Re: [OpenIndiana-discuss] Sending our zpool offsite using encrypted USB HDDs

Thu, 30 Aug 2012 09:38:58 -0700 

You may
- create encrypted devices from files with lofiadm with any size, even 2 GB to backup the files on any filesystem 
- create an encrypted ZFS pool from these devices (works with OI and ZFS 28)
backup such a pool: copy the files to any backup device (cloud, other NAS, even USB disks, sticks) if you use a Raid-Z2 vdev, you are even protected from multiple file corruption on unsecure filesystems like FAT 

read more
http://constantin.glez.de/blog/2012/02/introducing-sparse-encrypted-zfs-pools
from tests, this works even with large pools and is about 20% slower than Solaris 11 and its encrypted pools but much more flexible because you can backup the encrypted pool itself by just copying the files it is build on. I have included this mechanism into the napp-it Web-GUI under menu pools (create/import encrypted pools) 


On 30.08.2012 13:37, Edward Ned Harvey (openindiana) wrote:

From: Jan Owoc [mailto:jso...@gmail.com]

My personal opinion is that a variant on the way you described it in
your original mail is the best:
zfs send your_data | your_favourite_compression |
your_favourite_encryption > /usb_fs/backup.gz.gpg

I still say, don't receive into a file.  This is an obvious best practice 
suggestion that's written in all the manuals and all over every wiki, including 
the zfs best practices guide and solaris administration guide.

lofiadm supports encryption.  (At least, in openindiana.)

Make an unencrypted, uncompressed zpool.
Inside there, create a huge file.
Use lofiadm to encrypt the huge file, and make the decrypted version available 
as a lofi device.
(In fact, maybe you can apply the encryption directly to the raw device, skip 
the huge file?  That would be nice.)
zpool create, compression=on, using the decrypted lofi device.

Now you're able to do incremental receives, into a compressed zfs filesystem, 
which is stored in an encrypted file (or encrypted raw device).


_______________________________________________
OpenIndiana-discuss mailing list
OpenIndiana-discuss@openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss



_______________________________________________
OpenIndiana-discuss mailing list
OpenIndiana-discuss@openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss

Reply via email to