# How does disk resilvering work with a geli-encrypted zfs installation?



## puppyboy (Apr 17, 2021)

I saw that 13.0-RELEASE came out and so I decided to take the opportunity to move my server from CentOS back to FreeBSD (I was previously a longtime user of FreeBSD but I switched a while back for reasons I can't quite remember).

I decided during installation that I would like to encrypt my disks, which is not something I normally do with a server. I have 8 disks in a single raidz2 ZFS pool, using the default options with root on ZFS.

Something that seems like it may be a problem though, is what happens when I need to replace a failed disk. Do I just insert the disk and run a zfs replace like normal, and everything happens automatically? Or do additional steps need to be taken to ensure the new disk is encrypted properly like the others?

I couldn't find anything with Google but it seems like this is potentially going to be a problem for me down the road, so I thought I'd ask before it happens.


----------



## zirias@ (Apr 17, 2021)

From ZFS' perspective, this is a normal unencrypted pool, just using `.eli` devices. So, before you `zfs replace`, just run the appropriate `geli init` and `geli attach` to provide the new `.eli` device.
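The order zirias@ gives (geli init, geli attach, then replace the old `.eli` vdev with the new one), written out as a dry-run shell script. This is an added example, not code from the thread; pool name `zroot`, the bsdinstall BIOS layout (freebsd-boot at index 1, freebsd-zfs at index 4), AES-XTS/256-bit/4096-byte sectors, and disk names `da0`..`da8` are assumptions to confirm with `gpart show` and `geli list` on a surviving member.

```sh
#!/bin/sh
# Replacing a failed member of a geli-backed raidz2 pool, in the order the
# thread gives: geli init, geli attach, then zpool replace with the .eli device.
# Everything below is an assumption to verify on the real system with
# `gpart show da0` and `geli list da0p4.eli`: pool name zroot, the bsdinstall
# BIOS layout (freebsd-boot index 1, freebsd-zfs index 4), AES-XTS/256/4096.
set -e

POOL=${POOL:-zroot}
BOOT_IDX=${BOOT_IDX:-1}
ZFS_IDX=${ZFS_IDX:-4}
DRY_RUN=${DRY_RUN:-1}   # 1 prints the commands; DRY_RUN=0 executes them

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# replace_geli_member NEW_DISK FAILED_VDEV HEALTHY_DISK
#   NEW_DISK     bare replacement disk, e.g. da8
#   FAILED_VDEV  the vdev name zpool status shows as FAULTED, e.g. da7p4.eli
#   HEALTHY_DISK a surviving member whose partition table is cloned, e.g. da0
replace_geli_member() {
    new_disk=$1; failed_vdev=$2; healthy_disk=$3
    new_part="${new_disk}p${ZFS_IDX}"
    # 1. Same partition layout as the survivors.
    run sh -c "gpart backup $healthy_disk | gpart restore -F $new_disk"
    # 2. Boot code, so the box still boots if this disk ends up first in BIOS order.
    run gpart bootcode -b /boot/pmbr -p /boot/gptzfsboot -i "$BOOT_IDX" "$new_disk"
    # 3. geli init with parameters matching the survivors; -b attaches at boot,
    #    -g lets the loader unlock it. Prompts for the passphrase when run for real.
    run geli init -bg -e AES-XTS -l 256 -s 4096 "$new_part"
    # 4. Attach: /dev/${new_part}.eli appears (prompts for the passphrase again).
    run geli attach "$new_part"
    # 5. Hand ZFS the .eli provider, never the bare partition, otherwise the new
    #    member would hold plaintext. Resilvering starts automatically.
    run zpool replace "$POOL" "$failed_vdev" "${new_part}.eli"
    run zpool status "$POOL"
}
```

Run it once with the default `DRY_RUN=1` and compare the printed commands against `gpart show` and `geli list` output before setting `DRY_RUN=0`.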


----------



## mtu (Apr 17, 2021)

FreeBSD 13.0 comes with OpenZFS 2.0, which has native built-in encryption. If you use that instead of geli, you won't get the same full metadata protection, but your pool will be interoperable with Linux (which is impossible with geli), adding/replacing disks will be less of a headache, and you can send "pre-encrypted" datasets into other pools.


----------



## zirias@ (Apr 17, 2021)

mtu, you forgot one drawback: FreeBSD can't boot from a zfs-encrypted root dataset. But apart from that, yes, those are more or less the tradeoffs.


----------



## _martin (Apr 17, 2021)

As an alternative solution you could partition all disks and use partitions of those disks to split it into two pools - rpool and data (encrypted).


----------



## rootbert (Apr 18, 2021)

mtu said:


> FreeBSD 13.0 comes with OpenZFS 2.0, which has native built-in encryption. If you use that instead of geli, you won't get the same full metadata protection, but your pool will be interoperable with Linux (which is impossible with geli), adding/replacing disks will be less of a headache, and you can send "pre-encrypted" datasets into other pools.


There are still some quirks with ZFS encryption ... see my mailing list post at https://marc.info/?l=freebsd-fs&m=161450464315911&w=2

Also note: for performance, geli is a much better solution than native encryption.


----------

