# Encrypt a large zpool?



## rainer_d (Apr 14, 2014)

Hi.

Is it advisable (and practical) to encrypt (via geli?) a large (6T) ZFS pool consisting of twelve disks in two RAIDz2s?
The pool should still be fully manageable, e.g. it should be possible to add disks (in RAIDz2-chunks of course) to it.

All the tutorials I saw deal with semi-static setups like boot-disks etc.


Thanks in advance


----------



## _martin (Apr 14, 2014)

I have used a partially encrypted pool since Jan 2013 and have not yet found any issue related to the encryption itself. I have a 12TB raidz2 pool, in which I have a 5TB zvol that is a provider for geli (which is used in a pool again). Recently I hit an issue with the zvol blocksize: Thread 45814

But that was a problem on my end from the beginning. I do have the HW encryption support on board/CPU.


----------



## rainer_d (Apr 14, 2014)

Hi,

so, I understand it's doable?
Do I have to create the encrypted pool on top of the un-encrypted pool, like a TrueCrypt image?

What does the hardware encryption support look like in practice?
Do you use a 3rd-party card?


----------



## _martin (Apr 14, 2014)

Doable and usable too. If you want to encrypt the whole pool, you can create the geli provider first on the whole disk and put that (the geli provider) into the zpool as a vdev. If 4K disks are used, extra attention should be paid to keeping the proper alignment.

I use Intel's S1200BT board. Look at it in ARK: http://ark.intel.com/products/53558/ - scroll down to the Data Protection table (AES) at the end.
The same goes for the CPU: http://ark.intel.com/products/65730/Intel-Xeon-Processor-E3-1240-v2-8M-Cache-3_40-GHz

So no, I don't use any 3rd-party card for HW encryption support. Once you create the geli provider, it will also announce itself in dmesg:


```
GEOM_ELI: Device zvol/geli/crypto.eli created.
GEOM_ELI: Encryption: AES-CBC 128
GEOM_ELI:     Crypto: hardware
```
If you don't have HW support (or the proper kernel module was not loaded/included in the kernel), software will take over.

If you are tempted to go with AES-256, look at this article first: https://www.schneier.com/blog/archives/2009/07/another_new_aes.html .
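The two layouts discussed in this thread, scripted as an added example that is not from any poster: the whole-disk geli-provider-per-vdev approach from the reply above (with the 4K alignment handled by giving geli a 4096-byte sector size, so ZFS chooses ashift=12 by itself), and the zvol-as-geli-provider variant from the first reply. Everything concrete is an assumption for illustration: disk names da0..da11, pool name `tank`, key file `/root/tank.key`, the dataset path under the pool, AES-XTS with a 128-bit key (the dmesg output above shows AES-CBC 128), and six disks per raidz2 vdev. `aesni(4)` is the FreeBSD driver that provides the "Crypto: hardware" path. With `RUN=echo` (the default) the script only prints the commands it would run; set `RUN=` to execute them.

```sh
#!/bin/sh
# Added example (not from the thread): build a geli-encrypted raidz2 pool as
# described above, plus the zvol-backed variant from the first reply.
# Assumed names: disks da0..da11, pool "tank", key file /root/tank.key.
# RUN=echo (the default) only prints each command; run with RUN= to execute.
set -eu

RUN="${RUN:-echo}"
POOL="${POOL:-tank}"
KEYFILE="${KEYFILE:-/root/tank.key}"
DISKS="${DISKS:-da0 da1 da2 da3 da4 da5 da6 da7 da8 da9 da10 da11}"
WIDTH=6   # disks per raidz2 vdev: two vdevs for twelve disks

# aesni(4) is the kernel driver that makes GEOM_ELI report "Crypto: hardware";
# without it the software path is used (slower, functionally the same).
# aesni_load="YES" in /boot/loader.conf makes this permanent.
load_aesni() {
    kldstat -q -m aesni 2>/dev/null || $RUN kldload aesni
}

# A random key file that geli combines with the passphrase it prompts for.
make_keyfile() {
    $RUN dd if=/dev/random of="$KEYFILE" bs=64 count=1
    $RUN chmod 600 "$KEYFILE"
}

# Encrypt each whole disk. -s 4096 makes the .eli provider report 4K sectors,
# so ZFS picks ashift=12 on its own (the alignment point raised above).
# -B keeps a copy of the metadata sector; without it a damaged sector makes
# the disk unrecoverable.
geli_init_all() {
    for d in $DISKS; do
        $RUN geli init -e AES-XTS -l 128 -s 4096 -K "$KEYFILE" \
            -B "/root/${d}.eli.bak" "/dev/$d"
    done
}

geli_attach_all() {
    for d in $DISKS; do
        $RUN geli attach -k "$KEYFILE" "/dev/$d"
    done
}

# Group the .eli providers into raidz2 vdevs of WIDTH disks each.
raidz2_vdev_spec() {
    n=0
    spec=""
    for d in $DISKS; do
        [ $((n % WIDTH)) -eq 0 ] && spec="$spec raidz2"
        spec="$spec /dev/${d}.eli"
        n=$((n + 1))
    done
    printf '%s\n' "${spec# }"
}

create_pool() {
    # word splitting of the vdev spec is intended
    $RUN zpool create "$POOL" $(raidz2_vdev_spec)
}

# Growing the pool later: repeat the geli steps for the new disks, then add
# them as one more raidz2 vdev (the "RAIDz2 chunks" asked about in the question).
add_raidz2() {
    spec=""
    for d in "$@"; do spec="$spec /dev/${d}.eli"; done
    $RUN zpool add "$POOL" raidz2 ${spec# }
}

# Verify the alignment took: zdb -C prints the pool config; ashift must be 12.
check_ashift() {
    $RUN zdb -C "$POOL"
}

# Variant from the first reply: a zvol inside a plain pool is the geli provider,
# and a separate pool sits on the .eli device. Set volblocksize deliberately
# (the first reply mentions hitting a zvol blocksize problem); the dataset
# path and sizes are assumptions.
zvol_geli_variant() {
    $RUN zfs create -p -o volblocksize=16K -V 5T "$POOL/geli/crypto"
    $RUN geli init -e AES-XTS -l 128 -s 4096 "/dev/zvol/$POOL/geli/crypto"
    $RUN geli attach "/dev/zvol/$POOL/geli/crypto"
    $RUN zpool create crypt "/dev/zvol/$POOL/geli/crypto.eli"
}

load_aesni
make_keyfile
geli_init_all
geli_attach_all
create_pool
check_ashift
```

Because every disk is its own geli provider, losing the key file or passphrase loses the whole pool, so the `-B` backup files and the key file need to live somewhere other than the pool they protect. The dmesg lines quoted above are the place to confirm that the hardware path was actually taken after `geli attach`.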


----------

