Encrypted ZFS for off-site backups

As I recently discussed, I use zfs replication for my off-site backups, manually moving volumes from my home to a second location on a semi-regular schedule.

Of course, I would rather that if one of these drives were stolen or lost that the thief not have a copy of all my data. Therefore, I use geli to encrypt the entire zpool.

I chose to set up geli using only a passphrase; you can also use keyfiles, but since one purpose of these off-site disks is to recover from catastrophic data loss, by choosing not to use a keyfile I don't have to worry about how to preserve the keyfile offsite safely.

Setting up the encrypted pool the first time is easy (the file geli-password contains the password):

# geli init -s 4096 -J geli-password  /dev/ada4p1
# geli attach -j geli-password /dev/ada4p1
# zpool create bpool /dev/ada4p1.eli

And attaching the next time is similar:

# geli attach -j geli-password /dev/ada4p1
# zpool import -d /dev bpool

On my system (no AES acceleration), zfs receive peaks at about 100MB/s which is quite adequate for replication duties. (this is with -o compression=gzip which probably also impacts the top speed)

Update: More recently, I've worked on some portable software to decrypt data from AES-128-XTS geli volumes, in case I ever need to read one of these backups and all I have is Linux (with ZOL or zfs-fuse, presumably).

Entry first conceived on 25 November 2013, 2:31 UTC, last modified on 30 November 2013, 2:36 UTC
Website Copyright © 2004-2021 Jeff Epler