How to add encrypted ZFS pool on FreeBSD server


I recently added hard disk to my FreeBSD based server. How do I configure an encrypted ZFS pool to store data on this disk? How can I add encrypted ZFS pool on FreeBSD 11.x server?

Introduction: ZFS is a file system and logical volume manager available on the FreeBSD operating system; it was originally designed by Sun Microsystems. A VDEV (virtual device) is nothing but a physical disk (such as /dev/vtbd2), a file image, a ZFS software RAID device such as a mirror, or a hot spare for a ZFS RAID. A zpool is nothing but storage made of VDEVs (a collection of VDEVs). You can combine two or more physical disks, files, or a combination of both. This page shows how to create an encrypted ZFS pool on a FreeBSD server after adding a second hard disk to the server.

How to list existing hard disk drives on FreeBSD

Type any one of the following commands:
# camcontrol devlist
OR
# geom disk list
[Screenshot: listing all connected hard disk devices in FreeBSD]

List current partitions

Run the following command:
# gpart show

List your existing zpool

Execute the following commands:
# zfs list
# zpool list
# zpool status

[Screenshot: zpool list and zpool status output on FreeBSD]
It is clear that /dev/vtbd0 and /dev/vtbd1 are used by zroot as mirror devices. Thus /dev/vtbd2 is left as an unused device.

How to add encrypted ZFS pool on FreeBSD

Type the following gpart command to create a new partitioning scheme on vtbd2. The -s gpt option selects the scheme to use:
# gpart create -s gpt vtbd2
vtbd2 created

Next add a new partition to the partitioning scheme given by geom:
# gpart add -t freebsd-zfs -l disk2-vol0 vtbd2
vtbd2p1 added

Where,

  • -t freebsd-zfs : Set the partition type to freebsd-zfs, i.e. a FreeBSD partition that contains a ZFS volume.
  • -l disk2-vol0 : Set the partition label to disk2-vol0, which makes the partition available as /dev/gpt/disk2-vol0
  • vtbd2 : Device name

How to enable encryption with geli on FreeBSD for zfs

I am going to store critical data, so encryption is essential for me. It is easy to set up with the aesni driver, geli, and ZFS. geli is nothing but a block-device-layer disk encryption system written for FreeBSD that uses the GEOM disk framework. The aesni driver is used for the AES accelerator on Intel CPUs to speed up disk encryption. First, add the following line to /boot/loader.conf so that the driver is loaded at every boot:
# echo 'aesni_load="YES"' >> /boot/loader.conf
Load the FreeBSD aesni driver now, without rebooting, using the kldload command:
# kldload aesni
To set up encryption for /dev/gpt/disk2-vol0, run:
# geli init -l 256 /dev/gpt/disk2-vol0
[Screenshot: geli init prompting for a passphrase on the FreeBSD server]
geli init prompts you to choose a passphrase. You need to enter that passphrase to attach the encrypted device at boot time or after rebooting the FreeBSD bare metal or cloud server. The options for the geli command are as follows:

  • init : Initialize the provider named /dev/gpt/disk2-vol0 for encryption (the geli utility is used to configure encryption on GEOM providers).
  • -l 256 : Set the data key length to 256 bits for the cryptographic algorithm; the default and recommended algorithm is AES-XTS.
  • /dev/gpt/disk2-vol0 : Device name

Finally, attach the given provider, i.e. /dev/gpt/disk2-vol0. The encrypted Master Key is loaded from the metadata and decrypted using the given passphrase, and a new GEOM provider is created using the given provider's name with an ".eli" suffix, i.e. /dev/gpt/disk2-vol0.eli.
# geli attach /dev/gpt/disk2-vol0
# ls -l /dev/gpt/disk2-vol0*

[Screenshot: geli attach creating /dev/gpt/disk2-vol0.eli on FreeBSD]

View status of GEOM devices

# geli status
Sample outputs:

              Name  Status  Components
       vtbd0p3.eli  ACTIVE  vtbd0p3
       vtbd1p3.eli  ACTIVE  vtbd1p3
   mirror/swap.eli  ACTIVE  mirror/swap
gpt/disk2-vol0.eli  ACTIVE  gpt/disk2-vol0

The new provider, /dev/gpt/disk2-vol0.eli, is the device to use when creating the ZFS pool.

Create the zfs pool

Finally, create the ZFS pool named backup on the encrypted provider using the zpool command:
# zpool create backup /dev/gpt/disk2-vol0.eli
Verify it:
# zpool list
# zpool status
# zfs list backup

[Screenshot: zpool list and zpool status showing the backup pool]

How to mount device after system reboot

After a reboot the encrypted provider is not attached automatically, so type the following commands:
# geli attach /dev/gpt/disk2-vol0
# zfs mount -a
# zfs get mounted backup
# zpool list
# zpool status
## use it again ##
# cd /backup
# ls -l

How to add two disks and configure an encrypted ZFS pool mirror block storage on FreeBSD

Let us say you have /dev/vtbd2 and /dev/vtbd3:
# gpart create -s gpt vtbd2
# gpart create -s gpt vtbd3
# gpart add -t freebsd-zfs -l disk2-vol0 vtbd2
# gpart add -t freebsd-zfs -l disk3-vol0 vtbd3
# geli init -l 256 /dev/gpt/disk2-vol0
# geli init -l 256 /dev/gpt/disk3-vol0
# geli attach /dev/gpt/disk2-vol0
# geli attach /dev/gpt/disk3-vol0
# geli status
# zpool create backupdisk mirror gpt/disk2-vol0.eli gpt/disk3-vol0.eli
# zpool list
# zpool status

Writing a shell script to mount the zpool after rebooting the FreeBSD box is left as an exercise for readers.
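As an added example, not part of the original article, here is one such script that covers the post-reboot procedure above and the mirror case: it reads geli status so that only providers not yet attached are prompted for, then imports the pool if needed and mounts it. The pool name backupdisk and the labels disk2-vol0 and disk3-vol0 are taken from the mirror section; the sample geli status text inside the script is constructed for offline testing.

```shell
#!/bin/sh
# Added example, not from the original article: attach geli providers and
# mount the encrypted pool after a reboot. Usage with the article's names:
#   sh mount-encrypted-pool.sh backupdisk disk2-vol0 disk3-vol0
# geli asks for the passphrase on the console; never store it in this file.
set -eu

# Constructed sample of "geli status" output (same layout as the listing in
# the article) in which only disk2-vol0 is attached; used for offline checks.
SAMPLE_GELI_STATUS='              Name  Status  Components
       vtbd0p3.eli  ACTIVE  vtbd0p3
gpt/disk2-vol0.eli  ACTIVE  gpt/disk2-vol0'

# Succeed if gpt/<label>.eli is listed as ACTIVE in the geli status text
# read from stdin (the header line "Name Status Components" never matches).
eli_is_active() {
    awk -v name="gpt/$1.eli" \
        '$1 == name && $2 == "ACTIVE" { found = 1 } END { exit found ? 0 : 1 }'
}

# Print, one per line, the labels given as arguments that are not yet
# attached according to the geli status text read from stdin.
missing_providers() {
    text=$(cat)
    for label in "$@"; do
        if ! printf '%s\n' "$text" | eli_is_active "$label"; then
            printf '%s\n' "$label"
        fi
    done
}

# Attach only what is missing (safe to re-run after a partial attach), then
# import the pool if the boot-time import failed because the .eli devices
# did not exist yet, and finally mount its datasets.
mount_encrypted_pool() {
    pool="$1"; shift
    for label in $(geli status | missing_providers "$@"); do
        geli attach "/dev/gpt/$label"
    done
    if ! zpool list -H -o name "$pool" >/dev/null 2>&1; then
        zpool import "$pool"
    fi
    zfs mount -a
    zfs get -H -o value mounted "$pool"   # prints "yes" once mounted
}

if [ "$#" -ge 2 ]; then   # act only when given a pool name and labels
    mount_encrypted_pool "$@"
fi
```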

Conclusion

You just learned how to use block storage or additional disks to create an encrypted ZFS file system for your setup. For more information, see the gpart, geli, and zpool man pages and the ZFS book.

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting.