[OpenIndiana-discuss] Sending our zpool offsite using encrypted USB HDDs

Günther Alka alka at hfg-gmuend.de
Thu Aug 30 16:37:53 UTC 2012


You may

- create encrypted devices from files with lofiadm with any size, even 2 
GB to backup the files on any filesystem
- create an encrypted ZFS pool from these devices (works with OI and ZFS 28)

backup such a pool: copy the files to any backup device (cloud, other 
NAS, even USB disks, sticks)
if you use a Raid-Z2 vdev, you are even protected from multiple file 
corruption on insecure filesystems like FAT

read more
http://constantin.glez.de/blog/2012/02/introducing-sparse-encrypted-zfs-pools

from tests, this works even with large pools and is about 20% slower 
than Solaris 11 and its encrypted pools
but much more flexible because you can back up the encrypted pool itself 
by just copying the files it is built on.
I have included this mechanism into the napp-it Web-GUI under menu pools 
(create/import encrypted pools)


On 30.08.2012 13:37, Edward Ned Harvey (openindiana) wrote:
>> From: Jan Owoc [mailto:jsowoc at gmail.com]
>>
>> My personal opinion is that a variant on the way you described it in
>> your original mail is the best:
>> zfs send your_data | your_favourite_compression |
>> your_favourite_encryption > /usb_fs/backup.gz.gpg
> I still say, don't receive into a file.  This is an obvious best practice suggestion that's written in all the manuals and all over every wiki, including the zfs best practices guide and solaris administration guide.
>
> lofiadm supports encryption.  (At least, in openindiana.)
>
> Make an unencrypted, uncompressed zpool.
> Inside there, create a huge file.
> Use lofiadm to encrypt the huge file, and make the decrypted version available as a lofi device.
> (In fact, maybe you can apply the encryption directly to the raw device, skip the huge file?  That would be nice.)
> zpool create, compression=on, using the decrypted lofi device.
>
> Now you're able to do incremental receives, into a compressed zfs filesystem, which is stored in an encrypted file (or encrypted raw device).
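
The procedure from this message (encrypted lofi devices on files, a Raid-Z2 pool on top, then export and detach so the files can be copied), as an added example that is not part of the original mail or of napp-it. The pool name, directory, file names, file count and cipher are assumptions; DRY_RUN=1 prints the commands with a placeholder for each lofi device.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed names: pool "offsite",
# backing files /tank/enc/vdevN.img, four 2 GB files in one raidz2 vdev.
# DRY_RUN=1 (default) only prints the commands; DRY_RUN=0 executes them.
DRY_RUN=${DRY_RUN:-1}
POOL=${POOL:-offsite}
DIR=${DIR:-/tank/enc}
COUNT=${COUNT:-4}
SIZE=${SIZE:-2g}
CIPHER=${CIPHER:-aes-256-cbc}

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Device node that lofiadm mapped to a backing file (placeholder in dry run).
lofi_dev() {
    if [ "$DRY_RUN" = 1 ]; then echo "lofi-of:$1"; else lofiadm "$1"; fi
}

create_pool() {
    [ "$COUNT" -ge 3 ] || { echo "raidz2 needs at least 3 files" >&2; return 1; }
    devs=""
    i=1
    while [ "$i" -le "$COUNT" ]; do
        f="$DIR/vdev$i.img"
        run mkfile -n "$SIZE" "$f" || return 1        # sparse backing file
        run lofiadm -c "$CIPHER" -a "$f" || return 1  # prompts for a passphrase
        devs="$devs $(lofi_dev "$f")"
        i=$((i + 1))
    done
    # $devs is intentionally unquoted: one argument per device.
    run zpool create "$POOL" raidz2 $devs
}

# Export and detach first, so the backing files are consistent when copied.
release_pool() {
    run zpool export "$POOL" || return 1
    i=1
    while [ "$i" -le "$COUNT" ]; do
        run lofiadm -d "$DIR/vdev$i.img" || return 1
        i=$((i + 1))
    done
}

case "${1:-}" in
    create) create_pool ;;
    release) release_pool ;;
esac
```

After `release`, the files under the chosen directory contain only ciphertext and can be copied to the offsite medium.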



