# ZFS with RAID-Z on top of GELI, risk for data loss?



## inr (Jan 8, 2009)

I've encrypted four hard drives with GELI and created a RAID-Z pool with the encrypted .eli devices. In case of a power failure, is there any risk that data loss would occur?

I've read about how RAID-Z is supposedly immune to it, so I guess it boils down to if the extra GELI-layer introduces the risk for data loss.


----------



## graudeejs (Jan 8, 2009)

I think you should create the RAID 1st and then encrypt it.
If RAID-Z is immune (idk, never used), GELI probably is vulnerable,
so putting GELI on top of something immune would be better.


----------



## inr (Jan 8, 2009)

I thought that wouldn't be such a good idea. Currently, if one of the hard drives breaks down, it's just a matter of replacing it (physically), encrypting the new drive and replacing the broken one in the RAID-Z array.

But if I was encrypting the entire RAID-Z instead, I'm not sure it would work as well. Replace the hard drive and add it to the RAID-Z array, resilver and then attach the whole RAID-Z array with GELI. I guess that would work. But then another ZFS layer would have to be created on top of GELI, if one wants to use ZFS. Wouldn't this be worse? It also begs the question if ZFS' features would work the same, since the pool on top wouldn't be a RAID-Z pool (data correction and whatnot).

Of course, I could be wrong about everything I just wrote. I was just trying to clarify my line of reasoning when setting it up.


----------



## graudeejs (Jan 8, 2009)

Yes, you have a good point.
Well, I have no experience with RAIDs.

btw why do you need encryption?

EDIT:

Now because of you I have a dilemma:
*/dev/ad4p1.journal.eli*
vs
*/dev/ad4p1.eli.journal*

Before you I was thinking only about the 1st [still prefer the 1st]


----------



## Maledictus (Jan 8, 2009)

Hmm, guesses are nice but I would be interested in the opinion of someone who actually has read the code and understands the stuff he/she is talking about 

I just read the geli src briefly but haven't directly noticed anything that could negatively influence the consistency of ZFS on top of it.


----------



## inr (Jan 9, 2009)

killasmurf86 said:

> btw why do you need encryption?



The _need_ for it could probably be argued. In the end I guess it comes down to paranoia, well founded or not.



			
Maledictus said:

> Hmm, guesses are nice but I would be interested in the opinion of someone who actually has read the code and understands the stuff he/she is talking about
> 
> I just read the geli src briefly but haven't directly noticed anything that could negatively influence the consistency of ZFS on top of it.



Heh, yes, guesses aren't worth anything. I was just trying to explain my reasoning, which is based on nothing. I created this thread in hope that someone knowledgeable could provide a certain answer.


----------



## exscape (Sep 29, 2009)

I'm also very interested in knowing this, as I'm considering switching my fileserver from Linux to 8.0-STABLE. (I probably would have already if it wasn't for the fact that I just happen to have _data_ on the disks I need to repartition! Lots of it, too.)
Anyhow, I too might want to use full-disk encryption together with ZFS, and since the OpenSolaris zfs-crypto project seems to progress rather slowly, and GELI is available now...


----------



## hedwards (Oct 4, 2009)

I've never had any luck with GELI, I usually end up with data corruption. It could very well be something that I'm doing or not doing, but I've had a lot of trouble to the point where I won't even try anymore.

EDIT: But if you're going to be doing this, the GELI goes between the ZFS and the physical disk.


----------



## graudeejs (Oct 4, 2009)

I've been using GELI for more than a year. If there are any problems with it, then that's because it's ONLY my fault...

Using GELI+ZFS for some time now.... No problem at all


----------



## cachardra (Oct 5, 2009)

Hey killasmurf86, glad it works. I am actually starting to look at FreeBSD because I really want to get my data on ZFS, and OpenSolaris is just a resource HOG. I am currently using LUKS in Linux to encrypt LVM or DM RAID volumes. I want to do something similar with GELI and ZFS on top of it. Would you mind sharing the command lines you use to achieve your setup? I am new to FreeBSD and would really appreciate it.

Thanks mate,


----------

