One of the things missing from zfs-fuse is the encryption subsystem. ZFS encryption was introduced by Oracle after closing the Solaris 10 source code, so we don't yet have an open source reference for it. So, how to get encrypted ZFS?

Every disk-based device is a block device and they all share the same APIs. This is what makes nesting LVM + DRBD + dm-crypt possible. Nested block devices! It's an all-or-nothing solution, not as elegant as a native dataset encryption subsystem, but it can work.

What I did:

- Started out making backups of everything courtesy of snapshots and zfs send. This would be a good opportunity to test a full recovery.
- Destroyed the zpool.
- Used gdisk to create single partitions on each of the storage disks. gdisk (GPT fdisk) is an fdisk-like tool that works on GUID disks. It's also aware of 4k disks and automatically sets the partition boundaries appropriately.
- Used cryptsetup/LUKS to create dm-crypt devices on the partitions.
- Then created a new raidz pool on top of those. And it works. There is some CPU overhead in the encryption layer but it is unnoticeable in normal operation.
- Restored everything via zfs receive. And it all works. Which means my notebook backups remain encrypted on disk. It's overkill for my music and video libraries but that comes with encrypting the vdev block devices.
- Finally wrote a little script to handle opening the encrypted devices and importing the zpool since it can't work unattended.

-- Rich P.
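The last step above, the unlock-then-import script, as an added example that is not Rich P.'s script: it assumes one LUKS container per partition, mapper names of the form crypt-<partition basename>, and the pool name plus raw partition paths given on the command line.

```shell
#!/bin/sh
# Added example (not the original poster's script): unlock the LUKS
# vdev partitions, then import the raidz pool built on top of them.
# Assumes one LUKS container per partition, mapped as /dev/mapper/crypt-<basename>.
set -eu

# In dry-run mode (DRY_RUN=1) print the privileged commands instead of
# executing them, so the sequence can be reviewed without root or disks.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# /dev/disk/by-id/ata-FOO-part1 -> crypt-ata-FOO-part1
mapper_name() {
    echo "crypt-${1##*/}"
}

# Open one LUKS device unless its mapping already exists. cryptsetup
# prompts for the passphrase on the terminal, which is why this step
# cannot run unattended.
unlock_device() {
    dev=$1
    name=$(mapper_name "$dev")
    if [ -z "${DRY_RUN:-}" ] && [ -e "/dev/mapper/$name" ]; then
        echo "$name already open, skipping" >&2
        return 0
    fi
    run cryptsetup luksOpen "$dev" "$name"
}

# Unlock every device, then import the pool by scanning only /dev/mapper
# so ZFS sees the decrypted block devices and not the raw partitions.
unlock_and_import() {
    pool=$1
    shift
    for dev in "$@"; do
        unlock_device "$dev"
    done
    run zpool import -d /dev/mapper "$pool"
}

# Only act when given a pool name and at least one partition;
# sourcing the file just defines the functions.
if [ $# -ge 2 ]; then
    unlock_and_import "$@"
fi
```

Running it as `DRY_RUN=1 ./zfs-unlock.sh tank /dev/disk/by-id/ata-A-part1 /dev/disk/by-id/ata-B-part1` prints the cryptsetup and zpool commands it would issue without touching any device.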