Date: Fri, 1 May 2009 11:53:05 +0200
From: Roland Smith <rsmith@xs4all.nl>
To: ghostcorps <ghostcorps@gmail.com>
Cc: freebsd-stable@freebsd.org
Subject: Re: Can i add a new HDD to an encrypted array?
Message-ID: <20090501095305.GA91771@slackbox.xs4all.nl>
In-Reply-To: <4c06024b0905010112m42cbd2a5m9474aa86c003fb0@mail.gmail.com>
References: <4c06024b0905010112m42cbd2a5m9474aa86c003fb0@mail.gmail.com>
On Fri, May 01, 2009 at 06:12:42PM +1000, ghostcorps wrote:
> Hi Guys,
>
> This seems like a really basic question, I expect a simple 'no', but I
> haven't found anything definitive yet.
>
> I currently have a hardware RAID5 array, using the Intel Matrix RAID
> capability onboard, encrypted with GELI.

According to ataraid(4), Intel MatrixRAID is software RAID, not real
hardware RAID.

> I need to add 2 new discs to the array. If I add a disc to the array and
> have it rebuilt with the Intel Matrix Storage Manager, prior to booting
> FreeBSD will that destroy the encrypted data?

In short, no.

The long answer is that the raid array functions at a level below GELI
which in turn is below the filesystem layer. GELI writes its metadata in
the last sector of the device, and the ffs(7) filesystem records the size
of the underlying device at creation time.

Adding the two disks will make the array larger. The metadata for geli
will probably not be on the last sector anymore, so geli will not
recognize the enlarged device.

So you'll have to save your data elsewhere, put in the extra disks,
recreate the array, re-initialize and attach the geli device for the new
array and newfs(8) the new geli device.

> If so, how can I decrypt the disk without copying the data to another
> partition?

There are no tools for that at this time, although it should be feasible
by reading a (multiple of) block(s) from the geli device and then writing
it to the non-encrypted device. Note that whenever you write a block to
the unencrypted device, the contents of that block on the geli device
become gibberish! So you'll have to do the whole device, unless you can
beforehand make a list of all the blocks that are in use by the
filesystem. And if even a single block failed in transit, you're
potentially screwed.

And even if you could perform this in-place decryption, you should make a
full backup anyway in case the procedure goes horribly wrong, which is
always a possibility. :-)

If you want to decrypt the device in place because you don't have enough
backup capacity to store the contents of your raid array, you're already
in trouble even if you don't know it yet. What will you do if your RAID5
fails?

Roland
-- 
R.F.Smith http://www.xs4all.nl/~rsmith/ [plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
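A toy model of the two mechanisms Roland describes, added here as an illustration and not taken from the thread or from FreeBSD's geli(8) sources: the metadata record layout (magic string plus the provider size the container was created for), the size check at taste time, the XOR "keystream" standing in for the real cipher, and the sample device contents are all simplified constructions. It shows why a record written into the last sector is stranded once the array grows, why simply copying that record to the new end does not help, and why writing decrypted sectors back over the raw device turns the geli view of those sectors into garbage and leaves a half-converted device if the loop fails part way.

```python
"""Toy model of GELI's last-sector metadata and of in-place decryption.
Added example; layout and cipher are simplified stand-ins, not the real
GEOM ELI on-disk format or any FreeBSD code."""
import struct

SECTOR = 512
MAGIC = b"GEOM::ELI"   # the real on-disk record does begin with this string


def make_provider(n_sectors: int) -> bytearray:
    """Constructed fake block device filled with a recognisable byte pattern."""
    return bytearray((i * 7 + 3) % 251 for i in range(n_sectors * SECTOR))


def geli_init(dev: bytearray) -> None:
    """Write a simplified metadata record into the LAST sector: magic plus
    the provider size the container was created for (the real record also
    carries algorithm ids, salt and the encrypted master key)."""
    record = MAGIC + struct.pack("<Q", len(dev))
    dev[-SECTOR:] = record.ljust(SECTOR, b"\x00")


def geli_taste(dev: bytearray) -> tuple:
    """Mimic the taste step: inspect only the last sector and reject a
    record whose stored provider size differs from the device's size."""
    last = bytes(dev[-SECTOR:])
    if not last.startswith(MAGIC):
        return False, "no metadata in last sector"
    (provsize,) = struct.unpack_from("<Q", last, len(MAGIC))
    if provsize != len(dev):
        return False, "provider size mismatch: %d != %d" % (provsize, len(dev))
    return True, "ok"


def grow_provider(dev: bytearray, extra_sectors: int) -> bytearray:
    """Rebuilding the array with more disks: same bytes, then fresh space."""
    return bytearray(dev) + bytearray(extra_sectors * SECTOR)


def find_stale_metadata(dev: bytearray):
    """Scan sector starts for a leftover record; returns its byte offset."""
    for off in range(0, len(dev), SECTOR):
        if dev[off:off + len(MAGIC)] == MAGIC:
            return off
    return None


# --- in-place decryption model ---------------------------------------------

def toy_keystream(key: bytes, sector_no: int) -> bytes:
    """Per-sector keystream stand-in (NOT a real cipher, never use this)."""
    pattern = bytes((b + sector_no) & 0xFF for b in key)
    return (pattern * (SECTOR // len(pattern) + 1))[:SECTOR]


def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def data_sectors(dev: bytearray) -> int:
    """Every sector but the last (which holds the metadata) carries data."""
    return len(dev) // SECTOR - 1


def encrypt_in_place(dev: bytearray, key: bytes) -> None:
    """Turn the plaintext provider into what the raw disk holds under geli."""
    for sn in range(data_sectors(dev)):
        off = sn * SECTOR
        dev[off:off + SECTOR] = _xor(dev[off:off + SECTOR], toy_keystream(key, sn))


def geli_read(dev: bytearray, key: bytes, sector_no: int) -> bytes:
    """Read one sector 'through' the geli layer."""
    off = sector_no * SECTOR
    return _xor(dev[off:off + SECTOR], toy_keystream(key, sector_no))


def inplace_decrypt(dev: bytearray, key: bytes, fail_after: int = None) -> int:
    """Read each sector via geli and write the plaintext back over the raw
    sector. Once written, geli_read() on that sector returns garbage, and if
    the loop dies (simulated with fail_after) the device is left half plain,
    half cipher, with nothing on disk recording which sectors are which."""
    done = 0
    for sn in range(data_sectors(dev)):
        if fail_after is not None and done == fail_after:
            raise IOError("simulated failure after %d sectors" % done)
        plain = geli_read(dev, key, sn)
        dev[sn * SECTOR:(sn + 1) * SECTOR] = plain
        done += 1
    return done


if __name__ == "__main__":
    dev = make_provider(8)
    geli_init(dev)
    print("before grow:", geli_taste(dev))
    big = grow_provider(dev, 4)
    print("after grow: ", geli_taste(big), "stale record at", find_stale_metadata(big))
```

Running the script prints a successful taste on the original 8-sector device and a failed one on the grown device, with the old record still sitting at the 7th sector boundary; the in-place decryption helpers are there to experiment with a mid-run failure.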