Of course, if one of these drives were stolen or lost, I would rather the thief not end up with a copy of all my data. Therefore, I use geli to encrypt the entire zpool.
I chose to set up geli using only a passphrase. You can also use keyfiles, but since one purpose of these off-site disks is to recover from catastrophic data loss, not using a keyfile means I don't have to worry about how to preserve the keyfile safely off-site as well.
Setting up the encrypted pool the first time is easy (the file geli-password contains the passphrase):
# geli init -s 4096 -J geli-password /dev/ada4p1
# geli attach -j geli-password /dev/ada4p1
# zpool create bpool /dev/ada4p1.eli
And attaching the next time is similar:
# geli attach -j geli-password /dev/ada4p1
# zpool import -d /dev bpool
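The first-time and subsequent-time procedures above, wrapped in a small script with the checks I would want before touching an off-site disk. This is an added example, not part of the original post: it assumes the same names the post uses (device /dev/ada4p1, pool bpool, passphrase file geli-password, all overridable through environment variables), refuses to run if the passphrase file is missing, empty or readable by other users, skips geli attach if the .eli provider already exists, exports the pool before detaching the provider, and with DRYRUN=1 only prints the commands it would run.

```shell
#!/bin/sh
# Attach/detach a geli-encrypted off-site backup disk and import/export its zpool.
# Added example; assumed names follow the post and can be overridden by environment:
#   DEV=/dev/ada4p1 POOL=bpool PWFILE=geli-password DRYRUN=0
set -eu

DEV="${DEV:-/dev/ada4p1}"
POOL="${POOL:-bpool}"
PWFILE="${PWFILE:-geli-password}"
DRYRUN="${DRYRUN:-0}"

# Run a command, or only print it when DRYRUN=1 (useful to review before running as root).
run() {
    if [ "$DRYRUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Refuse to proceed if the passphrase file is missing, empty, or readable by others.
# GNU stat (-c) is tried first; FreeBSD/BSD stat (-f) is the fallback.
check_pwfile() {
    f="$1"
    [ -s "$f" ] || { echo "passphrase file $f is missing or empty" >&2; return 1; }
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        600|400) ;;
        *) echo "passphrase file $f has mode $mode; expected 600" >&2; return 1 ;;
    esac
}

# First-time setup: geli init (-J reads the passphrase from a file), attach, create the pool.
# WARNING: geli init overwrites the provider's metadata; only run this on a fresh disk.
init_backup() {
    dev="$1"; pool="$2"; pwfile="$3"
    check_pwfile "$pwfile"
    run geli init -s 4096 -J "$pwfile" "$dev"
    run geli attach -j "$pwfile" "$dev"
    run zpool create "$pool" "$dev.eli"
}

# Every later time: attach the provider (-j reads the passphrase from a file) and import the pool.
attach_backup() {
    dev="$1"; pool="$2"; pwfile="$3"
    check_pwfile "$pwfile"
    if [ -e "$dev.eli" ]; then
        echo "$dev.eli already attached, skipping geli attach" >&2
    else
        run geli attach -j "$pwfile" "$dev"
    fi
    run zpool import -d /dev "$pool"
}

# Before unplugging: export the pool first, then detach the provider, so ZFS never
# sees the encrypted device vanish underneath an imported pool.
detach_backup() {
    dev="$1"; pool="$2"
    run zpool export "$pool"
    run geli detach "$dev.eli"
}

# Dispatch on the first argument; with no arguments only the functions are defined
# (so the file can be sourced from another script).
case "${1:-}" in
    init)   init_backup   "$DEV" "$POOL" "$PWFILE" ;;
    attach) attach_backup "$DEV" "$POOL" "$PWFILE" ;;
    detach) detach_backup "$DEV" "$POOL" ;;
    "")     ;;
    *)      echo "usage: $0 init|attach|detach" >&2; exit 2 ;;
esac
```

Usage: `DRYRUN=1 sh geli-backup.sh attach` prints the two commands without running them; drop DRYRUN to run them as root. The permission check matters because -J/-j read the passphrase from a plain file, so that file is exactly as sensitive as the disk contents it protects.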
On my system (no AES acceleration), zfs receive peaks at about 100 MB/s, which is quite adequate for replication duties. (This is with -o compression=gzip, which probably also limits the top speed.)
Update: More recently, I've worked on some portable software to decrypt data from AES-128-XTS geli volumes, in case I ever need to read one of these backups and all I have is Linux (with ZOL or zfs-fuse, presumably).
Entry first conceived on 25 November 2013, 2:31 UTC, last modified on 30 November 2013, 2:36 UTC
Website Copyright © 2004-2024 Jeff Epler