How to add encrypted ZFS pool on FreeBSD server

To add an encrypted ZFS pool on a FreeBSD server, you need the geom_eli (GEOM ELI) kernel module loaded and the geli(8) utility, which is part of the FreeBSD base system. Here are the general steps to add an encrypted ZFS pool:

  1. Load the geli kernel module:
     kldload geom_eli
  2. Create a GPT partition scheme and a ZFS partition on the desired disk with the gpart command. For example (the first command writes the partition table, the second adds the partition that becomes ada0p1):
     gpart create -s gpt /dev/ada0
     gpart add -t freebsd-zfs -a 1m /dev/ada0
  3. Create a new geli provider on the partition:
     geli init -b -s 4096 /dev/ada0p1

This will create a 4KB sector-size encrypted partition; the -b flag marks the provider for attachment at boot, and geli will prompt for a passphrase.

  4. Attach the geli provider:
     geli attach /dev/ada0p1
  5. Create the ZFS pool on the geli provider:
     zpool create -o ashift=12 -O compression=lz4 -O encryption=aes-256-gcm -O keylocation=file:///root/ada0p1.key -O keyformat=passphrase tank /dev/ada0p1.eli

This command creates a ZFS pool named "tank" on the geli provider /dev/ada0p1.eli, with ashift=12 to match the 4KB sector size, lz4 compression, and ZFS native encryption (aes-256-gcm) layered on top of geli, with the passphrase read from the file named by keylocation. Note that zpool create loads the key from that file immediately, so /root/ada0p1.key must already exist and contain the passphrase before this step; otherwise the command fails to load the key.

  6. Set the permissions on the key file so that only root can read it:
     chmod 600 /root/ada0p1.key
  7. Create file systems and datasets as required:
     zfs create tank/mydata
  8. Finally, mount the new ZFS file system (zfs create normally mounts the dataset automatically, so this is only needed if it is not already mounted):
     zfs mount tank/mydata

Note: This is a general guide for adding an encrypted ZFS pool. The exact commands and options used may vary depending on your specific setup and requirements.
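The following is an added example, not code from the original post: a small sh wrapper around the procedure above that performs two checks the steps leave implicit before creating the pool, namely that the key file named in keylocation exists with mode 0600, and that the pool is created on the .eli provider rather than the raw partition. The partition, pool name and key path are placeholder arguments.

```shell
#!/bin/sh
# Added example, not from the original post: runs the geli + zpool steps only
# after the key file exists with mode 0600 and the target is a .eli provider.
# Partition, pool name and key path are placeholders passed as arguments.

# A pool created on /dev/ada0p1 instead of /dev/ada0p1.eli bypasses geli
# entirely, so refuse anything that is not a geli provider name.
is_eli_provider() {
    case "$1" in
        *.eli) return 0 ;;
        *)     return 1 ;;
    esac
}

# zpool create reads the file in keylocation= at creation time, so it must
# exist, be non-empty and be readable by its owner (root) only.
check_keyfile() {
    f="$1"
    [ -f "$f" ] || { echo "keyfile $f: missing, create it before zpool create" >&2; return 1; }
    [ -s "$f" ] || { echo "keyfile $f: empty" >&2; return 1; }
    mode=$(ls -ld "$f" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || { echo "keyfile $f: mode $mode, want -rw------- (chmod 600)" >&2; return 1; }
    return 0
}

# Step 5 from the post, guarded by the two checks above.
create_pool_on_provider() {
    pool="$1"; dev="$2"; keyfile="$3"
    is_eli_provider "$dev" || { echo "$dev is not a geli provider" >&2; return 1; }
    check_keyfile "$keyfile" || return 1
    zpool create -o ashift=12 -O compression=lz4 -O encryption=aes-256-gcm \
        -O "keylocation=file://$keyfile" -O keyformat=passphrase "$pool" "$dev"
}

# Steps 1, 3, 4 and 5: load geom_eli if needed, init and attach the provider
# (geli prompts for the passphrase), then create the pool on the .eli device.
create_encrypted_pool() {
    part="$1"; pool="$2"; keyfile="$3"
    kldstat -q -m g_eli || kldload geom_eli || return 1
    geli init -b -s 4096 "$part" || return 1
    geli attach "$part" || return 1
    create_pool_on_provider "$pool" "${part}.eli" "$keyfile" || return 1
    zfs get -H -o value encryption "$pool"   # confirm the root dataset is encrypted
}

# Usage as root, after step 2 (gpart) has created ada0p1:
#   umask 077; printf '%s\n' 'long passphrase here' > /root/ada0p1.key
#   create_encrypted_pool /dev/ada0p1 tank /root/ada0p1.key
```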
