[Discuss] More Fun in ZFSland

Richard Pieri richard.pieri at gmail.com
Wed May 16 16:41:40 EDT 2012


One of the things missing from zfs-fuse is the encryption subsystem. 
ZFS encryption was introduced by Oracle after closing the Solaris 10 
source code, so we don't yet have an open source reference for it.  So, 
how to get encrypted ZFS?

Every disk-based device is a block device and they all share the same 
APIs.  This is what makes nesting LVM + DRBD + dm-crypt possible.

Nested block devices!  It's an all-or-nothing solution, not as elegant 
as a native dataset encryption subsystem, but it can work.

What I did:

Started out making backups of everything courtesy of snapshots and zfs 
send.  This would be a good opportunity to test a full recovery.

Destroyed the zpool.

Used gdisk to create single partitions on each of the storage disks. 
gdisk (GPT fdisk) is an fdisk-like tool that works on GUID disks.  It's 
also aware of 4k disks and automatically sets the partition boundaries 
appropriately.

Used cryptsetup/LUKS to create dm-crypt devices on the partitions.  Then 
created a new raidz pool on top of those.  And it works.  There is some 
CPU overhead in the encryption layer but it is unnoticeable in normal 
operation.

Restored everything via zfs receive.  And it all works.  Which means my 
notebook backups remain encrypted on disk.  It's overkill for my music 
and video libraries but that comes with encrypting the vdev block devices.

Finally wrote a little script to handle opening the encrypted devices 
and importing the zpool since it can't work unattended.

-- 
Rich P.
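A script of the kind the post describes (open the LUKS devices, then import the pool; export the pool, then close them) is shown below as an added example. It is not the author's script. The pool name "tank", the three by-id partition paths and the "luks-" mapper prefix are hypothetical placeholders; the one-time creation commands appear only as comments because they are destructive.

```shell
#!/bin/sh
# Open the LUKS containers under a raidz pool and import it, or export the
# pool and close them again. Hypothetical names throughout: pool "tank",
# the three by-id partition paths, and the "luks-" mapper prefix.
#
# One-time creation, for reference (destructive; not executed here):
#   gdisk /dev/disk/by-id/ata-DISK_A            # one GPT partition, 4k-aligned
#   cryptsetup luksFormat /dev/disk/by-id/ata-DISK_A-part1
#   ... repeat for each disk, then with all containers open:
#   zpool create tank raidz /dev/mapper/luks-ata-DISK_A-part1 \
#                           /dev/mapper/luks-ata-DISK_B-part1 \
#                           /dev/mapper/luks-ata-DISK_C-part1
set -eu

POOL="${POOL:-tank}"
DISKS="${DISKS:-/dev/disk/by-id/ata-DISK_A-part1 /dev/disk/by-id/ata-DISK_B-part1 /dev/disk/by-id/ata-DISK_C-part1}"

# dm-crypt name for a partition: /dev/disk/by-id/X-part1 -> luks-X-part1
mapper_name() {
    printf 'luks-%s\n' "$(basename "$1")"
}

# One /dev/mapper path per line: the vdevs the pool is really built on.
mapper_paths() {
    for part in $DISKS; do
        printf '/dev/mapper/%s\n' "$(mapper_name "$part")"
    done
}

# Open every container. raidz needs all of them for a clean import, so a
# failure part-way rolls back the ones opened in this run.
open_all() {
    opened=""
    for part in $DISKS; do
        name=$(mapper_name "$part")
        if [ -e "/dev/mapper/$name" ]; then
            continue                    # already open from an earlier run
        fi
        if ! cryptsetup luksOpen "$part" "$name"; then
            echo "cannot open $part; closing containers opened so far" >&2
            for n in $opened; do cryptsetup luksClose "$n"; done
            return 1
        fi
        opened="$opened $name"
    done
}

close_all() {
    for part in $DISKS; do
        name=$(mapper_name "$part")
        if [ -e "/dev/mapper/$name" ]; then
            cryptsetup luksClose "$name"
        fi
    done
}

case "${1:-}" in
    open)
        open_all
        # Point zpool at the mapper devices, not the raw partitions.
        zpool import -d /dev/mapper "$POOL"
        ;;
    close)
        # Export first; a vdev cannot be closed while the pool holds it.
        zpool export "$POOL"
        close_all
        ;;
    "")
        ;;                              # no verb: define functions only
    *)
        echo "usage: $0 open|close" >&2
        exit 1
        ;;
esac
```

Run as root with `sh zfs-crypt.sh open` after boot and `sh zfs-crypt.sh close` before shutdown. cryptsetup prompts for a passphrase per container, which is why this cannot run unattended; cryptsetup's `--key-file` option would remove the prompt, at the cost of keeping the key on an unencrypted boot volume. Passing `-d /dev/mapper` to `zpool import` matters: it makes ZFS look for labels on the opened devices rather than scanning the raw partitions.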
