zpool on a zvol inside zpool
Stefan Esser
se at freebsd.org
Mon Jul 22 10:24:24 UTC 2013
Am 22.07.2013 10:04, schrieb Eugene M. Zheganin:
> Hi.
>
> I'm moving some of my geli installation to a new machine. On an old
> machine it was running UFS. I use ZFS on a new machine, but I don't have
> an encrypted main pool (and I don't want to), so I'm kinda considering a
> way where I will make a zpool on a zvol encrypted by geli. Would it be
> completely insane (should I use UFS instead ?) or would it be still
> valid ?
I have configured a system in just that way, a few weeks ago.
It seems to work just fine.
This is a workgroup server for a small company, which is meant to
provide secure storage for documents. The system has a separate
boot/root pool and a large pool for data (both as ZFS mirrors).
On the data pool there is a ZVOL which is GELI encrypted to
provide a "disk" for the encrypted ZFS that holds the documents.
The system is running headless in some datacenter. It must boot
multi-user and start a SSHD for remote entry of the passphrase,
therefore solutions where a GELI key is on a USB key or entered
via a console during boot were not possible.
Performance is reasonable and far exceeds the 100Mbit/s Ethernet
port ordered in the data-center, so I did not bother to measure
throughput of this ZFS on GELI encrypted ZPOOL.
For low load scenarios, this seems to be the easiest configuration.
If you have hardware crypto or expect high load, then a ZFS mirror
of GELI encrypted disks may show better performance, though.
Regards, STefan
More information about the freebsd-stable
mailing list