dch
Developer
hey,
I set this up last week; it seems to work, but whether it's actually a good idea or not ... in particular I wonder if I should have disabled the cache on the nested zpool rather than the parent zvol, and whether I actually need to unmount the nested zpool to snapshot and sync. It would be very nice if I didn't need to do this. What I'm really waiting for is native zfs dataset encryption, and then this obscene hackery could die in the dumpster fire it deserves...
Performance is ok: on a box with a zpool of mirrored 3TB enterprise SATA disks, I get ~40MiB/s as a zfs send target, from a dataset on the same system. The same zfs send command sent to /dev/null gives ~160MiB/s.
Comments welcomed.
objective
- create a zfs sendable encrypted dataset
- recover the remote dataset back, decrypt and remount it successfully
Code:
# zfs create -o canmount=off zroot/vols
# zfs create -o volmode=geom \
-o primarycache=none -o secondarycache=none \
-o volblocksize=4k \
-o compression=off \
-V 500G zroot/vols/secure
# ls -AFGhl /dev/zvol/zroot/vols/
total 0
crw-r----- 1 root operator 0xa1 Feb 18 21:00 secure
# dd if=/dev/random of=/dev/zvol/zroot/vols/secure bs=1m
partition and label the zvol
Code:
# gpart create -s gpt /dev/zvol/zroot/vols/secure
zvol/zroot/vols/secure created
# gpart add -t freebsd-zfs -l secure /dev/zvol/zroot/vols/secure
zvol/zroot/vols/securep1 added
# ls -AFGhl /dev/gpt/secure
crw-r----- 1 root operator 0xa3 Feb 18 21:18 /dev/gpt/secure
# zfs snapshot zroot/vols/secure@blank:unencrypted
geli encrypt it
Here we write and then read the geli_secret out of vault, all done as a normal user:
Code:
$ vault write -address=https://vault:8200 secret/backup geli_secret='wouldnt you like to know'
$ vault read -address=https://vault:8200 -field=geli_secret secret/backup \
| sudo geli init -s 4096 -J - -l 256 /dev/gpt/secure
Metadata backup can be found in /var/backups/gpt_secure.eli and
can be restored with the following command:
# geli restore /var/backups/gpt_secure.eli /dev/gpt/secure
$ vault read -address=https://vault:8200 -field=geli_secret \
secret/backup | sudo geli attach -j - /dev/gpt/secure
create the new overlay zpool
Code:
# zpool create -o failmode=continue -O compression=lz4 -O mountpoint=none secure /dev/gpt/secure.eli
# zfs snapshot secure@empty
# zpool export secure
# zfs snapshot zroot/vols/secure@blank:encrypted
send all the things
Code:
# zpool import -N secure
# zfs send -Lev zroot/var/db/precious@20170220-1623 \
| zfs recv -Fuv secure/precious
# zpool export secure
replicate the encrypted zpool
Code:
# zfs snapshot zroot/vols/secure@`date -u +%Y%m%d-%H%M`
# zfs send ....
# zpool import -N secure
destroy everything
Code:
# zpool export secure
# geli detach gpt/secure.eli
# zfs destroy -r zroot/vols/secure
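Added example, not code from the post above: a small wrapper for the "replicate the encrypted zpool" step that enforces the ordering the post relies on (export the nested pool, snapshot the zvol, send, re-import with -N) and uses an incremental send when an earlier snapshot is known; only the geli ciphertext leaves the box. The remote host "backup" and target dataset "tank/offsite/secure" are hypothetical names.

```sh
#!/bin/sh
# Added example (not from the original post). Exporting the nested pool first
# quiesces it, so the zvol snapshot is a consistent ciphertext image; the key
# stays in vault/geli and never travels with the send stream.
# Assumed (hypothetical) names: REMOTE=backup, TARGET=tank/offsite/secure.
set -eu

ZVOL=${ZVOL:-zroot/vols/secure}
POOL=${POOL:-secure}
REMOTE=${REMOTE:-backup}
TARGET=${TARGET:-tank/offsite/secure}

# Snapshot names follow the post's YYYYMMDD-HHMM convention (UTC).
new_snapshot_name() { date -u +%Y%m%d-%H%M; }

# 0 only for a well-formed YYYYMMDD-HHMM name, so a stray snapshot such as
# @blank:encrypted is never used as an incremental base.
valid_snapshot_name() {
    case $1 in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the commands for one replication round, one per line.
# $1 = previous snapshot name ("" forces a full send), $2 = new snapshot name.
replication_plan() {
    prev=$1 new=$2
    valid_snapshot_name "$new" || { echo "bad snapshot name: $new" >&2; return 1; }
    echo "zpool export $POOL"
    echo "zfs snapshot $ZVOL@$new"
    if [ -n "$prev" ]; then
        valid_snapshot_name "$prev" || { echo "bad base snapshot: $prev" >&2; return 1; }
        echo "zfs send -Lv -i $ZVOL@$prev $ZVOL@$new | ssh $REMOTE zfs recv -Fu $TARGET"
    else
        echo "zfs send -Lv $ZVOL@$new | ssh $REMOTE zfs recv -Fu $TARGET"
    fi
    echo "zpool import -N $POOL"
}

# Execute a plan line by line; set -e stops at the first failing command.
run_plan() { replication_plan "$@" | while IFS= read -r cmd; do sh -c "$cmd"; done; }

# Usage: sh replicate.sh run [PREVIOUS_SNAPSHOT]
case ${1:-} in
    run) run_plan "${2:-}" "$(new_snapshot_name)" ;;
esac
```

Run it without arguments (or call replication_plan directly) to see the plan before anything is executed.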