Best backup practices for ZFS with whole disk encryption on a laptop?

(This is my first post and a somewhat long post. I know what I want my computer to do, but don't know exactly how to make it happen, though I have some rough ideas. I figured getting a plan together before I start installing and making decisions would be best.)

I'm a newbie to FreeBSD (in fact, I haven't installed it yet), but have some experience with Linux (primarily Red Hat Enterprise Linux clones). I would like to switch my computer to FreeBSD sometime next month. My computer is a Lenovo ThinkPad T420i (4177-CTO) with 8 GB of RAM (upgradable to 16 GB if need be), and I will be installing a 256 GB Samsung 840 Pro SSD.

What I would like to do is use FreeBSD as a host operating system for VirtualBox and do all of my computing inside the VMs (Windows XP, Windows 7, Scientific Linux, and others), having the host manage just inter-VM communication (e.g. shared folders), power, internet, and other hardware-related functions. The reason for this is needing programs that are exclusive to one platform or another and wanting to run them simultaneously. Furthermore, I would like my computing environment to be portable so that if I ever need to change my computer (upgrade or replacement) the transition will be as seamless as possible. For this, I know I need a robust backup solution.

I want to be able to back up my computer to either of two external hard drives (stored in different locations) and have these be able to be bootable duplicates of my computer. That is, if my computer is lost or stolen, I want to be able to plug in the USB hard drive and boot off that, resuming my work from the last backup without any (or at most minimal) fuss. This is the most important thing to me; if I've just experienced something like my computer being stolen, I don't want to have to fiddle with a partially working backup. I want to back up the computer while I am using it ('live backups' I suppose is the term? I'm not really sure), and I don't want it to have to back up the whole system from scratch each time (just the changes).

I think that I want to use ZFS on this computer, and this is where my troubles start coming. After Googling for a while, ZFS seems to use different paradigms than file systems I am familiar with (e.g. ext2/3, FAT32, NTFS). I want to use ZFS for its compression, block-level deduplication (large VM files, but I know this is a RAM hog so I may not want to turn on deduplication yet), and possibly the self-healing features (I might buy a second 840 Pro hard drive to use for this, but this is in the medium future).

Complicating the matter further, my employer/school require my hard drive and all backups use whole disk encryption. The Samsung 840 Pro supports hardware-level encryption (e.g. set a password in BIOS and the hard drive does the rest), but the external hard drives I'm using are cheap, off-the-shelf USB drives without this functionality. Should I use software-based backups for the whole system, a mixture of hardware on my computer and software for the backups, or rely on a non-ZFS encryption for the backups?

At first dump and restore seemed to be what I wanted for backing up, but now send and receive seem to be more appropriate. It was at this point that I realized I am out of my comfort level with this and turned to the forum. Any pointers would be appreciated, or even telling me that I'm missing something and that this is a horrible thing to want for a laptop (it seems to be ideal in my mind, but, again, I've never used ZFS).

In summary, I want to know how to use ZFS with whole disk encryption (possibly different types) to create bootable backups to external hard drives, and if this is even a good idea at all.

Thanks.
 
geli(8) can be used under ZFS to provide encryption. Unless you have a processor with AESNI, be prepared to pay a fairly large performance penalty. Depending on how you do backups, that may not be an issue.
 
TheDougW said:
In summary, I want to know how to use ZFS with whole disk encryption (possibly different types) to create bootable backups to external hard drives, and if this is even a good idea at all.

This is not possible using one single disk. Since /boot has to be unencrypted in order to be able to load the kernel, it is not possible to have one single encrypted disk.

What is possible is to have /boot on a USB drive. The rest of the system could be located on a fully encrypted SSD drive using geli(8). To prevent trouble, make sure you have the USB drive mounted during the system upgrade. Also, if you are really paranoid, remove the USB drive as soon as you are done booting from it. (This might require copying its contents to the "current" /boot on the encrypted SSD drive.)

I did a similar setup here. After booting the kernel from an unencrypted /boot, a passphrase has to be manually entered to mount the root filesystem. If you keep the unencrypted boot media safe from unauthorized modifications, you'll be entering the passphrase to a "safe" environment. This should not be a problem in your situation, since you can keep the unencrypted /boot on a USB drive that you can carry on you at all times.
 
You can have a small UFS-formatted GPT partition at the beginning of the disk for the unencrypted /boot (and of course a freebsd-boot partition before it) and then a large GPT partition covering the rest of the disk for the encrypted ZFS pool. You'll need partitions anyway in order to boot from a ZFS pool, so using partitions isn't any kind of restriction here.
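
The layout from the reply above, written out as an added example (not posted by anyone in the thread). It only prints the FreeBSD commands for review; the disk name, the 1 GB /boot size, the pool name and the GPT labels derived from it are assumptions. The second function reads `zpool status` output and lists any leaf vdev that is not a geli `.eli` provider.

```shell
#!/bin/sh
# Added example. Prints the command plan; nothing is executed against a disk.
# Assumed names: disk (ada0/da0), pool name, labels <pool>-boot and <pool>-crypt.

plan_layout() {
    disk=$1            # e.g. ada0 (internal SSD) or da0 (external USB drive)
    pool=${2:-zroot}   # a distinct pool name per disk keeps GPT labels unique
    cat <<EOF
gpart create -s gpt $disk
gpart add -t freebsd-boot -s 512k $disk
gpart add -t freebsd-ufs -s 1g -l $pool-boot $disk
gpart add -t freebsd-zfs -l $pool-crypt $disk
gpart bootcode -b /boot/pmbr -p /boot/gptboot -i 1 $disk
newfs -U /dev/gpt/$pool-boot
geli init -b -s 4096 /dev/gpt/$pool-crypt
geli attach /dev/gpt/$pool-crypt
zpool create $pool /dev/gpt/$pool-crypt.eli
EOF
}

# Reads `zpool status` text on stdin and prints every leaf vdev that is not
# a geli provider, i.e. pool members whose contents sit on disk in clear.
unencrypted_vdevs() {
    awk '
        $1 == "NAME"      { in_cfg = 1; n = 0; next }  # start of config table
        in_cfg && NF == 0 { in_cfg = 0 }               # blank line ends it
        in_cfg && ++n > 1 &&
            $1 !~ /^(mirror|raidz|spare|log|cache)/ &&
            $1 !~ /\.eli$/ { print $1 }                # n == 1 is the pool row
    '
}

# Usage: sh layout.sh plan da0 backup
if [ "${1:-}" = plan ]; then
    plan_layout "$2" "${3:-zroot}"
fi
```

On a running system, `zpool status | unencrypted_vdevs` printing nothing means every pool member is behind geli.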
 