Identify device.
Attach the external storage and identify the device.
# dmesg
da0 at umass-sim0 bus 0 scbus7 target 0 lun 0
da0: <Seagate Performance 1337> Fixed Direct Access SPC-4 SCSI device
da0: Serial Number 1337XSCZ
da0: 400.000MB/s transfers
da0: 1907729MB (3907029167 512 byte sectors)
da0: quirks=0x2<NO_6_BYTE>
Create encryption key.
Create a secure encryption key component. The block size of this file is not directly related to the data key length for the encryption algorithm.
# dd if=/dev/random of=foobar.key bs=256 count=1
1+0 records in
1+0 records out
256 bytes transferred in 0.000037 secs (9560043 bytes/sec)
Initialize GELI encryption.
The sector size is set to 4096 bytes for better alignment with SSDs. The default encryption algorithm is AES-XTS. The data key length for the encryption algorithm is 256 bits. A backup of the metadata is written to the file foobar.eli. The utility will ask for a password to be used as a component of the key.
# geli init -s 4096 -K foobar.key -e aes-xts -l 256 -B foobar.eli /dev/da0
Enter new passphrase:
Reenter new passphrase:
Metadata backup for provider /dev/da0 can be found in foobar.eli
and can be restored with the following command:
# geli restore foobar.eli /dev/da0
Attach provider.
Attach the encrypted provider and get an accessible block device.
# geli attach -k foobar.key /dev/da0
Enter passphrase:
Create ZFS pool.
Create a ZFS pool on the encrypted device. Optimize the pool for 4096-byte sectors (ashift=12, since 2^12 = 4096), which are common for SSDs, as this setting controls the alignment of ZFS data.
# zpool create -o ashift=12 foobar /dev/da0.eli
Optimize ZFS pool.
If the device will be used for backup, you might want to enable LZ4 compression and disable access time updates for increased performance.
# zfs set compression=lz4 foobar
# zfs set atime=off foobar
Create ZFS datasets.
Create ZFS datasets in the pool as needed.
# zfs create foobar/backup
Set mountpoint.
Set ZFS mountpoint.
# zfs set mountpoint=/mnt/foobar foobar
Export ZFS pool.
When the USB SSD is no longer needed, prepare it for disconnection by exporting the ZFS pool.
# zpool export -f foobar
Detach provider.
# geli detach /dev/da0.eli
The external USB SSD can now be physically disconnected from the USB port and stored in a safe place.
Attach provider.
When the USB SSD is to be used again, it is connected via USB and the GELI provider is attached by supplying the encryption key component and the password component.
# geli attach -k foobar.key /dev/da0
Enter passphrase:
Import ZFS pool.
The ZFS pool can now be imported.
# zpool import foobar
The external USB SSD is now mounted and is ready to be used.
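Added example (not part of the original procedure): a sh helper for the "Create encryption key" and "Attach provider" steps above. make_key creates the key file owner-only and refuses to overwrite an existing one; check_key verifies its size and permissions. The function names and the RANDOM_SRC override are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the original page.
# KEY_BYTES matches the dd command on the page; RANDOM_SRC is a hypothetical
# override (the page reads /dev/random).
KEY_BYTES=256
RANDOM_SRC="${RANDOM_SRC:-/dev/random}"

# check_key FILE: succeed only if FILE is a regular file of exactly KEY_BYTES
# bytes with no group/other permission bits set.
check_key() {
    key="$1"
    [ -f "$key" ] || { echo "not a regular file: $key" >&2; return 1; }
    size=$(wc -c < "$key" | tr -d ' ')
    [ "$size" -eq "$KEY_BYTES" ] || { echo "unexpected size: $size" >&2; return 1; }
    # Characters 5-10 of the ls mode string are the group and other bits.
    mode=$(ls -ld "$key" | cut -c5-10)
    [ "$mode" = "------" ] || { echo "key readable by group/other" >&2; return 1; }
}

# make_key FILE: create FILE with KEY_BYTES random bytes, owner-only, and
# never overwrite it: the original bytes are needed to attach a provider
# that was initialized with this file.
make_key() {
    key="$1"
    [ -n "$key" ] || { echo "usage: make_key FILE" >&2; return 2; }
    if [ -e "$key" ]; then
        echo "refusing to overwrite existing key file: $key" >&2
        return 1
    fi
    (
        umask 077   # create the file without group/other access
        set -C      # noclobber: fail if the file appeared in the meantime
        dd if="$RANDOM_SRC" bs="$KEY_BYTES" count=1 2>/dev/null > "$key"
    ) || return 1
    # A short read would leave a weaker key than intended; discard it.
    check_key "$key" || { rm -f "$key"; return 1; }
}
```

Before attaching, `check_key foobar.key && geli attach -k foobar.key /dev/da0` catches a truncated or group/world-readable key file.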