Encryption project

[OnOw1c]

We have a project to encrypt a fairly large amount of data which currently resides on Solaris 10 ZFS v22 mirrored volumes on iSCSI storage arrays. I am wondering if it would be possible to do the following:

Export volumes and then import the half of the mirror with FreeBSD 9.1. Then add a GELI encrypted volume and resilver. Then break the mirror and remove the original unencrypted volume and replace it with another GELI encrypted volume and then resilver once again. Ending up with both sides of the mirror on GELI encrypted volumes with ZFS on top.

Or possibly make a three-way mirror with two GELI volumes and simply remove the original unencrypted volume once the resilvering is complete.

The amount of data is too large and comprised of too many small files to copy in a reasonable amount of time.

 

[MorgothV8]

Hmmm seems possible for me? Correct me if I'm wrong...

 

[Deleted member 13721]

Anyone know how much of a performance hit ZFS + GELI has?

 

[ondra_knezour]

Looks time consuming to me, you have two data transfers (two resilvers). What about create new ZFS volume on GELI encrypted disks, import Solaris volume and localy send|receive filesystem(s) from imported to newly created volume?

 

[OnOw1c]

I do not know how long it takes to send/recv this amount of data.

In tests and trial by fire, I know it takes Solaris about 18 hours and there are several volumes to do.

With the resilvering operation, the drives can remain in service with no downtime, except for the time to export and import. The volumes need to stay online as much as possible as this is live production data and will be changing while the resliver takes place.

Send/Recv might be an interesting alternative. Do you have any tests which show send/recv to be as fast or faster than resilvering?

 

[OnOw1c]

Btw, I have tested this process with zfsonlinux with LUKS volumes and it worked well... however I am not comfortable with putting production data on the zfsonlinux code as it is still under development and not yet recommended for production data.

 

[OnOw1c]

In tests and trial by fire, I know it takes Solaris about 18 hours and there are several volumes to do.

I should have said it takes Solaris 18 hours to "resilver the volumes"...

 

[ondra_knezour]

I didn't take availability/downtime into account, better said, I asumed whole operation running offline, because I woulnd't go with only one copy of live data. In such scenario, where availability is a key, I would make snapshot on Solaris, send it to new volume on FreeBSD, wait given time, probably several days in your case, stop service on Solaris, make another snapshot, send diference snapshot to new volume and start service with data on new volume. Depending on speed of data changes and how many times you will "refresh" snapshots you can achieve point in time, where difference between actual live data and last shapshot sent will be such small, that sending last one while service is unavailable would take only dozens seconds or minutes.