From owner-freebsd-stable@FreeBSD.ORG Fri May 1 11:02:47 2009
Delivered-To: freebsd-stable@freebsd.org
Date: Fri, 1 May 2009 21:02:46 +1000
From: ghostcorps
Reply-To: ghostcorps@gmail.com
To: Roland Smith
Cc: freebsd-stable@freebsd.org
Subject: Re: Can i add a new HDD to an encrypted array?
Message-ID: <4c06024b0905010402r77141b0dwd783f56b55f7afb5@mail.gmail.com>
In-Reply-To: <20090501095305.GA91771@slackbox.xs4all.nl>
References: <4c06024b0905010112m42cbd2a5m9474aa86c003fb0@mail.gmail.com> <20090501095305.GA91771@slackbox.xs4all.nl>
Content-Type: text/plain; charset=ISO-8859-1
List-Id: Production branch of FreeBSD source code
X-List-Received-Date: Fri, 01 May 2009 11:02:47 -0000

Thanks Roland,

You have confirmed my worst fears. One thing though, apparently MatrixRAID is a 'Firmware RAID' system as opposed to hard or software. I don't quite know how that would affect anything but that's all I can say really.

It looks like I'm buying some more disks.

http://en.wikipedia.org/wiki/Intel_Matrix_RAID

Regards

On Fri, May 1, 2009 at 7:53 PM, Roland Smith wrote:

> On Fri, May 01, 2009 at 06:12:42PM +1000, ghostcorps wrote:
> > Hi Guys,
> >
> > This seems like a really basic question, I expect a simple 'no', but I
> > haven't found anything definitive yet.
> >
> > I currently have a hardware RAID5 array, using the Intel Matrix RAID
> > capability onboard, encrypted with GELI.
>
> According to ataraid(4), Intel MatrixRAID is software RAID, not real
> hardware RAID.
>
> > I need to add 2 new discs to the array. If I add a disc to the array and
> > have it rebuilt with the Intel Matrix Storage Manager, prior to booting
> > FreeBSD will that destroy the encrypted data?
>
> In short, no.
>
> The long answer is that the raid array functions at a level below GELI
> which in turn is below the filesystem layer. GELI writes its metadata in
> the last sector of the device, and the ffs(7) filesystem records the
> size of the underlying device at creation time.
>
> Adding the two disks will make the array larger. The metadata for geli
> will probably not be on the last sector anymore, so geli will not
> recognize the enlarged device.
>
> So you'll have to save your data elsewhere, put in the extra disks,
> recreate the array, re-initialize and attach the geli device for the new
> array and newfs(8) the new geli device.
>
> > If so, how can I decrypt the disk without copying the data to another
> > partition?
>
> There are no tools for that at this time, although it should be feasible
> by reading a (multiple of) block(s) from the geli device and then
> writing it to the non-encrypted device. Note that whenever you write a
> block to the unencrypted device, the contents of that block on the geli
> device become gibberish! So you'll have to do the whole device, unless
> you can beforehand make a list of all the blocks that are in use by the
> filesystem. And if even a single block failed in transit, you're
> potentially screwed.
>
> And even if you could perform this in-place decryption, you should make
> a full backup anyway in case the procedure goes horribly wrong, which is
> always a possibility. :-)
>
> If you want to decrypt the device in place because you don't have enough
> backup capacity to store the contents of your raid array, you're already
> in trouble even if you don't know it yet. What will you do if your RAID5
> fails?
>
> Roland
> --
> R.F.Smith http://www.xs4all.nl/~rsmith/
> [plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
> pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
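Roland's point that GELI keeps its metadata in the last sector of the provider, and that enlarging the array therefore leaves geli looking at an empty sector, is easy to see in a small simulation. The block below is an added example written for this archive page; it is not code from the thread or from FreeBSD. The record layout, version number and sector counts are constructed stand-ins for the real g_eli_metadata structure (only the "GEOM::ELI" magic is the real one), and `relocate_metadata` mirrors what the `geli resize -s <oldsize>` subcommand added in later FreeBSD releases does: it finds the record at the old end of the provider and rewrites it at the new end.

```python
"""Toy model of why growing a GELI-backed provider 'loses' its metadata.

GELI stores its metadata in the LAST sector of the underlying provider.
If the provider grows (the RAID array is rebuilt with more disks), the old
last sector is now somewhere in the middle, and tasting the new last
sector finds nothing. The record layout here is a constructed stand-in,
not the real on-disk g_eli_metadata structure.
"""
import struct

SECTOR = 512
MAGIC = b"GEOM::ELI"      # the real GELI magic string
# constructed record: magic, metadata version, provider size in bytes
# (the real structure also records the provider size, in md_provsize)
_FMT = ">9sIQ"


def new_provider(size):
    """A blank provider of `size` bytes (in-memory stand-in for a disk)."""
    assert size % SECTOR == 0
    return bytearray(size)


def write_metadata(dev, version=7):
    """Write the toy metadata record into the last sector of `dev`,
    recording the provider size as it is at the time of writing."""
    rec = struct.pack(_FMT, MAGIC, version, len(dev))
    start = len(dev) - SECTOR
    dev[start:start + len(rec)] = rec


def read_metadata_at(dev, offset):
    """Return (version, provsize) if a record starts at `offset`, else None."""
    size = struct.calcsize(_FMT)
    raw = bytes(dev[offset:offset + size])
    if len(raw) < size:
        return None
    magic, version, provsize = struct.unpack(_FMT, raw)
    if magic != MAGIC:
        return None
    return version, provsize


def taste(dev):
    """What attaching effectively does: look only at the last sector."""
    return read_metadata_at(dev, len(dev) - SECTOR)


def grow(dev, extra_bytes):
    """Simulate the array being enlarged: capacity is appended, existing
    bytes stay where they are, so the old last sector is now mid-device."""
    assert extra_bytes % SECTOR == 0
    return dev + bytearray(extra_bytes)


def relocate_metadata(dev, old_size):
    """Move the record from the old last sector to the new one, the way a
    resize given the provider's old size does. Returns True on success."""
    rec = read_metadata_at(dev, old_size - SECTOR)
    if rec is None:
        return False
    version, provsize = rec
    if provsize != old_size:
        return False  # the hint does not match the record: refuse to guess
    # wipe the stale copy so nothing later mistakes it for live metadata
    dev[old_size - SECTOR:old_size] = bytes(SECTOR)
    write_metadata(dev, version)
    return True


def demo():
    """Run the thread's scenario; return (before, after_grow, after_fix)."""
    dev = new_provider(64 * SECTOR)          # constructed 32 KiB "array"
    write_metadata(dev)
    before = taste(dev)                      # found: (7, 32768)
    bigger = grow(dev, 32 * SECTOR)          # two more "disks" added
    after_grow = taste(bigger)               # None: last sector is blank
    relocate_metadata(bigger, old_size=64 * SECTOR)
    after_fix = taste(bigger)                # found again: (7, 49152)
    return before, after_grow, after_fix


if __name__ == "__main__":
    print(demo())
```

Note what the model does not fix: the filesystem inside the geli device still carries the size recorded by newfs(8) at creation time, so even after the metadata is found again the extra capacity is only usable once the filesystem itself is grown.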