Upgrading encrypted mirror - Validate my plan

[bluonek]

After reading the docs and a few community posts I have a semi-clear idea of how to upgrade my encrypted mirror volume. Looking for validation before I take action.

Scenario:

• FreeNAS 11.1-U7
• One open drive port
• Drives (Currently): One vdev with two 4TB drives in mirror encrypted w/ GELI (4TB drives to be removed/discarded after upgrade)
• Drives (After Upgrade): One vdev with two 10TB drives in mirror encrypted w/ GELI

Planned Steps (known questions in bold):

1. Shut down FreeNAS
2. Install 1st 10TB drive into open drive port (keep the two 4TB drives in place)
3. Boot FreeNAS
4. Unlock volume (the two 4TB drives in mirror)
5. "Replace" 1st 4TB drive with 1st 10TB drive
   • Storage --> Volumes --> View Volumes --> Volume Status --> Replace button
   • Choose 1st 10TB drive
   • Enter encryption passphrase because "WARNING: The recovery key of your volume will be invalidated!"
     • Is it OK to use a new passphrase here? Or is this asking for the current passphrase for security purposes?
   • Notice I didn't "Offline" the drive - Is this needed when the drive being replaced is *not degraded? I'd rather not offline the drive in order to maintain redundancy during resilver - Does encryption complicate this desire for redundancy during resilver?
6. Wait for resilver to complete
7. Follow steps from user guide against the pool
   • Encryption Re-key
   • Create Passphrase (using new passphrase)
   • Download Key
   • Add Recovery Key
8. Shut down FreeNAS
9. Remove 1st 4TB drive and replace with 2nd 10TB drive
10. Boot FreeNAS
11. Unlock volume using new passphrase
12. Repeat steps 5-7 to replace 2nd 4TB drive with 2nd 10TB drive
    • Use same new passphrase from first pass of step 7
    • Save new key and recovery key since the ones from the first pass will no longer be valid
13. Shut down FreeNAS
14. Remove 2nd 4TB drive
15. Boot FreeNAS
16. Unlock volume with new passphrase
17. Anything else? Something to do with SMART settings? Not sure.

Thanks for the time and validation

-blu1k

 

[Chris Moore]

4TB drives to be removed/discarded after upgrade

You can send them to me.

Enter encryption passphrase because "WARNING: The recovery key of your volume will be invalidated!"
Is it OK to use a new passphrase here? Or is this asking for the current passphrase for security purposes?

I think this is asking for the existing passphrase.

Notice I didn't "Offline" the drive - Is this needed when the drive being replaced is *not degraded? I'd rather not offline the drive in order to maintain redundancy during resilver - Does encryption complicate this desire for redundancy during resilver?

You can keep the existing drive online during the replace. It is actually a good idea to retain redundancy. Encryption complicates everything.

At step 8, instead of just shutting down, I would suggest a restart here so you can verify that it is going to come back up and you can still access your data before you shutdown for step 9.

Anything else? Something to do with SMART settings? Not sure.

Yes. These new drives will need to be added into the smart test because they will not be automatically added.
It sounds like you have it figured out.