FreeBSD encrypted ZFS guide (GELI-backed mirror with a key file in /boot)
First time setup
Run this in a root shell:
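# First-time setup: partition and label both data disks, wrap each in GELI
# with one shared key file, then build a ZFS mirror on the decrypted (.eli)
# providers.
# Threat model: the key is stored unencrypted under /boot on the boot disk, so
# this protects ada1/ada2 only when they are separated from the boot disk
# (e.g. a failed drive sent for RMA); it does not protect against theft of the
# whole machine. Keep an off-box copy of the key: without it the pool is gone.
gpart create -s gpt ada1
gpart create -s gpt ada2
gpart add -t freebsd-zfs -l ada1-vol0 ada1
gpart add -t freebsd-zfs -l ada2-vol0 ada2
# The key directory and file must not be world-readable. dd would otherwise
# create the file 0644 under the default umask; the umask in the subshell
# closes that window and the chmod makes the intended mode explicit.
mkdir -m 700 /boot/keys
( umask 077 && dd if=/dev/random of=/boot/keys/maria.key bs=4096 count=1 )
chmod 600 /boot/keys/maria.key
# -P: no passphrase, key file only (required for unattended boot);
# -l 256: 256-bit key length for geli's default cipher; -K: the key file.
geli init -l 256 -P -K /boot/keys/maria.key /dev/gpt/ada1-vol0
geli init -l 256 -P -K /boot/keys/maria.key /dev/gpt/ada2-vol0
geli attach -p -k /boot/keys/maria.key /dev/gpt/ada1-vol0
geli attach -p -k /boot/keys/maria.key /dev/gpt/ada2-vol0
geli status
# The pool must be built on the .eli devices; giving zpool the raw gpt/
# providers would store data unencrypted.
zpool create tank mirror gpt/ada1-vol0.eli gpt/ada2-vol0.eli
zpool list
zpool status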
Recover from drive failure
Run this in a root shell:
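# Replace a failed mirror member. name is the new disk; old is the failed
# member exactly as `zpool status` lists it (device name or GUID).
# If the new disk already carries a partition table, gpart create will
# refuse to run; wipe it first (gpart destroy -F) after double-checking
# you have the right disk.
name="ada2"
old="<old drive>"
gpart create -s gpt "$name"
gpart add -t freebsd-zfs -l "${name}-vol0" "$name"
# Same key file as the first-time setup, so the rc.d service can attach it.
geli init -l 256 -P -K /boot/keys/maria.key "/dev/gpt/${name}-vol0"
geli attach -p -k /boot/keys/maria.key "/dev/gpt/${name}-vol0"
geli status
# Resilver onto the decrypted .eli provider, not the raw disk: passing
# "$name" here would rebuild the mirror onto an unencrypted device.
zpool replace tank "$old" "gpt/${name}-vol0.eli"
# Watch the resilver finish before trusting redundancy again.
zpool status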
zfs_crypt service
File contents of /usr/local/etc/rc.d/zfs_crypt (make the file executable and enable the service with zfs_crypt_enable="YES" in /etc/rc.conf):
#!/bin/sh
# rc.d service: attaches the GELI providers backing the ZFS pool "tank" using
# the key file in /boot/keys, then imports the pool. Enabled by setting
# zfs_crypt_enable="YES" in /etc/rc.conf (see rcvar below).
# PROVIDE: zfs_crypt
# BEFORE: LOGIN
# NOTE(review): no dependency line is given, so rcorder only guarantees this
# runs before LOGIN; confirm on the target system that the disks and /boot are
# available by the time it runs.
. /etc/rc.subr
name="zfs_crypt"
rcvar="${name}_enable"
start_cmd="${name}_start"
# Nothing to do on stop: the pool stays imported and the providers attached.
stop_cmd=":"
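# Attach every GELI provider backing the pool, then import it.
# A failed attach is reported through rc.subr's warn() instead of being
# silently ignored; the import is still attempted so that a mirror with one
# working member comes up degraded rather than not at all. A failed import is
# reported the same way.
zfs_crypt_start()
{
	local key prov
	key="/boot/keys/maria.key"
	echo "Unlocking encrypted devices"
	for prov in /dev/gpt/ada1-vol0 /dev/gpt/ada2-vol0; do
		if ! geli attach -p -k "$key" "$prov"; then
			warn "geli attach failed for $prov"
		fi
	done
	echo "Importing zfs"
	if ! zpool import tank; then
		warn "zpool import tank failed"
	fi
}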
# Read zfs_crypt_* settings from rc.conf(5), then dispatch the requested
# action (start/stop/status/...) to the *_cmd variables above.
load_rc_config $name
run_rc_command "$1"