Date:      Fri, 1 May 2009 21:02:46 +1000
From:      ghostcorps <ghostcorps@gmail.com>
To:        Roland Smith <rsmith@xs4all.nl>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: Can i add a new HDD to an encrypted array?
Message-ID:  <4c06024b0905010402r77141b0dwd783f56b55f7afb5@mail.gmail.com>
In-Reply-To: <20090501095305.GA91771@slackbox.xs4all.nl>
References:  <4c06024b0905010112m42cbd2a5m9474aa86c003fb0@mail.gmail.com> <20090501095305.GA91771@slackbox.xs4all.nl>

Thanks Roland,

 You have confirmed my worst fears. One thing though, apparently MatrixRAID
is a 'Firmware RAID' system as opposed to hard or software. I don't quite
know how that would affect anything but that's all I can say really. It
looks like I'm buying some more disks.

http://en.wikipedia.org/wiki/Intel_Matrix_RAID

Regards



On Fri, May 1, 2009 at 7:53 PM, Roland Smith <rsmith@xs4all.nl> wrote:

> On Fri, May 01, 2009 at 06:12:42PM +1000, ghostcorps wrote:
> > Hi Guys,
> >
> >  This seems like a really basic question, I expect a simple 'no', but I
> > haven't found anything definitive yet.
> >
> >  I currently have a hardware RAID5 array, using the Intel Matrix RAID
> > capability onboard, encrypted with GELI.
>
> According to ataraid(4), Intel MatrixRAID is software RAID, not real
> hardware RAID.
>
> > I need to add 2 new discs to the array. If I add a disc to the array and
> > have it rebuilt with the Intel Matrix Storage Manager, prior to booting
> > FreeBSD will that destroy the encrypted data?
>
> In short, no.
>
> The long answer is that the raid array functions at a level below GELI
> which in turn is below the filesystem layer. GELI writes its metadata in
> the last sector of the device, and the ffs(7) filesystem records the
> size of the underlying device at creation time.
>
> Adding the two disks will make the array larger. The metadata for geli
> will probably not be on the last sector anymore, so geli will not
> recognize the enlarged device.
>
> So you'll have to save your data elsewhere, put in the extra disks,
> recreate the array, re-initialize and attach the geli device for the new
> array and newfs(8) the new geli device.
>
> >  If so, how can I decrypt the disk without copying the data to another
> > partition?
>
> There are no tools for that at this time, although it should be feasible
> by reading a (multiple of) block(s) from the geli device and then
> writing it to the non-encrypted device. Note that whenever you write a
> block to the unencrypted device, the contents of that block on the geli
> device become gibberish! So you'll have to do the whole device, unless
> you can beforehand make a list of all the blocks that are in use by the
> filesystem. And if even a single block failed in transit, you're
> potentially screwed.
>
> And even if you could perform this in-place decryption, you should make
> a full backup anyway in case the procedure goes horribly wrong, which is
> always a possibility. :-)
>
> If you want to decrypt the device in place because you don't have enough
> backup capacity to store the contents of your raid array, you're already
> in trouble even if you don't know it yet. What will you do if your RAID5
> fails?
>
> Roland
> --
> R.F.Smith                                   http://www.xs4all.nl/~rsmith/
> [plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
> pgp: 1A2B 477F 9970 BA3C 2914  B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
>

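Added example (not part of either e-mail, and not FreeBSD code): Roland's point that GELI looks for its metadata in the last sector, so an enlarged device is no longer recognised, reproduced on a constructed image file. Assumptions: 512-byte sectors, growth that appends space without moving existing sectors, a stand-in metadata sector that carries only GELI's `GEOM::ELI` magic, and hypothetical helper names.

```python
import os
import tempfile

SECTOR = 512          # assumed sector size for the constructed image
MAGIC = b"GEOM::ELI"  # magic string at the start of GELI's metadata sector


def last_sector_has_metadata(path, sector=SECTOR):
    """Probe only the last sector, which is where GELI expects its metadata."""
    size = os.path.getsize(path)
    with open(path, "rb") as f:
        f.seek(size - sector)
        return f.read(len(MAGIC)) == MAGIC


def find_metadata_sector(path, sector=SECTOR):
    """Scan backwards from the end; return the index of the sector that
    starts with the magic, or None if no sector does."""
    total = os.path.getsize(path) // sector
    with open(path, "rb") as f:
        for idx in range(total - 1, -1, -1):
            f.seek(idx * sector)
            if f.read(len(MAGIC)) == MAGIC:
                return idx
    return None


def demo():
    """Constructed 64-sector provider, grown to 96 sectors, probed both times."""
    old_sectors, new_sectors = 64, 96
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "provider.img")
        with open(img, "wb") as f:
            f.truncate(old_sectors * SECTOR)
            f.seek((old_sectors - 1) * SECTOR)
            f.write(MAGIC.ljust(SECTOR, b"\0"))  # stand-in metadata sector
        before = last_sector_has_metadata(img)
        with open(img, "r+b") as f:
            f.truncate(new_sectors * SECTOR)     # the device got larger
        after = last_sector_has_metadata(img)
        stale = find_metadata_sector(img)        # still at the old offset
        return before, after, stale


if __name__ == "__main__":
    print(demo())
```

The stale sector index only tells you where the old provider ended; it does not make the enlarged device attachable, which is why the reply recommends backing up and re-initializing.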