
3,931
Legacy encrypted disks remain operable as today in 11.3.

I'm fairly sure you can't now create new encrypted volumes using the legacy method, but existing ones can be used and maintained.
 

Ericloewe

Not-very-passive-but-aggressive
Moderator
Joined
Feb 15, 2014
Messages
16,958
That is possible, but the migration path is manual.
 

Yorick

Dedicated Sage
Joined
Nov 4, 2018
Messages
1,781

q/pa

Member
Joined
Mar 16, 2015
Messages
48
I just read this in the TrueNAS docs:

"In future TrueNAS versions, a decrypted GELI pool will be able to migrate data to a new ZFS encrypted pool using an advanced Replication Task (NAS-107463). Until this time, GELI encrypted pools will continue to be detected and supported in the TrueNAS web interface, so you are not required to immediately migrate data away from GELI pools. Before using the command line to migrate data, it is recommended to consider the benefits and drawbacks of immediately migrating from GELI to ZFS."
https://www.truenas.com/docs/hub/initial-setup/storage/encryption/#migration-from-geli

Will this work on a live system? Everything (the old pool) is migrated to a newly created new encrypted pool? Including the system dataset?
 

sretalla

Wizened Sage
Joined
Jan 1, 2016
Messages
3,931
Encryption is per dataset, and it can only be added during dataset creation, not to existing datasets.
But can only be done in a pool already created as encrypted... you can't just enable encryption on a dataset in an unencrypted pool.
 

q/pa

Member
Joined
Mar 16, 2015
Messages
48
Yes, the new pool has to have encryption enabled. But will my old pool be gone and everything (datasets with all settings, the data itself, etc.) be migrated to this new pool with native encryption?
 

Ericloewe

Not-very-passive-but-aggressive
Moderator
Joined
Feb 15, 2014
Messages
16,958
But can only be done in a pool already created as encrypted... you can't just enable encryption on a dataset in an unencrypted pool.
Sure you can, you just won't be able to use the pool in versions of ZFS that do not support the feature flag.
 

sretalla

Wizened Sage
Joined
Jan 1, 2016
Messages
3,931
Sure you can, you just won't be able to use the pool in versions of ZFS that do not support the feature flag.
OK, I had tried this in an earlier iteration, probably before the real OpenZFS 2.0 arrived in the builds, and couldn't do it, but now I see it can be done... Great.
 

mgd

Member
Joined
Jan 8, 2017
Messages
46
Just to be absolutely sure:
  • Upgrading a FreeNAS 11.3 system with a GELI-encrypted pool to TrueNAS 12 Core is safe.
  • After the upgrade the pool and all its data sets will appear just as before the upgrade.
Correct?

My current GELI-encrypted pool's key resides in /data/geli and is not protected with a password (to allow the system to reboot without someone having to unlock it). /data resides on the boot pool:

Code:
freenas% df -h
Filesystem                                               Size    Used   Avail Capacity  Mounted on
freenas-boot/ROOT/11.3-U5                                100G    1.0G     99G     1%    /
...
 

Vick Khera

Junior Member
Joined
Jul 8, 2015
Messages
17
Just to be absolutely sure:
  • Upgrading a FreeNAS 11.3 system with a GELI-encrypted pool to TrueNAS 12 Core is safe.
  • After the upgrade the pool and all its data sets will appear just as before the upgrade.
Correct?

My current GELI-encrypted pool's key resides in /data/geli and is not protected with a password (to allow the system to reboot without someone having to unlock it). /data resides on the boot pool:
Did you ever get an affirmative reply? Did you try it? My pool is set up the same way. From reading other posts and this full thread, I get the sense that this is a supported upgrade.
 

mgd

Member
Joined
Jan 8, 2017
Messages
46
Did you ever get an affirmative reply? Did you try it? My pool is set up the same way. From reading other posts and this full thread, I get the sense that this is a supported upgrade.
No, I never got a reply.
I get the same sense as you – however, I would be very sad to see my pool disappear. So if I get no answer, I guess I will have to test it out in a VM.
 

Archaniel

Member
Joined
Jun 9, 2016
Messages
48
Just to be absolutely sure:
  • Upgrading a FreeNAS 11.3 system with a GELI-encrypted pool to TrueNAS 12 Core is safe.
  • After the upgrade the pool and all its data sets will appear just as before the upgrade.
Correct?

My current GELI-encrypted pool's key resides in /data/geli and is not protected with a password (to allow the system to reboot without someone having to unlock it). /data resides on the boot pool:

Code:
freenas% df -h
Filesystem                                               Size    Used   Avail Capacity  Mounted on
freenas-boot/ROOT/11.3-U5                                100G    1.0G     99G     1%    /
...
Hi,

I just gambled a bit (hehe) and it went well from 11.3 to 12 where I have full disk encryption with GELI. The pool unlocked without any problems and everything works.
 

q/pa

Member
Joined
Mar 16, 2015
Messages
48
Being on 11.3-U5, my plan is to
  1. backup my three datasets (shares, iocage, mariadb), then
  2. remove GELI encryption (following @Patrick M. Hausen's guide on https://www.truenas.com/community/t...om-a-zfs-volume-while-keeping-the-data.16467/), then
  3. upgrade to TrueNAS 12, then
  4. destroy my old (and only) pool and create a new one with the exact same name and encryption enabled and afterwards finally
  5. send | receive my three original datasets back to the new pool, inheriting native ZFS encryption.
I am still testing send | receive operations to and from my remote backup pool on a Void Linux (Project Trident) system, verifying that everything works as expected and nothing gets lost.
 
Last edited:

mgd

Member
Joined
Jan 8, 2017
Messages
46
Please note, this step will leave all your data unencrypted on the disks and even after creating a new natively encrypted ZFS pool on the same disks, you will have unencrypted data in raw disk sectors. Please see here (also by @Patrick M. Hausen):
If you back up your existing datasets, why do you want to remove GELI encryption before destroying the old pool?

If you simply
  1. back up your datasets
  2. destroy the pool without removing GELI encryption
  3. create a new natively encrypted pool on the disks
  4. send | receive the datasets from the backup to the new pool
then your data stays encrypted at all times and you don't leave unencrypted data in disk sectors on your disks.
 

mgd

Member
Joined
Jan 8, 2017
Messages
46
Hi,

I just gambled a bit (hehe) and it went well from 11.3 to 12 where I have full disk encryption with GELI. The pool unlocked without any problems and everything works.
Thanks for testing this :)
I just upgraded and everything seems to be fine.
 

q/pa

Member
Joined
Mar 16, 2015
Messages
48
Please note, this step will leave all your data unencrypted on the disks and even after creating a new natively encrypted ZFS pool on the same disks, you will have unencrypted data in raw disk sectors. Please see here (also by @Patrick M. Hausen):
If you back up your existing datasets, why do you want to remove GELI encryption before destroying the old pool?

If you simply
  1. back up your datasets
  2. destroy the pool without removing GELI encryption
  3. create a new natively encrypted pool on the disks
  4. send | receive the datasets from the backup to the new pool
then your data stays encrypted at all times and you don't leave unencrypted data in disk sectors on your disks.
Many thanks @mgd! I was aware of that, though. And this is the one big drawback of my plan, I agree. When I first came up with this I did not know of anyone who had removed GELI encryption from TrueNAS 12. At least one person has accomplished this by now. On the other hand it feels more robust to do one step at a time (first remove GELI, then upgrade, then (re-)create the pool, this time with native encryption).
If I followed your advice and did not want to test removing GELI from TN12, I would destroy the encrypted pool, upgrade a blank system and then restore the FreeNAS 11.3 pool data to a new TN 12 pool. Should be no problem, but then you never know...

Maybe I will feel better if I go through the work of dd'ing the drives between 3. and 4. of my original plan.
 

mgd

Member
Joined
Jan 8, 2017
Messages
46
@q/pa What I would do in your place would be:
  1. Upgrade 11.3 to 12 with GELI encryption still in place (already did that and it works fine)
  2. Backup the pool
  3. Destroy the pool
  4. Create a new ZFS-encrypted pool
  5. restore to the new pool (zfs send | zfs receive)
I don't understand why you want to unencrypt the pool first. It seems like a waste of time and also defeats the purpose of full-disk encryption to allow cleartext data on the drives at any time.

EDIT:
For me, the purpose of encryption is that at no time is cleartext data written to the drive, so I can rest assured that if a drive is stolen, no one can read what's on it. Also, if the drive ever needs to be returned for repair or replacement, I know data cannot be retrieved from it. Remember, most often a drive is returned for repair/replacement because it is malfunctioning – sometimes to the state that you can no longer access it. So at that time, there might be no way to delete data from the drive apart from physically disassembling it and demagnetising or destroying the platters. With encryption, you can just throw away the key and the contents of the drive are then just random noise.
end of EDIT

What I intend to do myself – because I need more space – is:
  1. Upgrade 11.3 to 12 with GELI encryption still in place (already done)
  2. Buy two new drives and create a new pool with ZFS encryption (mirror)
  3. Copy over data from old GELI-encrypted pool to new ZFS-encrypted pool (zfs send | zfs receive)
  4. Destroy old pool
  5. Add the drives from the old pool to the new pool (add them as a mirror to get a stripe of mirrors)
 
Last edited:
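The restore step of mgd's list (back up, destroy, create a natively encrypted pool, zfs send | zfs receive into it) is easy to get subtly wrong: if the new pool was not created with encryption enabled, or a dataset is received in a way that does not pick up the pool's encryption, the data ends up in cleartext exactly as the thread warns. The script below is an added example written for this thread, not code from TrueNAS or from any poster. It wraps the send/receive in two checks: the target pool root must report `encryption` other than `off` before anything is written, and each received dataset is checked the same way afterwards. Pool names (`backup`, `tank`), the snapshot name `premigrate` and the dataset list are hypothetical; `DRY_RUN=1` (the default) prints the commands so the plan can be reviewed before running it for real.

```shell
#!/bin/sh
# Added example for this thread; not code from TrueNAS or from any poster.
# Scripts the "restore into a natively encrypted pool" step of mgd's plan with
# the checks a cautious admin wants. Hypothetical names: backup pool "backup",
# new encrypted pool "tank", snapshot "premigrate", datasets shares/iocage/mariadb.
# DRY_RUN=1 (default) prints the zfs commands instead of executing them.

DRY_RUN="${DRY_RUN:-1}"

# encryption_ok VALUE: succeed unless the `encryption` property reads "off"
# (or is empty, e.g. because `zfs get` failed).
encryption_ok() {
    case "$1" in
        ""|off) return 1 ;;
        *)      return 0 ;;
    esac
}

# run_cmd STRING: print the command line in dry-run mode, execute it otherwise.
# A string is used so a `send | receive` pipeline is shown and run as one unit.
run_cmd() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$1"
    else
        sh -c "$1"
    fi
}

# zfs_encryption DATASET: current value of the `encryption` property.
zfs_encryption() {
    zfs get -H -o value encryption "$1" 2>/dev/null
}

# require_encrypted_pool POOL: refuse to continue unless the pool root is
# encrypted, i.e. the pool itself was created with encryption enabled.
require_encrypted_pool() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'check: %s has encryption != off\n' "$1"
        return 0
    fi
    encryption_ok "$(zfs_encryption "$1")" || {
        printf 'refusing: pool %s is not encrypted\n' "$1" >&2
        return 1
    }
}

# migrate_dataset SRC DST SNAP: replicate SRC@SNAP (children and properties
# included) under DST. The stream is not raw (datasets on a GELI pool are plain
# ZFS), so the received dataset takes the target's encryption; -x encryption
# tells receive to ignore any encryption property carried in the stream so that
# inheritance from the encrypted parent cannot be overridden. -u leaves the new
# datasets unmounted until the result has been checked.
migrate_dataset() {
    src="$1"; dst="$2"; snap="$3"
    run_cmd "zfs send -R $src@$snap | zfs receive -u -x encryption $dst" || return 1
    if [ "$DRY_RUN" = "1" ]; then
        printf 'check: %s has encryption != off\n' "$dst"
        return 0
    fi
    encryption_ok "$(zfs_encryption "$dst")" || {
        printf 'WARNING: %s was received unencrypted\n' "$dst" >&2
        return 1
    }
}

# migrate_all BACKUPPOOL NEWPOOL SNAP DATASET...: the whole restore step.
migrate_all() {
    from="$1"; to="$2"; snap="$3"; shift 3
    require_encrypted_pool "$to" || return 1
    for ds in "$@"; do
        migrate_dataset "$from/$ds" "$to/$ds" "$snap" || return 1
    done
}

# Usage: review the plan with DRY_RUN=1 (default), then run it with DRY_RUN=0.
migrate_all backup tank premigrate shares iocage mariadb
```

Run it once with the default `DRY_RUN=1` to see the exact `zfs send | zfs receive` lines it will issue, then with `DRY_RUN=0` on the upgraded system. Because the datasets are received unmounted, the new pool can be inspected (and the `encryption` property confirmed) before anything is exposed over the shares.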

q/pa

Member
Joined
Mar 16, 2015
Messages
48
Thanks again @mgd! Can we be sure that there are absolutely no residues left of the old GELI encryption if we just destroy the old pool? For this was the reason for me to first remove GELI (as I recall now). Otherwise, I will gladly follow your advice and skip the removal.
 