[Discuss] ZFS for an Encrypted External Disk: My Experience and Notes

Kent Borg kentborg at borg.org
Mon Jul 25 11:34:04 EDT 2022


I recently had a disk I use for external backup lose its mind. And 
though XFS has been mostly good to me for many years, I decided it was 
time to try ZFS. The fact it will notice any data errors it encounters, 
and can check the entire disk for errors, is reassuring. And the fact it 
is designed for /really/ big disks makes me think it is a reasonable 
filesystem for dealing with a measly little 5TB USB-C disk.

Note, it is not as easy to use as the XFS disks. For them the GUI I use 
knows how to ask for the passphrase and mount, and unmount, but for ZFS 
it does not. But it seems to work. My backup procedure already requires 
I type commands, what's a few more?

I formatted a second disk (I need to ping-pong my offline backups), and 
here are my notes from the second time through, when I kinda knew what I 
was doing. I hope there aren't any errors.

Plug in new disk. Then:

   df

Works? Note the device and change the "sda"s below as appropriate. Then 
unmount the disk, delete all partitions, using fdisk, GParted, etc. Then 
(I chose the name extern_backup_pool, choose what you like):

   zpool create extern_backup_pool /dev/sda
   zpool export extern_backup_pool
   ls -alF /dev/disk/by-id

Again note which is your disk, change the ID below as appropriate. Then 
(I chose the mount point this disk will use, choose what you would like;
I also chose the name extern_backup_dataset, choose what you would like):

   zpool import -d /dev/disk/by-id/usb-WD_My_Passport_260D_575843324442314A5558354B-0:0-part1 extern_backup_pool -N
   zpool status
   zfs set compression=on extern_backup_pool
   zfs set mountpoint=/zfs_mounts/extern_backup_pool extern_backup_pool
   zfs create -o encryption=on -o keylocation=prompt -o keyformat=passphrase extern_backup_pool/extern_backup_dataset

Enter passphrase. Then:

   zfs get mountpoint
   zpool status

Look good? Unmount:

   zfs unmount extern_backup_pool/extern_backup_dataset && zpool export extern_backup_pool

To mount do:

   zpool import -d /dev/disk/by-id extern_backup_pool && zfs mount -l extern_backup_pool/extern_backup_dataset

I made two /usr/local/sbin scripts to make that easier in the future. If 
you forget the zpool export part of the unmount and still unplug, it 
seems a reboot is necessary to clean things up…which seems a bad thing. 
I hope I am wrong and it isn't the only option.

To check whether the data all reads back correctly do a scrub (takes a 
long time, and note the scrub happens on the underlying pool not the 
dataset; the volume does not have to be mounted to do a scrub, though 
the pool needs to be imported):

   zpool scrub extern_backup_pool

Add a -w flag above and it will block until it finishes; running zpool 
status will give you progress information.

Noticing errors along the way is a good thing, but backups are a 
write-mostly operation for changing data, so the ability to check the 
entire disk contents for failures is also appealing. I haven't decided 
how often to do this. My disk holds less than 1TB currently, and it took 
over three hours to scrub, as it gets fuller it will take longer—plus 
the wear and tear of frequently reading everything seems a real 
concern—so I won't do it every time I do a backup. For the moment I 
think I will paste the output of the zpool status into a log file at the 
root of each disk to keep track of when I have scrubbed it.


-kb, the Kent who is impressed at how fast current USB-C disks are.
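
The mount and unmount helpers and the scrub log mentioned in the post could look like the following. This is an added example, not the author's scripts: the pool and dataset names are the ones from the post, while the function names and the scrub.log file name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Pool and dataset names are the
# ones chosen in the post; function names and scrub.log are hypothetical.
POOL="${POOL:-extern_backup_pool}"
DATASET="${DATASET:-$POOL/extern_backup_dataset}"

# Import the pool, then prompt for the passphrase (-l) and mount the dataset.
backup_mount() {
    zpool import -d /dev/disk/by-id "$POOL" || return 1
    if ! zfs mount -l "$DATASET"; then
        # Wrong passphrase or failed mount: do not leave the pool imported.
        zpool export "$POOL"
        return 1
    fi
}

# Unmount and export; report "safe to unplug" only once the pool is gone.
backup_umount() {
    if [ "$(zfs get -H -o value mounted "$DATASET" 2>/dev/null)" = "yes" ]; then
        zfs unmount "$DATASET" || { echo "unmount failed, disk in use" >&2; return 1; }
    fi
    zpool export "$POOL" || { echo "export failed, do NOT unplug" >&2; return 1; }
    if zpool list "$POOL" >/dev/null 2>&1; then
        echo "$POOL is still imported, do NOT unplug" >&2
        return 1
    fi
    echo "$POOL exported, safe to unplug"
}

# Append a timestamp and the current zpool status (its "scan:" line carries
# the scrub result) to a log at the root of the encrypted dataset.
backup_scrublog() {
    # If the dataset is not mounted, the write would land outside the
    # encrypted dataset, so refuse.
    [ "$(zfs get -H -o value mounted "$DATASET")" = "yes" ] || {
        echo "$DATASET is not mounted" >&2; return 1; }
    mp=$(zfs get -H -o value mountpoint "$DATASET") || return 1
    { date -u +%Y-%m-%dT%H:%M:%SZ; zpool status "$POOL"; echo; } >> "$mp/scrub.log"
}

case "${1:-}" in
    mount)    backup_mount ;;
    umount)   backup_umount ;;
    scrublog) backup_scrublog ;;
esac
```

Run it as root with `mount`, `umount` or `scrublog` as the only argument; run `scrublog` after a scrub has finished and while the dataset is still mounted.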
