Question about encrypting and replacing drives


Hi all,

I have a server that I want to encrypt. I understand the method for this is empty largest drive, encrypt drive, copy data to, and round robin until all desired drives are encrypted.

I also have 11x 4TB drives that I want to remove and replace with 4x 14TB drives. (The server also has some 8TB and 14TB drives in it already).

My question is, for checking my sanity here, could I:

1) slap enough drives in a test server to accommodate the amount of data on the main server
2) encrypt the drives

3) copy all the data to the test server

4) backup flash from main server

4) remove all the drives (including parity) from the main server
5) move all the drives from test server to main

6) new config and build parity

My thinking is with the backup of the flash and all the drives removed, I'd have near zero risk of data loss.. and it seems like it would be more convenient than cycling through the drives one at a time. I'd have to purchase roughly 5 more drives to handle this which I'm still on the fence with because $$.

But if this is sound thinking, could I partially do this by:

1) copying the data from the 11x 4TB drives to the test server

2) remove those drives and parity and replace with 14TB drives

3) new config and build parity

4) round robin the remaining data

I already have enough drives for this scenario.

Thanks for your time!

Solved by bmartino1

  • Community Expert
  • Solution

Yes, your strategy is sound. You can use a test server to pre-encrypt drives and move them over. You can do this in full or in parts depending on how many drives you can afford to buy now. Just be very careful with the "New Config" step and assigning drives correctly afterward.

Encrypting the Array

You’re correct: Unraid requires encrypting a disk individually, then copying data onto it, round-robin style. There's no in-place encryption.

-Be sure to copy the encryption key for the array!!!

Full Migration Option (Test Server to Main):

Steps:

  1. Set up test server with enough storage.

  2. Encrypt all test server drives with your chosen format (xfs-encrypted or btrfs-encrypted).

  3. Copy all data from main server to test server.

  4. Backup the USB flash from the main server (important: use "flash backup" in the web UI or copy config/ folder).

  5. Remove all old drives from the main server, including parity.

  6. Move all test server drives to main server.

  7. Boot up, choose Tools → New Config, assign drives manually.

  8. Ensure nothing is formatted. Confirm all drives are recognized and contain correct encrypted filesystems.

  9. Assign new parity, rebuild parity.

This will work, provided:

  • You don't format any drives accidentally.

  • You confirm encryption keys/credentials are correctly entered when the system boots.

  • You double-check disk assignments before starting parity build.

Partial Migration Option (Budget-Friendly):

Yes, this is a safer and more incremental option:

  1. Copy only the data from the 11×4TB drives to encrypted drives in a test server.

  2. Remove the 4TB drives and parity from the main server.

  3. Replace them with new 14TB encrypted drives.

  4. Use New Config, assign data + parity drives manually.

  5. Build parity.

  6. Round-robin encrypt the remaining drives (8TB/14TB) later, one by one.

This approach:

  • Lets you reuse 4TB drives for other tasks (or sell them).

  • Minimizes upfront cost.

  • Reduces risk by not touching existing encrypted drives.

Important Considerations

  • File System: Use xfs-encrypted unless you have a reason to prefer btrfs-encrypted. xfs is generally simpler and more stable for single-drive volumes.

  • Encryption Key: Store your encryption passphrase or keyfile securely (ideally outside Unraid).

  • New Config:

    • Use only when you're 100% confident about drive contents.

    • Always check "Parity is already valid" only if you know it is — in your case, it won’t be, since drives were moved/formatted.

  • UUID Conflicts: If reusing disks, always wipe old partition tables (wipefs, blkdiscard, etc.), or Unraid might get confused.

Unraid scripts exist for encrypting the array and grabbing key files...

some things to review:

Data Encryption | Unraid Docs

Unraid supports the use of encrypted drives in both the cache and the array. It does this using the Linux LUKS (Linux Unified Key System) encryption modules.

Medium

Automating Unraid Array Decryption

As an Unraid user, manually entering encryption passwords at every boot can become tedious and inconvenient, especially for your family.

The forum post on Unraid encryption:

I'm aware of the new encryption key and script but not sure of its setup and installation...

Several scripts and methods exist for managing encryption in Unraid systems. One notable script is unraid-newenckey, which allows users to change the unlock key of their encrypted drives. This script ensures that the new key is backed up safely, as losing the new key can result in data loss.

https://github.com/doron1/unraid-newenckey

Gist

UnRaid New Encryption Key

  • Author

@bmartino1 Thank you for the response.

But more importantly, thank you for taking the time to do such a thorough reply. This is probably the most informative forum reply I've come across. I appreciate it.

When you say "-Be sure to copy the encryption key for the array!!!", you mean if I'm using a keyfile? On my other server I just enter the passphrase manually on boot. Or did you mean make sure I copy my passphrase somewhere safe?

Thanks!

  • Community Expert

Especially when moving between disks, usually a key file is stored and created in the root folder.

Sometimes other Unraid client users use a script to grab that key file for encryption.

Since the Unraid root file system is in RAM, the temp file that holds the unlock pass key will be removed and is not on the USB nor the system, so be sure to get that key file!

Unless you're not using Unraid disk array autostart, and keeping the same password passkey when mounting/starting the array. More info is in the scripts for encryption, and more of a side note.

once the password is set and the array is unlocked you may see a file located here:

cat /root/keyfile
  • Author

Yeah, I tend not to use autostart and enter my passkeys manually. 99.99% of the time I'm gonna be around when an array has to be restarted. I also have a generator, so I'm never hit by power outage shutdowns.

So assuming I just set a passphrase for the new encrypted drives, there's nothing I need to copy over, yeah? Just make sure I have that passphrase stored securely somewhere and backed up?

Thanks again.

  • Author

Actually, this just occurred to me: How do I accommodate files that might get added to the original array while this is all happening?

Is the safest bet here to disable Mover until the process is complete? Assuming my cache pool can handle the incoming volume necessary while I do this big copy.

  • Community Expert

Correct: docker off, VM off, mover off. Share settings to a single primary-only disk. Nothing running while files are moving between disks.

Take pictures for later with snip / screen capture, for later if needed.

Edited by bmartino1
data - typo

  • Author

Again, appreciated. I'm hoping last question: Is there a best practice for migrating data from one server to another? Preferably with some sort of verification? Should I be using rsync? Should I replicate shares on the test server and mount them via Unassigned Devices doing a share to share dump over SMB?

I had originally intended to just direct connect the 2 servers via 10GbE. However, I could pull disks in batches from the main server and mount them in the test server and copy over SATA. I don't have a chassis big enough to hold all the disks at once.

  • Community Expert

Quite a few plugins and tools.

The main one I would recommend to have installed when moving between disks is:
image.png

Ah, there are a few plugins that can help with this, actually. If both are running Unraid, ICH777 made an Unraid duplicator plugin. (Depending on data / files on disk)

*More Docker and unraid system backup restore.


Yes, there is a web rsync plugin. but that depends on how long you are willing to wait to verify, hash and guarantee file copy over a standard file copy.

If using zfs / zfs pools with encryption.
One could use zfs send to transfer disk data.

I personally use mc at the local machine (boot Unraid in GUI mode), connecting to localhost, so the transfer between disks happens at and on the local machine.

There are some interactions as well, such as using sftp via ssh and FileZilla (another common way that I interact with Unraid to move large data between systems).

Can, should, will are hard to answer. Are there solutions? Yes. Should? Debatable. I can go over some rsync commands if you want.

I've found rsync to really be good once a copy paste is done to run to confirm changes and copy differences.

Using a 10GB NIC and transfers between two systems is a good start.

If it helps, I also have an sftp/fail2ban docker that can be used in conjunction with the rclone (rsync web application).

It comes down to how you want to interact with it and what you want it to do.

I use sftp through the internet with UniFi Site Magic and sftp/FileZilla/rsync to a ring network of friends to keep an offsite backup of files between each other.

  • Community Expert

*Unraid uses LUKS full-disk encryption (via Linux Unified Key System). Here's how to set it up:

  1. Stop the array.

  2. On the Main tab, select a disk.

  3. Change its file system to an encrypted type.

  4. Click Apply, then Done.

  5. Format the newly encrypted (unmountable) disk when prompted.

  6. To use it, supply the passphrase or keyfile at array startup.

Review:

https://docs.unraid.net/unraid-os/manual/security/data-encryption/

Syncing Encrypted Disks Disk‑to‑Disk with rsync

You have two scenarios: (A / B)

A:

Local rsync (within one Unraid box)

Perfect for syncing from one encrypted disk to another (e.g., backups to an unassigned encrypted disk).

Example:

Example rsync command at the local machine, disk to disk:

rsync --archive --delete \
    /mnt/disk2/SourceFolder/ \
    /mnt/disks/EncryptedBackup/

  1. --archive: preserves permissions, symlinks, etc.

  2. --delete: cleans up files not present in source.

-*mgutt has a good script on the forum for this:

https://forums.unraid.net/topic/97958-rsync-incremental-backup/

Script: https://codeberg.org/mgutt/rsync-incremental-backup/src/branch/main/incbackup.sh

https://forums.unraid.net/topic/190797-simplest-setup-for-auto-downloading-from-sftp-to-unraid/#findComment-1558756

--Or even syncing into an array disk:

rsync --archive --delete /mnt/user/SourceFolder/ /mnt/disk4/BackupFolder/

https://japanatron.com/blog/other/it/10402-unraid-backing-up-using-rsync

B:

Remote rsync Over SSH or SFTP (disk-to-disk backup across systems)

i) Set Up SSH Key Access

On the target machine (backup receiver):

ssh-keygen -t rsa -b 2048 -f /root/.ssh/backup-rsync-key

Copy the public key to the source machine (authorized_keys), ensuring proper permissions:

chmod 700 ~/.ssh

chmod 600 ~/.ssh/authorized_keys

ii) Use rsync via SSH

Run from target to pull from source:

rsync local to remote via sftp

rsync -avu --numeric-ids --progress \
    -e "ssh -i /root/.ssh/backup-rsync-key -T -o Compression=no -x" \
    root@source:/mnt/diskX/EncryptedSource/ \
    /mnt/disks/EncryptedBackup/

  1. -u: skip files newer on receiver

  2. --numeric-ids: maintain user/group IDs

  3. -T: disable pseudo-tty

  4. -o Compression=no: let rsync handle compression

  5. -x: stay on one file system

iii) Automate with --remove-source-files

To move files (delete after successful copy):

rsync -avz --remove-source-files \
    -e "ssh -i /root/.ssh/backup-rsync-key" \
    root@source:/mnt/encrypted1/ /mnt/encrypted2/

You can then optionally clean up any empty directories:

ssh -i /root/.ssh/backup-rsync-key root@source \
    "find /mnt/encrypted1/ -mindepth 1 -type d -empty -delete"

Other examples of a sample Automation Script (Local or Remote)

Adapt this for local disks or remote SSH pulls:

-Set paths in script...

Example: Rsync Script – Local & Remote Ready

#!/bin/bash

# Abort on the first error so cleanup never runs after a failed transfer
set -euo pipefail

# ========================
# USER CONFIGURATION
# ========================

# Set to 1 if using remote SSH; set to 0 for local rsync
USE_SSH=1

# Source and destination paths
SRC="/mnt/encrypted_source/"
DST="/mnt/disks/encrypted_backup/"

# Remote SSH settings (used only if USE_SSH=1)
SSH_USER="root"
SSH_HOST="192.168.1.100"
SSH_KEY="/root/.ssh/backup-rsync-key"

# Optional: Delete source files after sync (1 = yes, 0 = no)
REMOVE_SOURCE=1

# ========================
# RSYNC LOGIC
# ========================

# Build rsync command as an array so arguments with spaces stay intact
RSYNC_CMD=(rsync -av --numeric-ids --progress)
if [ "$REMOVE_SOURCE" -eq 1 ]; then
    RSYNC_CMD+=(--remove-source-files)
fi

if [ "$USE_SSH" -eq 1 ]; then
    echo "Running rsync over SSH..."
    # -z compresses in rsync itself, so SSH compression stays off
    "${RSYNC_CMD[@]}" -z -e "ssh -i $SSH_KEY -o Compression=no" \
        "$SSH_USER@$SSH_HOST:$SRC" "$DST"
    if [ "$REMOVE_SOURCE" -eq 1 ]; then
        # --remove-source-files already deleted every file that transferred;
        # prune only the empty directories so unsent files are never lost
        echo "Cleaning up empty remote source directories..."
        ssh -i "$SSH_KEY" "$SSH_USER@$SSH_HOST" \
            "find \"$SRC\" -mindepth 1 -type d -empty -delete"
    fi
else
    echo "Running local rsync..."
    "${RSYNC_CMD[@]}" "$SRC" "$DST"
    if [ "$REMOVE_SOURCE" -eq 1 ]; then
        echo "Cleaning up empty local source directories..."
        find "$SRC" -mindepth 1 -type d -empty -delete
    fi
fi

echo "Rsync operation completed."

*Edit the SRC, DST, USE_SSH, and SSH settings as needed.

Run manually or schedule via Unraid's User Scripts plugin.

Edited by bmartino1
data - typo
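
The thread asks for a migration method "with some sort of verification". As an added example (not code from any poster or from Unraid), this script compares source and destination trees by SHA-256 before the old drives are removed or wiped; the function names `manifest`, `verify_copy` and `demo` and the temp-dir sample files are assumptions made for illustration.

```shell
#!/bin/bash
# Added example, not from the thread: hash-verify a migrated tree before the
# source drives are pulled or wiped. Demo paths are constructed temp dirs.

# Emit "<sha256>  ./relative/path" for every regular file under $1, by path.
manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 )
}

# Return 0 if both trees hold the same files with the same content,
# 1 if any file is missing, extra or different (paths printed), 2 on bad input.
verify_copy() {
    local src="$1" dst="$2" tmp rc=0
    [ -d "$src" ] && [ -d "$dst" ] || return 2
    tmp="$(mktemp -d)" || return 2
    manifest "$src" > "$tmp/src"
    manifest "$dst" > "$tmp/dst"
    if ! diff "$tmp/src" "$tmp/dst" > "$tmp/delta"; then
        # diff lines look like "< hash  ./path"; print each path once
        grep '^[<>] ' "$tmp/delta" | cut -d' ' -f4- | LC_ALL=C sort -u
        rc=1
    fi
    rm -rf "$tmp"
    return "$rc"
}

# Constructed demo: a clean copy passes, a silently altered copy is caught.
demo() {
    local work
    work="$(mktemp -d)" || return 2
    mkdir -p "$work/src/Media/sub" "$work/dst"
    printf 'movie bytes\n'  > "$work/src/Media/sub/film.mkv"
    printf 'family photo\n' > "$work/src/Media/photo one.jpg"
    cp -a "$work/src/." "$work/dst/"
    verify_copy "$work/src" "$work/dst" && echo "clean copy: verified"
    printf 'movie bytez\n' > "$work/dst/Media/sub/film.mkv"  # same size, new content
    verify_copy "$work/src" "$work/dst" || echo "altered copy: rejected"
    rm -rf "$work"
}
demo
```

Run `verify_copy` against each disk pair (for example `/mnt/disk2/SourceFolder` and `/mnt/disks/EncryptedBackup`) with Docker, VMs and Mover stopped, and only remove or wipe the source drives after it returns 0.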
