- This article will show you how to remove GELI encryption from a ZFS pool while keeping the data. This does not require the GELI Key file but the pool must be unlocked prior (using the passphrase if you had created one. It is not necessary if you have not created a passphrase). When this encryption is removed, it will be possible to import back into FreeNAS as a pool without encryption. The pool will also be visible in the Houston UI if you are switching to Ubuntu or Rocky Linux and wish to import it there.
This process can take very long if you have a large amount of data in your pool due to the resilvering process. It may not be a practical solution for everyone.
- FreeNAS (GELI is no longer used with TrueNAS, Ubuntu, Rocky Linux, etc.)
- A pool that has been created with GELI encryption (you cannot add encryption after creation)
- This pool must be unlocked if a passphrase was created.
- Terminal access either through FreeNAS UI or ssh client.
It is recommended to have a backup of your data in the event that something goes wrong during a resilver.
Get gptid’s for each drive
- Run zpool status in a terminal and copy the ID of the drives in the pool. Write these down or copy them to a text file.
Steps for each drive in the pool
Only do one drive at a time as it requires resilvering each one and we do not want to lose data.
Offline a drive using the gptid
- We will use the zpool and geli commands in the terminal .
zpool offline POOL_NAME gptid/12345xxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.eli geli detach gptid/12345xxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.eli
- When that is complete, run zpool status to see the new ID of the drive.
Replace drive with itself
- We will use the ID found above to specify which drive we are replacing. We will replace it with the same gptid as it originally was but we will remove the “.eli” at the end. Use zpool status to check the progress. Pools with lots of data will take longer to complete.
zpool replace POOL_NAME new-id-number original-gptid-without-eli
- When that completes, we will see the drive back in the pool but now it does not have the .eli extension.
- Repeat these steps until no drives in the pool have the .eli extension at the end of their gptid.
Export the Pool
- Back in the UI, export the pool.
- At this point the pool should no longer have the GELI encryption. You can import it back into FreeNAS or another OS.
- Here I will import it back to FreeNAS as a pool without any encryption.
- The pool is should be back online with its data intact.
- The pool should now be visible in other OS’s that do not recognize GELI encryption. Here it is in Houston on Rocky Linux.