On 05/16/2012 04:41 PM, Richard Pieri wrote:

Richard, I read this and say to myself, this sounds more like you want to solve a problem with ZFS instead of wanting to solve a problem the best way possible. If you want to do it with ZFS because you think you can, then cool, have fun.

If you want to solve a problem, what is the specific problem? And is there a solution that is less of the hoop-jumping kind? Usually when I start seeing the need to do the sorts of things you seem to be doing, I think to myself, "Someone else must be doing something similar, it should not be this hard to do." Sometimes I find, yes, no one else is doing this. Other times I get a "doh!" moment. I'm not judging, I'm just saying. I get worried about my data when I start to do "interesting" things with it.

One of the things missing from zfs-fuse is the encryption subsystem. ZFS encryption was introduced by Oracle after closing the Solaris 10 source code so we don't yet have an open source reference for it. So, how to get encrypted ZFS?

Every disk-based device is a block device and they all share the same APIs. This is what makes nesting LVM + DRBD + dm-crypt possible.

Nested block devices! It's an all-or-nothing solution, not as elegant as a native dataset encryption subsystem, but it can work.

What I did:

Started out making backups of everything courtesy of snapshots and zfs send. This would be a good opportunity to test a full recovery.

Destroyed the zpool.

Used gdisk to create single partitions on each of the storage disks. gdisk (GPT fdisk) is an fdisk-like tool that works on GUID disks. It's also aware of 4k disks and automatically sets the partition boundaries appropriately.

Used cryptsetup/LUKS to create dm-crypt devices on the partitions. Then created a new raidz pool on top of those. And it works. There is some CPU overhead in the encryption layer but it is unnoticeable in normal operation.

Restored everything via zfs receive. And it all works. Which means my notebook backups remain encrypted on disk. It's overkill for my music and video libraries but that comes with encrypting the vdev block devices.

Finally wrote a little script to handle opening the encrypted devices and importing the zpool since it can't work unattended.
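A script along the lines of the one described in that last step, written as an added example rather than the poster's own; the device paths, the pool name and the `zfs-<partition>` mapping-name scheme are assumptions, and it is interactive by design because cryptsetup prompts for each container's passphrase:

```shell
#!/bin/sh
# Added example, not the poster's script: open the LUKS containers that back
# each raidz vdev, then import the pool. It cannot run unattended because
# cryptsetup prompts for the passphrase of every container.
set -eu

# Assumed layout (hypothetical names): one GPT partition per disk, each a LUKS container.
POOL="${POOL:-tank}"
DISKS="${DISKS:-/dev/disk/by-id/ata-DISK1-part1 /dev/disk/by-id/ata-DISK2-part1 /dev/disk/by-id/ata-DISK3-part1}"

# Stable dm-crypt mapping name for a partition: zfs-<partition basename>.
mapname() { printf 'zfs-%s\n' "$(basename "$1")"; }

# Accept only absolute paths without whitespace, so a typo in DISKS cannot be
# split into two bogus devices or hand cryptsetup a relative path.
valid_dev() {
  case "$1" in
    /*) case "$1" in *[[:space:]]*) return 1 ;; *) return 0 ;; esac ;;
    *)  return 1 ;;
  esac
}

# Open every container; if one fails, close the ones already opened so the
# pool is never imported with a missing vdev (raidz would come up degraded).
open_all() {
  opened=""
  for dev in $DISKS; do
    valid_dev "$dev" || { echo "refusing bad device path: $dev" >&2; return 1; }
    name=$(mapname "$dev")
    [ -e "/dev/mapper/$name" ] && continue          # already open
    if ! cryptsetup luksOpen "$dev" "$name"; then
      for n in $opened; do cryptsetup luksClose "$n"; done
      return 1
    fi
    opened="$opened $name"
  done
}

# -d limits the device scan to /dev/mapper, so zpool only sees the decrypted
# mappings and never tries to use the raw (ciphertext) partitions.
import_pool() { zpool import -d /dev/mapper "$POOL"; }

main() { open_all && import_pool; }

# Run only when explicitly asked, so the functions can be sourced or tested.
if [ "${ZFS_LUKS_RUN:-0}" = 1 ]; then main; fi
```

Invoke it as `ZFS_LUKS_RUN=1 sh open-zpool.sh` after boot; the pool then stays unavailable until someone types the passphrases, which is the trade-off the post describes.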

