John Baxter <> wrote:

> After searching for dm-crypt and ZFS on Linux and finding too little
> information, I shall ask here. Please keep in mind this in the context of
> running this in a production environment.
> We have the need to encypt our data, approximately 30TB on three ZFS
> volumes under Solaris 10. The volumes currently reside on iscsi sans
> connected via 10Gb/s ethernet. We have tested Solaris 11 with ZFS encrypted
> volumes and found the performance to be very poor and have an open bug
> report with Oracle.

Was the performance acceptable without encryption?

> We are a Linux shop and since performance is so poor and still no
> resolution, we are considering ZFS on Linux with dm-crypt.
> I have read once or twice that if we implemented ZFS + dm-crypt we would
> loose features, however which features are not specified.
> We currently mirror the volumes across identical iscsi sans with ZFS and we
> use hourly ZFS snapshots to update our DR site.
> Which features of ZFS are lost if we use dm-crypt? My guess would be they
> are related to raidz but unsure.

It depends on where you put the encryption layer. If you put it below ZFS,
no ZFS feature has to be lost although bugs in the encryption layer may
make the whole setup less reliable. Of course that's true for Oracle's
ZFS encryption as well.

If you put the encryption layer on top of ZFS, features like compression
and deduplication should be ineffective. It will not encrypt the ZFS
metadata, but it allows you to keep parts of the data on the pool intentionally
(or unintentionally) unencrypted. If your application doesn't work with
raw devices, you need a file system on top of the encryption layer again.

I'm not aware of anything raidz-related that is lost in either setup.

I haven't used ZFS with dm-crypt on GNU/Linux, but if I had to, I'd put
dm-crypt below ZFS and would rather split the pool than put dm-crypt on
top of ZFS.

My impression is that ext4 on dm-crypt on ZFS is a popular setup
(among bloggers), but I have no idea why and certainly wouldn't
want to use it in a production environment.

Just in case your GNU/Linux experiments don't work out, you could
also try ZFS on Geli on FreeBSD which works reasonably well.


Attachment: signature.asc
Description: PGP signature

zfs-discuss mailing list

Reply via email to