Migrating data to encrypted disks



I have an empty 5gb drive unencrypted and am looking to move it to encrypted. I've got the "clear-me" directory ready and was about to run the clear script but it seems unnecessary. I think I'm correct that the shrink array procedure (including clearing) THEN adding the disk back with format xfs-encrypted maintains parity, but as a format updates parity the clear seems like an unnecessary step. As the formatting of the disk will update parity the clear script hardly seems necessary. Is the only way to maintain parity to clear => shrink => add or is there a way to avoid the clear?

 

Thanks,

 

--dimes

Link to comment
35 minutes ago, johnnie.black said:

No need to clear, just format with an encrypted filesystem.

Semantically accurate and correct...

 

However... If you had data on that drive at one point, it will still be partially readable by forensic disk recovery software, even after it's formatted as encrypted.

 

So... if your end goal of encryption is to thwart forensic recovery, you need to either

a. Fill the drive with encrypted data, so any blank spots that had data in them previously will be overwritten

or

b. Write all zeroes (clear) or random data to the drive to ensure all previous data is no longer intact

 

In either case, as long as you are working with the array drive using /mnt/diskX, parity is maintained and does not need to be rebuilt.

 

Unraid parity doesn't have a concept of files, format, or anything like that. It purely works at the whole disk level, regardless of content.

 

1 hour ago, dimes007 said:

Is the only way to maintain parity to clear => shrink => add or is there a way to avoid the clear?

 

The way to maintain parity is not to remove the disk. As long as the disk is a member of the parity protected array, parity is maintained. Formatting or encryption has nothing to do with it. Shrinking requires either clearing the disk before removal or rebuilding parity. Don't remove the disk, just change the format type.

Link to comment
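
The parity behaviour described in the replies above, as an added example that is not part of the original thread and not Unraid's code: a simplified model of single XOR parity over constructed 8-byte "disks" (the `Array` class, disk contents and `HDR0` header bytes are all made up for illustration). It shows that an in-place reformat keeps parity valid while old bytes outside the newly written area survive, and that removing a disk leaves parity valid only if the disk was zeroed first.

```python
from functools import reduce

def xor_columns(*members):
    """XOR equal-length byte strings together, sector by sector."""
    return bytearray(reduce(lambda a, b: a ^ b, col) for col in zip(*members))

class Array:
    """Hypothetical single-parity array; parity knows nothing about filesystems."""
    def __init__(self, disks):
        self.disks = {name: bytearray(d) for name, d in disks.items()}
        self.parity = xor_columns(*self.disks.values())

    def parity_valid(self):
        return self.parity == xor_columns(*self.disks.values())

    def write(self, name, offset, data):
        """Write via the array device: parity is patched with old ^ new."""
        disk = self.disks[name]
        for i, new in enumerate(data, start=offset):
            self.parity[i] ^= disk[i] ^ new
            disk[i] = new

    def rebuild(self, name):
        """Reconstruct one member from parity plus all the other members."""
        others = [d for n, d in self.disks.items() if n != name]
        return xor_columns(self.parity, *others)

    def shrink(self, name, clear_first):
        """Remove a member without recomputing parity; report if parity survives."""
        if clear_first:
            self.write(name, 0, bytes(len(self.disks[name])))  # zero the disk
        del self.disks[name]
        return self.parity_valid()

def sample_array():
    # Constructed contents; disk3 holds leftover plaintext from earlier use.
    return Array({"disk1": b"AAAAAAAA", "disk2": b"datadata", "disk3": b"old-file"})

def reformat_in_place():
    """'Format' disk3 by writing only a new 4-byte header (constructed bytes)."""
    arr = sample_array()
    arr.write("disk3", 0, b"HDR0")
    leftover = bytes(arr.disks["disk3"][4:])  # sectors the format never touched
    return arr.parity_valid(), arr.rebuild("disk3") == arr.disks["disk3"], leftover

if __name__ == "__main__":
    print("reformat in place:", reformat_in_place())
    print("shrink, not cleared:", sample_array().shrink("disk3", clear_first=False))
    print("shrink, cleared:", sample_array().shrink("disk3", clear_first=True))
```
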

I reformatted encrypted and things seem fine.

 

Not worried about forensic recovery.  The 5tb was a parity disk.   I'll be moving data from a SED disk currently in the array to this disk.  I haven't seen much here about performance impact (either CPU or disk speed) with encryption turned on.  Not that I need blazing speed but SED has no tangible performance hit while using an encrypted array drive. 

 

The only remaining curiosity is that I don't have an encryption icon in settings??

 

Thank you both for the quick and accurate guidance.

 

31 minutes ago, jonathanm said:

Semantically accurate and correct...

 

However... If you had data on that drive at one point, it will still be partially readable by forensic disk recovery software, even after it's formatted as encrypted.

 

So... if your end goal of encryption is to thwart forensic recovery, you need to either

a. Fill the drive with encrypted data, so any blank spots that had data in them previously will be overwritten

or

b. Write all zeroes (clear) or random data to the drive to ensure all previous data is no longer intact

 

In either case, as long as you are working with the array drive using /mnt/diskX, parity is maintained and does not need to be rebuilt.

 

Unraid parity doesn't have a concept of files, format, or anything like that. It purely works at the whole disk level, regardless of content.

 

The way to maintain parity is not to remove the disk. As long as the disk is a member of the parity protected array, parity is maintained. Formatting or encryption has nothing to do with it. Shrinking requires either clearing the disk before removal or rebuilding parity. Don't remove the disk, just change the format type.

 

--dimes

 

 

Link to comment

Yes.  "Disk Encrypted and Unlocked".  Things seem fine.  Moving data to it now.

 

I thought I was going to get a new icon in the settings tab?  Maybe that was only when it was in 6.4 beta?  Maybe it only shows up if you use a keyfile?

 

3 minutes ago, jonathanm said:

On the main GUI page is there an unlocked padlock by that disk?

 

--dimes

Link to comment
