[OpenIndiana-discuss] Sending our zpool offsite using encrypted USB HDDs

Edward Ned Harvey (openindiana) openindiana at nedharvey.com
Wed Aug 29 11:37:06 UTC 2012


> From: Julius Roberts [mailto:hooliowobbits at gmail.com]
> 
> /sbin/zfs send -R Backups/natoffice at offsite | /usr/bin/encrypt -a aes -k
> ~/encryption.key -o /Offsite/encrypted_zfs_send_blob
> 
> Is there a better way to be doing this?  Ours seems a
> little resource intensive and I'm not sure if it's reliable for large >
> 500gb datasets.

Yeah, this is definitely not a good idea, because you're receiving a file on the destination hard disk, instead of doing a zfs receive.  In order to get good reliability, you need to pipe directly into zfs receive.

I'm not sure when encryption was added to zfs, but you might have to get solaris 11 from oracle.

Is encryption available in illumos/openindiana?

There might be some other tricks you can play, like, use some 3rd party encryption tool to encrypt a file that occupies the whole disk, and then mount the decrypted file as a zfs device, so the actual zfs receiving filesystem lives inside a file that will be dismounted and encrypted at rest.




More information about the OpenIndiana-discuss mailing list