zpool upgrade w/ GELI encryption, but no ZFS native encryption available

q/pa · Dec 15, 2021

I am on TrueNAS Core 12.0-U7 with GELI encryption. I just upgraded my only data zpool to be able to do some testing with native ZFS encryption. Right after the upgrade + reboot I wanted to create a new dataset and see whether any "Encryption Options" (like in the screenshot below) were available. And they were... for a few seconds! Then the page refreshed and now the option is not shown anymore.

Is it intentional that GELI-encrypted systems cannot create ZFS-encrypted datasets (and pools)? Do I have to remove GELI-encryption first and then the regular create dataset options will all be available?

Samuel Tai · Dec 15, 2021

q/pa said:
Is it intentional that GELI-encrypted systems cannot create ZFS-encrypted datasets (and pools)? Do I have to remove GELI-encryption first and then the regular create dataset options will all be available?

Yes, and yes.

q/pa · Dec 15, 2021

Thanks for the quick reply, @Samuel Tai ! Much appreciated!

Samuel Tai · Dec 15, 2021

How to remove encryption from a ZFS volume (while keeping the data)

Hi, all, my first post - I have a little procedure to share. I successfully removed the geli encryption from a live ZFS pool in FreeNAS 9.1.1 with the following steps: 0. Make sure you either have a separate backup of your data, or are willing to take the risk of losing everything. Second...

www.truenas.com

Samuel Tai · Dec 15, 2021

Also search for @winnielinnie's threads on native ZFS encryption, and what he's learned from running them.

Confused by native ZFS encryption, some observations, many questions

I have been playing around with TrueNAS Core 12.0 in a virtual machine, specifically to get a "hands on" feel for native ZFS encryption. Prior to this, I held the following assumptions where GELI and native ZFS encryption differ: GELI encrypts partitions / block devices, which are then used...

www.truenas.com

q/pa · Dec 15, 2021

Thanks man, already reading up on this.

I roughly plan to remove GELI encryption, rename my datasets, create new ZFS-encrypted datasets and send | receive everything into the new datasets.

q/pa · Dec 19, 2021

First step accomplished: removed GELI encryption of my only storage pool (TrueNAS Core 12.0-U7).

The great guide in https://www.truenas.com/community/t...om-a-zfs-volume-while-keeping-the-data.16467/ works for 12.0-U7 with the following exceptions:

1.
[root@freenas-pmh] ~# zpool replace zfs 5939868321408276145 gptid/b5ae2aed-8ec4-11e2-a224-28924a2bff32
[root@freenas-pmh] ~# zpool status
...

The output does not look exactly like:
...
replacing-3 OFFLINE 0 0 0
5939868321408276145 OFFLINE 0 0 0 was /dev/gptid/b5ae2aed-8ec4-11e2-a224-28924a2bff32.eli
gptid/b5ae2aed-8ec4-11e2-a224-28924a2bff32 ONLINE 0 0 0 (resilvering)

At least since 12.0-U7, the GUID is missing. But you can either get it through the GUI: Dashboard > Pool > Data > Disks > DEGRADED disk or on the CLI via the command sudo zdb -l /dev/gptid/b5ae2aed-8ec4-11e2-a224-28924a2bff32.eli

2. Detach pool is now Export/disconnect pool (plus I had do import the pool manually after reboot).

Important Announcement for the TrueNAS Community.

zpool upgrade w/ GELI encryption, but no ZFS native encryption available

q/pa

Explorer

Samuel Tai

Never underestimate your own stupidity

q/pa

Explorer

Samuel Tai

Never underestimate your own stupidity

How to remove encryption from a ZFS volume (while keeping the data)

Samuel Tai

Never underestimate your own stupidity

Confused by native ZFS encryption, some observations, many questions

q/pa

Explorer

q/pa

Explorer

Similar threads