[dm-crypt] Encrypt underlying disks after the fact?

Arno Wagner arno at wagner.name
Tue Apr 2 02:39:29 CEST 2013

On Mon, Apr 01, 2013 at 04:25:28PM -0700, Omen Wild wrote:
> I have a mirrored ZFS on Linux pool and I am now regretting not having
> encrypted the underlying disks. Can I do this after the fact, i.e.:
>  - break the mirror: zpool detach tank /dev/sdb
>  - wipe disk
>  - cryptsetup luksFormat /dev/sdb
>  - rebuild the mirror: zpool attach tank /dev/sda /dev/mapper/c1

With enought space, this should work. However if you encrypt the
underlying disks, you will have to unlock each one individually
or script something before mounting. Integrating RAID into the 
filesystem like ZFS does really is not that good an idea and this 
is one eaxmple why: It breaks the layering and the filesystem has to
suddenly do everything, including encryption. Not good as it violates
KISS. Sadly, the BTRFS developers are making the same mistake...
> When I created the pool I gave ZFS the entire disks so it formatted them
> GPT:
> ----- Begin quote -----
> Partition Table: gpt
> Number  Start           End             Size            File system  Name  Flags
>  1      1048576B        2000390528511B  2000389479936B  zfs          zfs
>  9      2000390528512B  2000398917119B  8388608B
> ----- End quote -----
> The main question is whether the LUKS disk would have at least as many
> blocks as #1. Looking at the numbers is looks like there is 1MB
> available at the beginning, and 8MB at the end, and the LUKS header is
> 1MB+4096B or 2 MB, so it looks like it will fit on the raw device. The
> other route would be to use a detached header. Any recommendations
> between the two methods?

Detached header would mean you have one more device to worry about.
I would recommend avoiding it in this scenario. Your device is
only 2TB, are you sure you want ZFS on top of that? Also, AFAIK,
ZFS is Beta-quality on Linux and incomplete.

> Assuming this could work I suppose the safest way to do this would be to
> buy a 3rd disk, encrypt it, add it to the pool, then rotate the original
> 2 out one at a time.

You could also do something else if it does not fit or if you
want to change thesize anyways:

1. Make a degraded md RAID1 on a new disk.
2. Put a LUKS container on it
3. Put ZFS (single drive) on top of that
4. Copy all data over
5. Remove one disk from the SFS tool and add it to the md RAID1.
This gives you proper layering again and you have to do only one 
unlock on mounting.

> Oh, and backups, backups, and more backups.


> Thanks
> -- 
> The world is coming to an end, SAVE YOUR BUFFERS!!!

> _______________________________________________
> dm-crypt mailing list
> dm-crypt at saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt

Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
One of the painful things about our time is that those who feel certainty
are stupid, and those with any imagination and understanding are filled
with doubt and indecision. -- Bertrand Russell

More information about the dm-crypt mailing list