Best ZFS management practice with two mirrored hard disks?

Hi all,

I'm currently managing a dedicated server with two 3TB hard disks but ZFS seems like a stranger to me. I want something like RAID-1 for data redundancy. In the storage management part, by default, the auto ZFS-on-root wizard utilizes the two whole disks (not partitions) and sets up a huge zroot pool. If encryption is enabled, I will have to enter the password on every boot.

However, since the server is remote, if the whole root pool is encrypted, it is not efficient to type in the password every time (KVM-over-IP required). So I want to separate an encrypted dataset in zroot but it seems that encryption is only available on the block-device-level.

An ideal storage configuration for me would be:
- Mirrored redundancy.
- Unencrypted root, encrypted home and encrypted data.

I came up with two options:

1. Keep a single zroot pool, create zfs volumes within the pool and expose them as block devices. Then set up encryption using geli on them. Mount them by request.
2. Use separate pools, unencrypted zroot and encrypted zdata. Migrate /usr/home to zdata. In this option, I have to divide both disks into partitions identically. In each zpool, the components are now partitions, not devices.

Which one is a better practice? Or are there any better solutions? I only have experience with Linux LUKS and ZFS is more powerful than normal file systems like ext4, so this really confuses me.

Looking forward to your advice. Thanks in advance!
 
I'd go down the option 2 route. You'll get the filesystem-level benefits (snapshots, clones, send/recv etc) of ZFS for your encrypted data. Zpools built on top of zvols in zpools are NOT a good idea, but geli-encrypted partitions/slices are fine. I have used option 1, but only where a simple single UFS /usr/home mount was required.
 
Any chance you could add two more disks? They don't have to be large. Then you could put zroot (mirrored) on the two 'smallish' disks and use the 2x3TB in a separate pool for data.
 
I would go with the second. You’re currently looking at geli(8) to get block-level encryption (similar to LUKS) with ZFS stacked on top. Look at the geli examples in /etc/defaults/rc.conf for what to put in rc.conf.

Encrypted ZFS (native to ZFS, that is) should come with the ZoF transition in 13.
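
A sketch of the option 2 layout recommended in the replies above, added here as an example and not posted by anyone in the thread: a mirrored zdata pool on geli(8) providers that is unlocked by hand over SSH, so the unencrypted zroot boots without a passphrase prompt. The disk names (ada0, ada1), the GPT labels and the function names are assumptions, and the script only prints its commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the thread). Dry run by default: commands are only
# printed. Set APPLY=1 on the FreeBSD host to execute them.
DISKS="${DISKS:-ada0 ada1}"   # assumed disk names, each with free space after zroot
POOL="${POOL:-zdata}"         # pool name from the thread; GPT labels become zdata0, zdata1

run() {
    echo "+ $*"
    if [ "${APPLY:-0}" = 1 ]; then "$@"; fi
}

provision() {   # one-time setup
    i=0; vdevs=""
    for disk in $DISKS; do
        label="${POOL}${i}"
        # Uses the free space left after zroot; identical layouts give equal sizes.
        run gpart add -t freebsd-zfs -a 1m -l "$label" "$disk" || return 1
        # GELI under ZFS; asks for a passphrase. Without -b nothing is asked at boot.
        run geli init -e AES-XTS -l 256 -s 4096 "/dev/gpt/$label" || return 1
        run geli attach "/dev/gpt/$label" || return 1
        vdevs="$vdevs gpt/$label.eli"
        i=$((i + 1))
    done
    # cachefile=none keeps the still-locked pool out of the boot-time import.
    run zpool create -o cachefile=none "$POOL" mirror $vdevs || return 1
    run zfs create "$POOL/home"   # /usr/home moves here once the old dataset is retired
}

unlock() {      # after each reboot, over SSH
    i=0
    for disk in $DISKS; do
        run geli attach "/dev/gpt/${POOL}${i}" || return 1
        i=$((i + 1))
    done
    run zpool import -o cachefile=none "$POOL"
}

lock() {        # export first so ZFS releases the providers, then drop the keys
    run zpool export "$POOL" || return 1
    i=0
    for disk in $DISKS; do
        run geli detach "gpt/${POOL}${i}.eli" || return 1
        i=$((i + 1))
    done
}

case "${1:-}" in provision|unlock|lock) "$1" ;; esac
```

Listing the partitions in geli_devices in rc.conf instead would attach them during boot and bring the console passphrase prompt back.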
 