ZFS Backing up geli-encrypted disk to external drive

I just set up a new laptop with geli full-disk encryption and a ZFS root pool on a single disk using the 12.1-RELEASE installer. Now, I'd like to set up an automated and encrypted backup scheme preferably using ZFS snapshots which I'm already familiar with.

However, I'm a complete geli neophyte, so I'm at a bit of a loss on where to start. Does anyone have suggestions for any tools or documentation that would help me set things up? Thanks!
 
ZFS is not GELI aware i.e. the disk.eli extensions are just block devices for ZFS to use :).
You can just use ZFS snapshots on your laptop to roll-back to even when using GELI. Or did I not understand your question?

EDIT: Whoops, I didn't read the title, external drive. Then my initial answer is not that useful.
For an external drive you can also use GELI. A few grosso modo steps below which you can look up separately in detail:
1) Partition (GPT) the external drive using gpart and create a partition on it, e.g. da0p1, with a label using the -l flag; let's say "backup"
2) Create a .eli block device from the label you created above with geli using a key and password, e.g. backup.eli
3) Create a zpool from the backup.eli block device using zpool create
4) You are able to send snapshots to the created pool when the pool is in an imported state
5) Export/import the zpool manually after you manually unmount/mount the encrypted .eli device. (can be scripted)
 
For an external drive you can also use GELI. A few grosso modo steps below which you can look up separately on google in detail:

Thanks for the tips, they proved quite helpful!

For the benefit of posterity, here are the commands I wound up using (da0 is the external USB and nvd0 the internal SSD drive):
Code:
$ doas gpart destroy -F da0
$ doas gpart create -s gpt da0
$ geli list
Geom name: nvd0p3.eli
State: ACTIVE
EncryptionAlgorithm: AES-XTS
KeyLength: 256
Crypto: hardware
Version: 7
UsedKey: 0
Flags: BOOT, GELIBOOT
KeysAllocated: 239
KeysTotal: 239
Providers:
1. Name: nvd0p3.eli
   Mediasize: 1023998423040 (954G)
   Sectorsize: 4096
   Mode: r1w1e1
Consumers:
1. Name: nvd0p3
   Mediasize: 1023998427136 (954G)
   Sectorsize: 512
   Stripesize: 0
   Stripeoffset: 210763776
   Mode: r1w1e1

$ doas gpart add -t freebsd-zfs -l backup -s 1023998427136b -a 4k da0
$ gpart show da0
=>        40  3907029088  da0  GPT  (1.8T)
          40  1999996928    1  freebsd-zfs  (954G)
  1999996968  1907032160       - free -  (909G)

$ doas geli init -e AES-XTS -l 256 -s 4096 /dev/gpt/backup
$ geli attach /dev/gpt/backup
$ geli list
Geom name: nvd0p3.eli
State: ACTIVE
EncryptionAlgorithm: AES-XTS
KeyLength: 256
Crypto: hardware
Version: 7
UsedKey: 0
Flags: BOOT, GELIBOOT
KeysAllocated: 239
KeysTotal: 239
Providers:
1. Name: nvd0p3.eli
   Mediasize: 1023998423040 (954G)
   Sectorsize: 4096
   Mode: r1w1e1
Consumers:
1. Name: nvd0p3
   Mediasize: 1023998427136 (954G)
   Sectorsize: 512
   Stripesize: 0
   Stripeoffset: 210763776
   Mode: r1w1e1

Geom name: gpt/backup.eli
State: ACTIVE
EncryptionAlgorithm: AES-XTS
KeyLength: 256
Crypto: hardware
Version: 7
UsedKey: 0
Flags: NONE
KeysAllocated: 239
KeysTotal: 239
Providers:
1. Name: gpt/backup.eli
   Mediasize: 1023998423040 (954G)
   Sectorsize: 4096
   Mode: r0w0e0
Consumers:
1. Name: gpt/backup
   Mediasize: 1023998427136 (954G)
   Sectorsize: 512
   Stripesize: 4096
   Stripeoffset: 0
   Mode: r1w1e1

$ doas zpool create -m none backup /dev/gpt/backup.eli
$ doas zfs set readonly=on backup
$ zpool status backup
  pool: backup
state: ONLINE
  scan: none requested
config:

    NAME              STATE     READ WRITE CKSUM
    backup            ONLINE       0     0     0
      gpt/backup.eli  ONLINE       0     0     0

errors: No known data errors

$ doas sysrc geli_devices="/dev/gpt/backup"

A few notes:
  • I made the ZFS partition on the USB drive the same size as on the SSD, as I'm not planning on backing up other pools onto this drive, and I might want to use the space for something else in the future.
  • I'm only using a password to encrypt the provider because the provider created by the FreeBSD installer isn't using a key file either. The password is long enough and has sufficient entropy for me not to lose any sleep over its security. 🤞
Scripting the backups with sysutils/zfsnap2 and sysutils/zxfer was a cinch!
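The attach/import/send/export/detach cycle from the steps above, written out as an added example script that is not from the thread's posters or the FreeBSD project; it assumes the thread's gpt/backup label and backup pool, a source dataset named zroot, and snapshots already taken (for instance by zfsnap2):

```shell
#!/bin/sh
# Replicate snapshots to the GELI-backed "backup" pool, then export and detach.
# Added example for this thread, not the posters' or FreeBSD's own script.
# Assumptions: provider label gpt/backup and pool "backup" as in the thread,
# source dataset "zroot", snapshots already taken (e.g. by zfsnap2).
set -eu

PROV="${PROV:-gpt/backup}"        # GELI provider; attached device is ${PROV}.eli
DST_POOL="${DST_POOL:-backup}"    # zpool created on /dev/${PROV}.eli
SRC_FS="${SRC_FS:-zroot}"         # dataset whose snapshots are replicated
DRY_RUN="${DRY_RUN:-0}"           # 1 = print the privileged commands instead

run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# Print the newest snapshot present on both sides, or nothing if none is.
# $1/$2: newline-separated names as printed by `zfs list -H -o name -t snapshot
# -s creation` for source and destination (oldest first).  Matching is by the
# part after '@', since destination names carry the backup pool prefix.
common_base() {
    base=""
    for s in $1; do
        for d in $2; do
            [ "${d#*@}" = "${s#*@}" ] && base="$s"
        done
    done
    printf '%s' "$base"
}

# Build the send command: a full replication stream when there is no common
# snapshot, otherwise an incremental (-I) stream from the common base.
send_cmd() {  # $1 = common base or "", $2 = newest source snapshot
    if [ -z "$1" ]; then echo "zfs send -R $2"; else echo "zfs send -R -I $1 $2"; fi
}

backup_cycle() {
    run geli attach "/dev/$PROV"          # asks for the passphrase
    run zpool import -N "$DST_POOL"       # -N: import without mounting
    src=$(zfs list -H -o name -t snapshot -s creation -d 1 "$SRC_FS")
    dst=$(zfs list -H -o name -t snapshot -s creation -d 1 \
              "$DST_POOL/$SRC_FS" 2>/dev/null || true)   # empty on first run
    newest=$(printf '%s\n' "$src" | tail -n 1)
    base=$(common_base "$src" "$dst")
    run sh -c "$(send_cmd "$base" "$newest") | zfs receive -uF $DST_POOL/$SRC_FS"
    run zpool export "$DST_POOL"
    run geli detach "$PROV.eli"
}

# Only run the cycle when invoked explicitly, e.g. ZBK_RUN=1 doas sh backup.sh
if [ "${ZBK_RUN:-0}" = 1 ]; then backup_cycle; fi
```

Set DRY_RUN=1 on the first invocation to see the exact commands it would run before letting it touch the pools.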
 