Import Encrypted Logical Units

TechTrend

Member
Apr 16, 2016
47
14
8
65
Florida
I moved a ZFS pool to another server. Pool imported with no errors using

# zpool import pool0

pool0 contains both encrypted and unencrypted logical units. Encryption keys were restored to /local/keydata on the new server (plus a copy in another location). Unencrypted LU's were imported successfully using

# stmfadm import-lu /pool0/lu01

The encrypted ZFS filesystem (efs1) appears on the zfs list

# zfs list
NAME         USED   AVAIL  REFER  MOUNTPOINT
pool0        43.1T  6.16T  23.9T  /pool0
pool0/efs1   19.1T  6.16T  19.1T  /pool0/efs1
...

but the encrypted LUs are not visible on the filesystem (before import-lu)

# ls -al /pool0/efs1
total 18
drwxr-xr-x+ 2 root root 2 Jan 9 2023 .
drwxr-xr-x+ 4 root root 11 Jan 23 2023 ..

Should I use the same command as on unencrypted LU's

# stmfadm import-lu /pool0/efs1/elu01

or are there other options required? My concern is to avoid damage to the encrypted LU's by not specifying corresponding options.

Thanks.
 

TechTrend

In the example /pool0/efs1 is the mount point for the encrypted filesystem. Possibly the mount is missing? That would explain why logical units are not listed in ‘ls’. Looked at ZFS docs, but couldn’t find mount options for encrypted objects.
 

gea

Well-Known Member
Dec 31, 2010
3,163
1,195
113
DE
Only datasets of type filesystem can be mounted and shown via ls. Logical units are a reference to a zvol dataset type (datasets=filesystem, snap, zvol).

Zvols are datasets that are treated as a block device, like a raw disk. You cannot mount them directly. To use a zvol you need to create/import a logical unit based on the zvol (or file or raw disk), then create a target with a view to the logical unit (if the zvol that is the base of the LU is unlocked). You can then connect the logical unit as a LUN on a system that provides an initiator, e.g. Windows, like a local disk.

If you created the LUN in the napp-it menu ZFS filesystem, you can simply re-enable the LUN after the pool move, as napp-it treats them like a filesystem property, similar to SMB sharing. Encryption of a zvol is normally inherited from the parent ZFS filesystem.
 

TechTrend

Thanks for your response.

Encrypted logical units were created with napp-it as file-based LU’s under encrypted ZFS filesystem /pool0/efs1. Tried ‘stmfadm import-lu’ after the import, but this error comes up:

# stmfadm import-lu /pool0/efs1/elu01
stmfadm: meta file error

Pool disk usage is approximately the sum of unencrypted + encrypted LU’s. That implies the encrypted data is still there. Maybe some of the metadata is not consistent?
 

TechTrend

Problem solved using napp-it! Unlocked the encrypted filesystem by clicking "locked" on the ZFS filesystem list and choosing L1:L1 keysource to unlock. Then went to Comstar, Import LU and it made the logical unit available again. Added a view and rescanned storage on hosts using that LUN. All encrypted data is accessible again. Thanks for your assistance and for making such a great tool available!
 

gea

If an encrypted filesystem is unlocked, it behaves exactly like an unencrypted filesystem.
If it is locked, it is still a ZFS filesystem in structure, but with data and metadata encrypted.

Btw, even with a split file-based key like L1:L1 or web-based keys, you can use prompt (enter the key manually) to unlock.
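
Added example, not part of the thread and not napp-it's own code: a shell guard that runs `stmfadm import-lu` on a file-based LU only once the parent filesystem's key is loaded and the filesystem is mounted, which is the order that worked in the thread. It assumes the platform's ZFS exposes the `keystatus` property; `safe_import_lu` and `zprop` are hypothetical helper names, and the unlock step itself is left to napp-it or the platform's own key-loading command.

```shell
#!/bin/sh
# Added example: pre-flight checks before importing a file-based COMSTAR LU
# that lives on an encrypted ZFS filesystem.
# ZFS and STMFADM can be overridden, e.g. to dry-run the logic with stubs.
ZFS=${ZFS:-zfs}
STMFADM=${STMFADM:-stmfadm}

# zprop DATASET PROPERTY -> prints the bare property value
zprop() { "$ZFS" get -H -o value "$2" "$1"; }

# safe_import_lu DATASET LU_FILE
# Returns: 0 imported, 2 key not loaded, 3 not mounted,
#          4 LU file outside the mountpoint or missing, 1 zfs query failed
safe_import_lu() {
    ds=$1 lu=$2
    keystatus=$(zprop "$ds" keystatus) || return 1
    # "none" = unencrypted dataset, "available" = key loaded (unlocked)
    case $keystatus in
        none|available) ;;
        *) echo "$ds: key not loaded (keystatus=$keystatus); unlock it first" >&2
           return 2 ;;
    esac
    # A locked or unmounted filesystem shows an empty directory, as in the
    # 'ls -al /pool0/efs1' output above, so the LU file cannot be found.
    if [ "$(zprop "$ds" mounted)" != yes ]; then
        echo "$ds: not mounted; LU backing files are not visible yet" >&2
        return 3
    fi
    mnt=$(zprop "$ds" mountpoint) || return 1
    case $lu in
        "$mnt"/*) ;;
        *) echo "$lu is not under $mnt" >&2; return 4 ;;
    esac
    [ -f "$lu" ] || { echo "$lu: backing file missing" >&2; return 4; }
    "$STMFADM" import-lu "$lu"
}
```

With the names from this thread the call would be `safe_import_lu pool0/efs1 /pool0/efs1/elu01`; a non-zero return means nothing was passed to `stmfadm`.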