[OpenIndiana-discuss] Sending our zpool offsite using encrypted USB HDDs

Sašo Kiselkov skiselkov.ml at gmail.com
Tue Aug 28 23:50:39 UTC 2012


On 08/29/2012 01:27 AM, Julius Roberts wrote:
> anyone?

Hi Julius,

Seems like nobody picked up the question, so I'm going to.

> On 28 August 2012 14:42, Julius Roberts <hooliowobbits at gmail.com> wrote:
> 
>> Hi guys,
>>
>> due to a lack of high-speed networking, we're unable to replicate our ZFS
>> pool offsite, so we're relying on a zfs send to a USB disk.  We'd like that
>> encrypted.
>>
>> Currently I have an automated process which creates a zpool Offsite on a
>> big USB HDD, and then runs something like this, then exports the Offsite
>> pool.
>>
>> /sbin/zfs send -R Backups/natoffice@offsite | /usr/bin/encrypt -a aes -k ~/encryption.key -o /Offsite/encrypted_zfs_send_blob

Seems like pretty much the best way to do it. I'd personally go for gpg,
but that is merely a thing of personal taste.

>> Is there a better way to be doing this?  Ours seems a
>> little resource intensive and I'm not sure if it's reliable for large >
>> 500gb datasets.

No, there probably isn't. Encryption is a fairly quick process, though for
large data volumes it can take its toll on system resources. You could,
in the interests of lowering the data volume, do incremental sends and
receives - this would only transfer blocks which had changed between two
successive snapshots. Piping it through a fast compressor might also be a
good idea prior to encryption, as this might lower the data volume by
around 50% (see lz4 or lzo compression algorithms for this).

Reliability is assured, so you can sleep peacefully. Send streams are
AFAIK checksummed too, so no need to worry about your bits getting
corrupted on the way. Anyway, you can always just use something like GPG
which hashes the encrypted output by default and checks integrity on
decryption, something like this:

# zfs send fs@snapshot | gpg -c --cipher-algo AES --digest-algo SHA512 > /media/usb/stream.gpg

Hope this helps.

Cheers,
--
Saso
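
Added example (not part of the original message or of any project's code): the pipeline suggested above, with compression ahead of encryption and a read-back check that relies on gpg exiting non-zero for a damaged or truncated blob. It assumes GnuPG 2.1 or later and gzip as a stand-in for lz4/lzo; the function names and the passphrase file are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes GnuPG >= 2.1 and gzip
# (stand-in for lz4/lzo). Function names and the passphrase file are hypothetical.

# Where the shell supports it, make a failure anywhere in a pipeline (for
# example zfs send dying halfway) fail the whole pipeline, so a partial
# stream is not mistaken for a good backup.
(set -o pipefail) 2>/dev/null && set -o pipefail

# gpg_sym PASSFILE ARGS...: gpg without prompts, passphrase read from PASSFILE.
gpg_sym() {
    passfile=$1; shift
    gpg --batch --yes --quiet --pinentry-mode loopback \
        --passphrase-file "$passfile" "$@"
}

# encrypt_stream PASSFILE OUTFILE: compress stdin, then encrypt it.
# Compression must come first: ciphertext does not compress. gpg's own
# compression is switched off because the data is already compressed.
encrypt_stream() {
    gzip -1 | gpg_sym "$1" -c --cipher-algo AES --digest-algo SHA512 \
        --compress-algo none -o "$2"
}

# verify_blob PASSFILE BLOB: decrypt to /dev/null and return gpg's status.
# gpg exits non-zero when its integrity check fails or the file is cut short.
verify_blob() {
    gpg_sym "$1" -d "$2" > /dev/null
}

# decrypt_stream PASSFILE BLOB: write the original stream to stdout.
decrypt_stream() {
    gpg_sym "$1" -d "$2" | gzip -dc
}

# Usage with the names from the thread, before exporting the Offsite pool
# (~/backup.pass is a hypothetical passphrase file):
#   zfs send -R Backups/natoffice@offsite \
#     | encrypt_stream ~/backup.pass /Offsite/encrypted_zfs_send_blob \
#     && verify_blob ~/backup.pass /Offsite/encrypted_zfs_send_blob
# Restore:
#   decrypt_stream ~/backup.pass /Offsite/encrypted_zfs_send_blob | zfs receive ...
```
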


