Encrypted zfs?

Hugo Silva hugo at barafranca.com
Tue Aug 28 04:34:49 PDT 2007


Pawel Jakub Dawidek wrote:
> On Mon, Aug 27, 2007 at 12:48:18PM +0000, Christian Walther wrote:
>   
>> Hello list,
>>
>> I'm currently using a zraid consisting of three drives. Lately I wonder 
>> what the best way would be to encrypt it.
>> I read the chapter dealing with disk encryption in the handbook, and 
>> decided to use GELI. Is there anyone here on the list who has some 
>> experiences with ZFS on encrypted GELI devices? Are there some 
>> performance specs around?
>>
>> And what is even more important: What is the best way of moving the zraid to 
>> encrypted devices?
>> I can't remove one of the disks because they are in use. So I figure one 
>> way would be to buy another disk, set up encryption and add it to the 
>> pool. I could then remove one disk after the other, encrypt it, remove 
>> the (now broken one) from the zpool, and add the newly encrypted device.
>> Since buying disks costs money I wonder how safe it would be to follow 
>> this procedure without adding a new disk. From my point of view I'll 
>> lose redundancy as soon as I remove one of the three disks. But is 
>> there another problem or something dangerous I don't see here?
>>     
>
> slayer:root:~# zpool list
> NAME                    SIZE    USED   AVAIL    CAP  HEALTH     ALTROOT
> private                 334G   64,6G    269G    19%  ONLINE     -
> tank                   1,45T    607G    881G    40%  ONLINE     -
>
> slayer:root:~# zpool status
>   pool: private
>  state: ONLINE
>  scrub: none requested
> config:
>
>         NAME           STATE     READ WRITE CKSUM
>         private        ONLINE       0     0     0
>           raidz1       ONLINE       0     0     0
>             ad1s2.eli  ONLINE       0     0     0
>             ad6.eli    ONLINE       0     0     0
>             ad7s2.eli  ONLINE       0     0     0
>
> errors: No known data errors
>
>   pool: tank
>  state: ONLINE
>  scrub: none requested
> config:
>
>         NAME         STATE     READ WRITE CKSUM
>         tank         ONLINE       0     0     0
>           raidz1     ONLINE       0     0     0
>             ad3.eli  ONLINE       0     0     0
>             ad4.eli  ONLINE       0     0     0
>             ad5.eli  ONLINE       0     0     0
>             ad8.eli  ONLINE       0     0     0
>             ad9.eli  ONLINE       0     0     0
>
> errors: No known data errors
>
>   

How's the performance on the geli-backed pool?

I've done this experiment myself, but with ggate and over the world, so 
couldn't measure any kind of useful data (when it comes to performance).

Best regards,

Hugo
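
An added example, not part of the original thread: during the one-disk-at-a-time move to GELI asked about above, a pool is only fully encrypted once every member is a `.eli` provider, as in the `zpool status` output quoted above. The function name `unencrypted_vdevs` is hypothetical and the sample status text is constructed.

```shell
#!/bin/sh
# Added example: list pool members that are not GELI providers.
# Reads `zpool status` text on stdin and prints "<pool> <device>" for
# every leaf vdev whose name does not end in ".eli".
unencrypted_vdevs() {
    awk '
        $1 == "pool:"   { pool = $2; in_cfg = 0; next }
        $1 == "config:" { in_cfg = 1; next }
        $1 == "errors:" { in_cfg = 0; next }
        in_cfg && NF >= 5 && $1 != "NAME" {
            name = $1
            # Skip the pool row and grouping vdevs; only leaves matter.
            if (name == pool) next
            if (name ~ /^(raidz[0-9]*|mirror|replacing|spares|logs|cache)(-[0-9]+)?$/) next
            if (name !~ /\.eli$/) print pool, name
        }
    '
}

# Constructed sample: a raidz1 part-way through the migration, with one
# member already replaced by its GELI provider and two still plain.
SAMPLE_MIXED='  pool: tank
 state: ONLINE
 scrub: none requested
config:

        NAME         STATE     READ WRITE CKSUM
        tank         ONLINE       0     0     0
          raidz1     ONLINE       0     0     0
            ad3.eli  ONLINE       0     0     0
            ad4      ONLINE       0     0     0
            ad5      ONLINE       0     0     0

errors: No known data errors'

# On a live system: zpool status | unencrypted_vdevs
printf '%s\n' "$SAMPLE_MIXED" | unencrypted_vdevs
```

Empty output means every leaf vdev in the listed pools sits on a GELI provider.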


More information about the freebsd-current mailing list