Re: Encrypted zfs?

From: Hugo Silva <hugo_at_barafranca.com> Date: Tue, 28 Aug 2007 12:34:11 +0100 · This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:39:16 UTC

Pawel Jakub Dawidek wrote:
> On Mon, Aug 27, 2007 at 12:48:18PM +0000, Christian Walther wrote:
>   
>> Hello list,
>>
>> I'm currently using a zraid consisting of three drives. Lately I wonder 
>> what the best way would be to encrypt it.
>> I read the chapter dealing with disk encryption in the handbook, and 
>> decided to use GELI. Is there anyone here on the list who has some 
>> experiences with ZFS on encrypted GELI devices? Are there some 
>> performance specs around?
>>
>> And what is even more important: What is the best of moving the zraid to 
>> encrypted devices?
>> I can't remove one of the disks because they are in use. So I figure one 
>> way would be to buy another disk, set up encryption and add it to the 
>> pool. I could then remove one disk after the other, encrypt it, remove 
>> the (now broken one) from the zpool, and add the newly encrypted device.
>> Since buying disks costs money I wonder how save it would be to follow 
>> this procedure without adding a new disk. From my point of view I'll 
>> loose redundancy as soon as I remove one of the three disks. But is 
>> there another problem or something dangerous I don't see her?
>>     
>
> slayer:root:~# zpool list
> NAME                    SIZE    USED   AVAIL    CAP  HEALTH     ALTROOT
> private                 334G   64,6G    269G    19%  ONLINE     -
> tank                   1,45T    607G    881G    40%  ONLINE     -
>
> slayer:root:~# zpool status
>   pool: private
>  state: ONLINE
>  scrub: none requested
> config:
>
>         NAME           STATE     READ WRITE CKSUM
>         private        ONLINE       0     0     0
>           raidz1       ONLINE       0     0     0
>             ad1s2.eli  ONLINE       0     0     0
>             ad6.eli    ONLINE       0     0     0
>             ad7s2.eli  ONLINE       0     0     0
>
> errors: No known data errors
>
>   pool: tank
>  state: ONLINE
>  scrub: none requested
> config:
>
>         NAME         STATE     READ WRITE CKSUM
>         tank         ONLINE       0     0     0
>           raidz1     ONLINE       0     0     0
>             ad3.eli  ONLINE       0     0     0
>             ad4.eli  ONLINE       0     0     0
>             ad5.eli  ONLINE       0     0     0
>             ad8.eli  ONLINE       0     0     0
>             ad9.eli  ONLINE       0     0     0
>
> errors: No known data errors
>
>   

How's the performance on the geli-backed pool ?

I've done this experiment myself, but with ggate and over the world, so 
couldn't measure any kind of useful data (when it comes to performance).

Best regards,

Hugo