[OpenIndiana-discuss] Sending our zpool offsite using encrypted USB HDDs

Edward Ned Harvey (openindiana) openindiana at nedharvey.com
Thu Aug 30 11:37:41 UTC 2012


> From: Jan Owoc [mailto:jsowoc at gmail.com]
> 
> My personal opinion is that a variant on the way you described it in
> your original mail is the best:
> zfs send your_data | your_favourite_compression |
> your_favourite_encryption > /usb_fs/backup.gz.gpg

I still say, don't receive into a file.  This is an obvious best practice suggestion that's written in all the manuals and all over every wiki, including the ZFS Best Practices Guide and the Solaris administration guide.

lofiadm supports encryption.  (At least, in OpenIndiana.)

Make an unencrypted, uncompressed zpool.
Inside there, create a huge file.
Use lofiadm to encrypt the huge file, and make the decrypted version available as a lofi device.
(In fact, maybe you can apply the encryption directly to the raw device, skip the huge file?  That would be nice.)
zpool create, compression=on, using the decrypted lofi device.

Now you're able to do incremental receives, into a compressed zfs filesystem, which is stored in an encrypted file (or encrypted raw device).
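
The steps described above, as an added example that is not part of the original post. The pool, disk and file names are hypothetical placeholders, aes-256-cbc is an assumed cipher choice, and the script only prints the commands unless DRY_RUN=0 is set:

```shell
#!/bin/sh
# Added example. Pool, disk and file names are hypothetical; aes-256-cbc is an assumed choice.
USB_POOL=${USB_POOL:-usbraw}              # plain (unencrypted, uncompressed) pool on the USB disk
USB_DISK=${USB_DISK:-c5t0d0}              # placeholder device name
BACKING=${BACKING:-/$USB_POOL/backup.img} # the "huge file"
SIZE=${SIZE:-900g}
BACKUP_POOL=${BACKUP_POOL:-offsite}       # compressed pool inside the encrypted file
DRY_RUN=${DRY_RUN:-1}                     # 1 = only print the commands

run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# Map the encrypted file; lofiadm asks for the passphrase and prints the device.
attach_encrypted() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "+ lofiadm -c aes-256-cbc -a $BACKING" >&2
        echo /dev/lofi/1                  # placeholder device for the dry run
    else
        lofiadm -c aes-256-cbc -a "$BACKING"
    fi
}

setup() {                                 # one-time preparation of a new USB disk
    run zpool create "$USB_POOL" "$USB_DISK"
    run mkfile "$SIZE" "$BACKING"
    dev=$(attach_encrypted) || return 1
    run zpool create -O compression=on "$BACKUP_POOL" "$dev"
}

# $1 = source filesystem, $2 = snapshot already on the backup, $3 = new snapshot
send_incremental() {
    target="$BACKUP_POOL/${1##*/}"
    if [ "$DRY_RUN" = 1 ]; then
        echo "+ zfs send -i $1@$2 $1@$3 | zfs receive -F $target"
    else
        zfs send -i "$1@$2" "$1@$3" | zfs receive -F "$target"
    fi
}

detach() {                                # before unplugging the disk
    run zpool export "$BACKUP_POOL"
    run lofiadm -d "$BACKING"
    run zpool export "$USB_POOL"
}

case "${1:-}" in
    setup)  setup ;;
    send)   send_incremental "$2" "$3" "$4" ;;
    detach) detach ;;
esac
```

The first transfer has to be a full `zfs send` without `-i`, so that the base snapshot exists on the backup pool before any incremental is received.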



