[Discuss] More Fun in ZFSland
Mark Woodward
markw at mohawksoft.com
Wed May 16 17:41:49 EDT 2012
On 05/16/2012 04:41 PM, Richard Pieri wrote:
Richard, I read this and say to myself, this sounds more like you want
to solve a problem with ZFS instead of wanting to solve a problem the
best way possible. If you want to do it with ZFS because you think you
can, then cool, have fun.
If you want to solve a problem, what is the specific problem, and is
there a solution that is less of the hoop-jumping kind? Usually
when I start seeing the need to do the sorts of things you seem to be
doing, I think to myself, "Someone else must be doing something
similar; it should not be this hard to do." Sometimes I find, yes, no
one else is doing this. Other times I get a "doh!" moment. I'm not
judging, I'm just saying. I get worried about my data when I start to do
"interesting" things with it.
> One of the things missing from zfs-fuse is the encryption subsystem.
> ZFS encryption was introduced by Oracle after closing the Solaris 10
> source code so we don't yet have an open source reference for it. So,
> how to get encrypted ZFS?
>
> Every disk-based device is a block device and they all share the same
> APIs. This is what makes nesting LVM + DRBD + dm-crypt possible.
>
> Nested block devices! It's an all-or-nothing solution, not as elegant
> as a native dataset encryption subsystem, but it can work.
>
> What I did:
>
> Started out making backups of everything courtesy of snapshots and zfs
> send. This would be a good opportunity to test a full recovery.
>
> Destroyed the zpool.
>
> Used gdisk to create single partitions on each of the storage disks.
> gdisk (GPT fdisk) is an fdisk-like tool that works on GUID disks.
> It's also aware of 4k disks and automatically sets the partition
> boundaries appropriately.
>
> Used cryptsetup/LUKS to create dm-crypt devices on the partitions.
> Then created a new raidz pool on top of those. And it works. There
> is some CPU overhead in the encryption layer but it is unnoticeable in
> normal operation.
>
> Restored everything via zfs receive. And it all works. Which means
> my notebook backups remain encrypted on disk. It's overkill for my
> music and video libraries but that comes with encrypting the vdev
> block devices.
>
> Finally wrote a little script to handle opening the encrypted devices
> and importing the zpool since it can't work unattended.
>
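Richard describes a "little script" that opens the LUKS containers and then imports the pool, because a raidz pool built on dm-crypt devices cannot come up unattended. The script below is an added example of that step, not Richard's own script; the pool name (tank), the partition list, the mapper naming scheme and the file name zpool-luks-open.sh are assumptions. Importing with -d /dev/mapper keeps ZFS from scanning the raw (ciphertext) partitions.

```shell
#!/bin/sh
# Open the LUKS containers backing each raidz vdev, then import the pool.
# Added example, not the poster's script. Pool name, partitions and mapper
# names are assumptions; command names can be overridden for dry runs.
set -e

POOL="${POOL:-tank}"                       # assumed pool name
CRYPTSETUP="${CRYPTSETUP:-cryptsetup}"
ZPOOL="${ZPOOL:-zpool}"
# Assumed layout: one GPT partition per disk (made with gdisk), each one a
# LUKS container that becomes a raidz member once opened.
PARTS="${PARTS:-/dev/sda1 /dev/sdb1 /dev/sdc1}"

# Map /dev/sdX1 -> crypt-sdX1 so every mapper name is stable and recognisable.
mapper_name() {
    printf 'crypt-%s\n' "${1##*/}"
}

# Open one container. Idempotent: skip devices that are already mapped so a
# half-finished run can be retried without an "already exists" error.
open_one() {
    name=$(mapper_name "$1")
    if [ -e "/dev/mapper/$name" ]; then
        echo "skip $name (already open)"
        return 0
    fi
    # Prompts for the passphrase, which is why this cannot run unattended.
    "$CRYPTSETUP" luksOpen "$1" "$name"
}

open_all() {
    for p in $PARTS; do open_one "$p"; done
}

# Search only /dev/mapper for pool members: ZFS then never sees the raw
# ciphertext partitions and cannot pick up stale labels from them.
import_pool() {
    "$ZPOOL" import -d /dev/mapper "$POOL"
}

main() {
    open_all
    import_pool
    "$ZPOOL" status "$POOL"
}

# Only run when invoked as a script under the assumed file name.
case "${0##*/}" in zpool-luks-open.sh) main "$@" ;; esac
```

Run it as root after boot (or from a systemd/init hook that still has a tty); with CRYPTSETUP=echo ZPOOL=echo it prints the commands instead of executing them.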