# GELI-encrypted ZFS pools accessible without decryption?



## YtterbiumYAG (Feb 9, 2014)

Hello everybody,

I'm quite new to FreeBSD and I have a few questions on how to set up ZFS with GELI correctly. I am trying to find out how ZFS behaves after creating one or more pools and then mixing up the SATA connectors between the HDDs. Is it still possible to recreate a pool after that? How do I know which drive to change later when a pool degrades, and so on? So I played around with 4 HDDs, and before I mixed up the SATA cables I found another worrying thing: I have access to my pools even without decrypting and remounting the pools. So how is that possible?

Short story long: (Everything was done on a fresh FreeBSD 10 installation via an SSH client as a normal user, with sudo installed from the ports tree):

I did the following:

 labeling

```
# glabel label disc1 /dev/ada1
...
# glabel label disc4 /dev/ada4
```

 encryption

```
# geli init -b -l 256 -s 4096 /dev/label/disc1
...
# geli init -b -l 256 -s 4096 /dev/label/disc4
```

 create single disks (only for the moment, for some testing; later it will be a raidz1 of course)

```
# zpool create tank1 /dev/label/disc1.eli
...
# zpool create tank4 /dev/label/disc4.eli
```

 now I mounted tank1 - tank4 at /mnt/tank1 - /mnt/tank4

```
# zfs set mountpoint=/mnt/tank1 tank1
...
# zfs set mountpoint=/mnt/tank4 tank4
```

 after that I copied files containing the S/N of the HDDs to each of the tanks (to check reimported discs after physically changing the SATA ports later)

```
# echo "SN of the drive" > /mnt/tank1/file1
...
# echo "SN of the drive" > /mnt/tank4/file4
```

 now I exported the pools and detached the disks with geli

```
# zpool export tank1
# geli detach /dev/label/disc1
...
# zpool export tank4
# geli detach /dev/label/disc4
```

 I powered the system off and on again without changing anything (SATA ports are still the same). Before decrypting and reimporting the disks I did an `ls /mnt`, expecting to see an empty folder, but instead I can see tank1 - tank4 listed, and I can also do `cat /mnt/file` and read the serial numbers of the drives I put on it earlier, but I had *not* yet attached the drives with geli and had *not* yet reimported the pools with `zfs import tank1 - 4`.

How is this possible? Why do I have access to the pools and their content without decrypting the disks and reimporting the pool first? I feel a little uneasy now about whether this could happen to the raidz1 later too. Did I make some stupid beginner mistake? How can I solve this issue?

Thanks for help
Y-YAG
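
As an added defender's check (not part of this thread and not a FreeBSD tool): a small sh script that confirms the GELI provider is ACTIVE and that the target directory really is a mounted ZFS dataset before anything is written there. If the dataset is not mounted, a write to `/mnt/tank1/file1` lands in the plain directory on the unencrypted root filesystem, which is one way such files can remain readable after a reboot with nothing attached. The sample outputs are constructed in the column layout of FreeBSD's `geli status` and `mount`; the provider and path names are assumptions.

```shell
#!/bin/sh
# Preflight check for a GELI-backed ZFS mountpoint (added example, not the
# thread's own commands). Each check parses command output passed as text so
# it can be exercised offline with constructed samples.

# Constructed sample in the column layout of FreeBSD's `geli status`.
SAMPLE_GELI_STATUS='        Name  Status  Components
label/disc1.eli  ACTIVE  label/disc1
label/disc2.eli  ACTIVE  label/disc2'

# Constructed sample in the layout of FreeBSD's `mount`; tank2 is not imported.
SAMPLE_MOUNT='zroot/ROOT/default on / (zfs, local, noatime, nfsv4acls)
tank1 on /mnt/tank1 (zfs, local, nfsv4acls)'

# geli_attached STATUS_TEXT PROVIDER -> 0 if PROVIDER is listed as ACTIVE
geli_attached() {
    printf '%s\n' "$1" | awk -v p="$2" \
        '$1 == p && $2 == "ACTIVE" { found = 1 } END { exit !found }'
}

# zfs_mounted MOUNT_TEXT PATH -> 0 if PATH is a mount point of type zfs
zfs_mounted() {
    printf '%s\n' "$1" | awk -v m="$2" \
        '$2 == "on" && $3 == m && $4 == "(zfs," { found = 1 } END { exit !found }'
}

# pool_ready STATUS_TEXT MOUNT_TEXT PROVIDER PATH -> 0 only if both checks pass
pool_ready() {
    geli_attached "$1" "$3" && zfs_mounted "$2" "$4"
}

# Live variant for a real FreeBSD host: check_live label/disc1.eli /mnt/tank1
check_live() {
    pool_ready "$(geli status 2>/dev/null)" "$(mount)" "$1" "$2"
}
```

Run `check_live label/disc1.eli /mnt/tank1 && echo "SN" > /mnt/tank1/file1` so the write only happens when the encrypted dataset is actually mounted there.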


----------



## worldi (Feb 10, 2014)

Did you skip the `geli attach` part?


----------



## YtterbiumYAG (Feb 16, 2014)

Actually this was the mistake.

Thanks.
yyag


----------

