# Can I encrypt an existing zpool with geli?



## thegolum35 (Feb 6, 2013)

Hi,

I am interested in encrypting my zpool but I have no idea of the way I could do so.

Here is my GPT scheme:

```
Antonin# gpart show
=>       34  488397101  ada0  GPT  (232G)
         34        128     1  freebsd-boot  (64k)
        162    2097152     2  freebsd-ufs  (1.0G)
    2097314    4194304     3  freebsd-swap  (2.0G)
    6291618    4194304     4  freebsd-ufs  (2.0G)
   10485922   73400320     5  freebsd-ufs  (35G)
   83886242    2097152     6  freebsd-ufs  (1.0G)
   85983394  400556032     7  freebsd-zfs  (191G)
  486539426    1857709        - free -  (907M)

Antonin# mount
/dev/ada0p2 on / (ufs, local, journaled soft-updates)
devfs on /dev (devfs, local, multilabel)
/dev/ada0p4 on /var (ufs, local, journaled soft-updates)
/dev/ada0p5 on /usr (ufs, local, journaled soft-updates)
/dev/ada0p6 on /tmp (ufs, local, journaled soft-updates)
home on /usr/home (zfs, local, nfsv4acls)
home/compressed on /usr/home/compressed (zfs, local, nfsv4acls)
```

I guess I have to init geli on /dev/ada0p7 but I get:

```
geli: Cannot store metadata on /dev/ada0p7: Operation not permitted.
```

Thank you.


----------



## SirDice (Feb 6, 2013)

It's most likely mounted. Also keep in mind that enabling geli will destroy anything that's on there. It's not an 'in-place' encryption.


----------



## Crivens (Feb 7, 2013)

SirDice is right, do not enable geli on partitions which contain data.

You could (wild idea!) do a kind-of in-place geli iff your pool would have raid functionality. That would mean to offline one disk at a time, wipe it, geli it, re-add it. After the resilver is complete, do the next one. It may work, but then, I would not do it that way if there is another way.


----------



## bbzz (Feb 7, 2013)

That's what I did with mirror vdevs + one spare.

Attach extra disk to 2-mirror vdev encrypted, resilver. Detach another one, encrypt, resilver. Take out 3rd one and add to another vdev, repeat. 

Given they were mirrors it wasn't that bad time wise.


----------



## xibo (Feb 7, 2013)

GELI adds metadata to a disk and therefore reduces the number of blocks available to the zpool AFAIK.

Therefore you would need to move the contents of the original zpool by hand (i.e. cp/cpio/rsync/...) to a newly created and slightly smaller zpool created on the geli device instead of re-adding the geli device to the original zpool, and once completed, destroy the original pool, setup geli on the remaining devices and add them to the new pool.


----------



## bbzz (Feb 7, 2013)

xibo said:

> GELI adds metadata to a disk and therefore reduces the number of blocks available to the zpool AFAIK.
> 
> Therefore you would need to move the contents of the original zpool by hand (i.e. cp/cpio/rsync/...) to a newly created and slightly smaller zpool created on the geli device instead of re-adding the geli device to the original zpool, and once completed, destroy the original pool, setup geli on the remaining devices and add them to the new pool.



ZFS can tolerate small differences in size between two disks/partitions, so above is not really needed.

I did what I said without any problems.


----------
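The one-disk-at-a-time rotation Crivens describes, and bbzz's variant that keeps a spare attached so the mirror never drops below two copies, written out as an added example; this is not code posted in the thread. The pool name `tank`, the spare provider `/dev/ada9p1`, the key file `/root/zfs.key` and the member device names are placeholders, and the script only prints the commands unless `DRY_RUN=0` is set.

```shell
#!/bin/sh
# Added example, not code from this thread. Rotates the members of one ZFS
# mirror vdev through geli one disk at a time while keeping redundancy: a
# spare provider is wrapped and attached first (3-way mirror), then each
# plain member is detached, wrapped and re-attached. Every geli init wipes
# the provider it is run on. Pool, device and key-file names are placeholders.
# DRY_RUN=1 (the default) prints the commands instead of executing them.
set -eu

DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# Wrap a raw provider with geli and attach it as <provider>.eli.
# geli init prompts for a passphrase; -K adds a key file, -b attaches at boot.
geli_wrap() {
    run geli init -b -K "$2" "$1"
    run geli attach -k "$2" "$1"
}

# Block until 'zpool status' no longer reports a resilver for pool $1.
wait_resilver() {
    if [ "$DRY_RUN" = 1 ]; then return 0; fi
    while zpool status "$1" | grep -q 'resilver in progress'; do sleep 30; done
}

# rotate_mirror POOL SPARE KEYFILE MEMBER...
# MEMBERs are the unencrypted providers of one mirror vdev in POOL.
rotate_mirror() {
    pool=$1; spare=$2; keyfile=$3; shift 3
    geli_wrap "$spare" "$keyfile"
    run zpool attach "$pool" "$1" "$spare.eli"      # now a 3-way mirror
    wait_resilver "$pool"
    for member in "$@"; do
        run zpool detach "$pool" "$member"           # two good copies remain
        geli_wrap "$member" "$keyfile"
        run zpool attach "$pool" "$spare.eli" "$member.eli"
        wait_resilver "$pool"
    done
    # The spare now carries an encrypted copy: detach it here if it is
    # needed for the next vdev, otherwise keep it as a third member.
}
```

The passphrase prompts from `geli init` and `geli attach` are interactive, so the key file must exist and `geom_eli` must be loaded before running with `DRY_RUN=0`.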

