
BLU Discuss list archive



[Discuss] More Fun in ZFSland



On 05/16/2012 04:41 PM, Richard Pieri wrote:

Richard, I read this and say to myself, this sounds more like you want 
to solve a problem with ZFS instead of wanting to solve a problem the 
best way possible. If you want to do it with ZFS because you think you 
can, then cool, have fun.

If you want to solve a problem, what is the specific problem? And is 
there a solution that is less of the hoop-jumping-through kind? Usually 
when I start seeing the need to do the sorts of things you seem to be 
doing, I think to myself, "Someone else must be doing something 
similar; it should not be this hard to do." Sometimes I find, yes, no 
one else is doing this. Other times I get a "doh!" moment. I'm not 
judging, I'm just saying. I get worried about my data when I start to do 
"interesting" things with it.

> One of the things missing from zfs-fuse is the encryption subsystem. 
> ZFS encryption was introduced by Oracle after closing the Solaris 10 
> source code so we don't yet have an open source reference for it.  So, 
> how to get encrypted ZFS?
>
> Every disk-based device is a block device and they all share the same 
> APIs.  This is what makes nesting LVM + DRBD + dm-crypt possible.
>
> Nested block devices!  It's an all-or-nothing solution, not as elegant 
> as a native dataset encryption subsystem, but it can work.
>
> What I did:
>
> Started out making backups of everything courtesy of snapshots and zfs 
> send.  This would be a good opportunity to test a full recovery.
>
> Destroyed the zpool.
>
> Used gdisk to create single partitions on each of the storage disks. 
> gdisk (GPT fdisk) is an fdisk-like tool that works on GUID disks.  
> It's also aware of 4k disks and automatically sets the partition 
> boundaries appropriately.
>
> Used cryptsetup/LUKS to create dm-crypt devices on the partitions.  
> Then created a new raidz pool on top of those.  And it works.  There 
> is some CPU overhead in the encryption layer but it is unnoticeable in 
> normal operation.
>
> Restored everything via zfs receive.  And it all works.  Which means 
> my notebook backups remain encrypted on disk.  It's overkill for my 
> music and video libraries but that comes with encrypting the vdev 
> block devices.
>
> Finally wrote a little script to handle opening the encrypted devices 
> and importing the zpool since it can't work unattended.
>

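The "little script" mentioned at the end of the quoted post, written here as an added example rather than Richard's own code: it opens the LUKS containers that back each vdev and then imports the pool. The pool name, member partition paths and the /dev/mapper naming scheme are assumptions.

```shell
#!/bin/sh
# Added example, not the original poster's script: open the LUKS
# containers under a raidz pool's vdevs, then import the pool.
# Pool name, member partitions and mapping names are assumed values.
set -eu

POOL="${POOL:-tank}"   # assumed pool name
# Assumed member partitions, one LUKS container per disk as in the post.
MEMBERS="${MEMBERS:-/dev/disk/by-id/ata-DISK_A-part1 /dev/disk/by-id/ata-DISK_B-part1 /dev/disk/by-id/ata-DISK_C-part1}"

# mapper_name PART: dm-crypt mapping name for a member partition, e.g.
# /dev/disk/by-id/ata-DISK_A-part1 -> crypt-ata-DISK_A
mapper_name() {
    printf 'crypt-%s\n' "$(basename "$1" | sed 's/-part[0-9]*$//')"
}

# count_open: number of members already mapped under /dev/mapper.
count_open() {
    n=0
    for p in $MEMBERS; do
        [ -e "/dev/mapper/$(mapper_name "$p")" ] && n=$((n + 1))
    done
    echo "$n"
}

# count_members: size of MEMBERS, the value count_open must reach.
count_members() { set -- $MEMBERS; echo $#; }

# open_all: prompt for the passphrase once (all members share it here) and
# feed it to cryptsetup on stdin with no trailing newline, which is what a
# passphrase typed at the interactive prompt looks like to LUKS.
open_all() {
    printf 'LUKS passphrase for pool %s: ' "$POOL" >&2
    trap 'stty echo' EXIT
    stty -echo; read -r pass; stty echo; printf '\n' >&2
    for p in $MEMBERS; do
        name=$(mapper_name "$p")
        [ -e "/dev/mapper/$name" ] && continue     # already open, skip
        printf '%s' "$pass" | cryptsetup open --key-file - "$p" "$name"
    done
    unset pass
}

# import_pool: search only the mapped devices, and refuse to import while
# any member is still closed rather than bringing the pool up degraded.
import_pool() {
    [ "$(count_open)" -eq "$(count_members)" ] || {
        echo "only $(count_open)/$(count_members) members open" >&2; return 1; }
    zpool import -d /dev/mapper "$POOL"
}

# Run the sequence only when invoked as "script run", so sourcing is safe.
if [ "${1:-}" = run ]; then open_all; import_pool; fi
```

To tear down, export the pool first and then `cryptsetup close` each mapping; the open/import order above is simply reversed.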



BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.
