# 10.0-BETA3, adding a second encrypted mirror, am I doing this correctly?



## Mikael (Nov 11, 2013)

Hi,

First of all, the new bsdinstall(8) is great! Setting up a new system with ZFS and geli(8) is so simple.

So I'm trying this out in VirtualBox, the plan is to build a fully encrypted workstation with two ZFS mirrors (2xSSD and 2xHDD). I'm learning ZFS and GELI as I go.

*During installation, creating the zroot encrypted mirror:*


```
┌────────────────ZFS Configuration───────────────────┐
│ Configure Options:                                 │
│ ┌────────────────────────────────────────────────┐ │
│ │ >>> Install          Proceed with Installation │ │
│ │ - Rescan Devices     *                         │ │
│ │ - Disk Info          *                         │ │
│ │ 1 Pool Name          zroot                     │ │
│ │ 2 Disks To Use       ada0 ada1                 │ │
│ │ 3 ZFS VDev Type      mirror                    │ │
│ │ 4 Force 4K Sectors?  YES                       │ │
│ │ 5 Encrypt Disks?     YES                       │ │
│ │ 6 Partition Scheme   GPT                       │ │
│ │ 7 Swap Size          2g                        │ │
│ └────────────────────────────────────────────────┘ │
├────────────────────────────────────────────────────┤
│             <Select>       <Cancel>                │
└────────────────────────────────────────────────────┘
```

*Post install, adding the second encrypted mirror:*

Make sure /boot is mounted and view the contents of /boot/loader.conf:
`# zpool import bootpool`
`# cat /boot/loader.conf`

```
geli_ada0p3_keyfile0_load="YES"
geli_ada0p3_keyfile0_type="ada0p3:geli_keyfile0"
geli_ada0p3_keyfile0_name="/boot/encryption.key"
geli_ada1p3_keyfile0_load="YES"
geli_ada1p3_keyfile0_type="ada1p3:geli_keyfile0"
geli_ada1p3_keyfile0_name="/boot/encryption.key"
aesni_load="YES"
geom_eli_load="YES"
vfs.root.mountfrom="zfs:zroot/bootenv/default"
zfs_load="YES"
zpool_cache_load="YES"
zpool_cache_type="/boot/zfs/zpool.cache"
zpool_cache_name="/boot/zfs/zpool.cache"
```

Show partitions and devices:
`# gpart show`

```
=>      34  20971453  ada0  GPT  (10G)
        34      1024     1  freebsd-boot  (512K)
      1058       990        - free -  (495K)
      2048   4194304     2  freebsd-zfs  (2.0G)
   4196352  12582912     3  freebsd-zfs  (6.0G)
  16779264   4190208     4  freebsd-swap  (2.0G)
  20969472      2015        - free -  (1.0M)

=>      34  20971453  ada1  GPT  (10G)
        34      1024     1  freebsd-boot  (512K)
      1058       990        - free -  (495K)
      2048   4194304     2  freebsd-zfs  (2.0G)
   4196352  12582912     3  freebsd-zfs  (6.0G)
  16779264   4190208     4  freebsd-swap  (2.0G)
  20969472      2015        - free -  (1.0M)
```

`# camcontrol devlist`

```
<VBOX CD-ROM 1.0>                  at scbus1 target 0 lun 0 (cd0,pass0)
<VBOX HARDDISK 1.0>                at scbus2 target 0 lun 0 (ada0,pass1)
<VBOX HARDDISK 1.0>                at scbus3 target 0 lun 0 (ada1,pass2)
<VBOX HARDDISK 1.0>                at scbus4 target 0 lun 0 (ada2,pass3)
<VBOX HARDDISK 1.0>                at scbus5 target 0 lun 0 (ada3,pass4)
```

Create a new GPT partitioning scheme on ada2 and ada3: 
`# gpart create -s gpt ada2`
`# gpart create -s gpt ada3`

Create a new single ZFS partition on each device (will take up all the available space on each drive):
`# gpart add -t freebsd-zfs ada2`
`# gpart add -t freebsd-zfs ada3`

Initialize two new GELI providers, reusing the key file created during installation:
`# geli init -B /boot/ada2p1.eli -e AES-XTS -K /boot/encryption.key -l 256 -s 4096 /dev/ada2p1`

```
Enter new passphrase:
Reenter new passphrase:

Metadata backup can be found in /boot/ada2p1.eli and
can be restored with the following command:

    # geli restore /boot/ada2p1.eli /dev/ada2p1
```

`# geli init -B /boot/ada3p1.eli -e AES-XTS -K /boot/encryption.key -l 256 -s 4096 /dev/ada3p1`

```
Enter new passphrase:
Reenter new passphrase:

Metadata backup can be found in /boot/ada3p1.eli and
can be restored with the following command:

    # geli restore /boot/ada3p1.eli /dev/ada3p1
```

Attach the providers, enter the passphrase for each:
`# geli attach -k /boot/encryption.key /dev/ada2p1`
`# geli attach -k /boot/encryption.key /dev/ada3p1`

Create the new zpool mirror named "tank1":
`# zpool create tank1 mirror /dev/ada2p1.eli /dev/ada3p1.eli`

Add the following new lines to /boot/loader.conf:

```
geli_ada2p1_keyfile0_load="YES"
geli_ada2p1_keyfile0_type="ada2p1:geli_keyfile0"
geli_ada2p1_keyfile0_name="/boot/encryption.key"
geli_ada3p1_keyfile0_load="YES"
geli_ada3p1_keyfile0_type="ada3p1:geli_keyfile0"
geli_ada3p1_keyfile0_name="/boot/encryption.key"
```

Export bootpool (unmounting /boot):
`# zpool export bootpool`

And finally, reboot to see if everything is working:
`# reboot`

During boot FreeBSD asks for the passphrase four times, as it should, and the new zpool "tank1" is mounted. So everything seems to be working.

Like I said in the beginning, I'm new to both ZFS and GELI. Am I doing this correctly? Is it a mistake to reuse the existing key file?

Thanks,
Mikael
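A small consistency check for the /boot/loader.conf step in the procedure above, added here as an example; it is not part of Mikael's post or of FreeBSD's own tooling. It generates the three-line stanza for one GELI provider in the format the post shows, and then scans a loader.conf for the mistake that most often leaves an encrypted pool unattached at boot: a `geli_<prov>_keyfile0_type` value whose provider name does not match the variable name, or a provider whose `_name` line is missing. The function names `geli_loader_stanza` and `check_geli_loader_conf`, and the two sample files built from the post's own ada2p1/ada3p1 stanzas (one of them deliberately mistyped), are my own constructions.

```shell
#!/bin/sh
# Added example, not from the original post: build and sanity-check the
# geli_*_keyfile0_* stanzas that bsdinstall and the post put in
# /boot/loader.conf.

# Print the three loader.conf lines for provider $1 using key file $2
# (same layout as the stanzas bsdinstall wrote for ada0p3/ada1p3).
geli_loader_stanza() {
    prov=$1
    keyfile=$2
    printf 'geli_%s_keyfile0_load="YES"\n' "$prov"
    printf 'geli_%s_keyfile0_type="%s:geli_keyfile0"\n' "$prov" "$prov"
    printf 'geli_%s_keyfile0_name="%s"\n' "$prov" "$keyfile"
}

# Check every provider that has a geli_<prov>_keyfile0_load="YES" line in
# file $1.  Returns 0 when each such provider also has a _type line whose
# value is "<prov>:geli_keyfile0" and a non-empty _name line; prints a
# diagnostic on stderr and returns 1 otherwise.
check_geli_loader_conf() {
    conf=$1
    rc=0
    provs=$(sed -n 's/^geli_\(.*\)_keyfile0_load="YES"$/\1/p' "$conf")
    for prov in $provs; do
        type_val=$(sed -n "s/^geli_${prov}_keyfile0_type=\"\(.*\)\"$/\1/p" "$conf")
        name_val=$(sed -n "s/^geli_${prov}_keyfile0_name=\"\(.*\)\"$/\1/p" "$conf")
        if [ "$type_val" != "${prov}:geli_keyfile0" ]; then
            echo "$prov: keyfile0_type is '$type_val', expected '${prov}:geli_keyfile0'" >&2
            rc=1
        fi
        if [ -z "$name_val" ]; then
            echo "$prov: missing keyfile0_name line" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample input: the stanzas the post adds for ada2p1 and ada3p1,
# and a second copy where the ada3p1 _type value wrongly names ada2p1
# (a copy-and-paste slip that the check is meant to catch).
good_conf=$(mktemp)
bad_conf=$(mktemp)
{
    geli_loader_stanza ada2p1 /boot/encryption.key
    geli_loader_stanza ada3p1 /boot/encryption.key
} > "$good_conf"
{
    geli_loader_stanza ada2p1 /boot/encryption.key
    geli_loader_stanza ada3p1 /boot/encryption.key |
        sed 's/ada3p1:geli_keyfile0/ada2p1:geli_keyfile0/'
} > "$bad_conf"

# Stand-alone demonstration: the well-formed file passes, the mistyped one
# is rejected with a diagnostic.  The temp files are left for inspection.
if check_geli_loader_conf "$good_conf"; then echo "$good_conf: consistent"; fi
if ! check_geli_loader_conf "$bad_conf"; then echo "$bad_conf: rejected"; fi
```

On a real system the check would be run against the live file after `zpool import bootpool`, as `check_geli_loader_conf /boot/loader.conf`, before exporting bootpool and rebooting; it only parses the file and never touches the providers or the key file.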


----------

