ZFS and RaidZ: partial or full disc encryption?

D

donduq

I searched through the forums and the Internet and found many valuable clues, but I need your advice on just a few more things before I'm ready to start working on this project.

I'm about to play with a machine with an Intel Q6600 (quad core) CPU, 7G RAM (DDR2) and six hard discs.

The CPU has no AES acceleration, so am I right to assume it's better to encrypt what actually needs to be encrypted, as opposed to going with full disc encryption?

If the answer is 'yes', then does this mean I must make two zpools: one for the OS and one for the storage? I hope not because in that case I need to plan beforehand how much space I need to allocate with gpart.

What would you advice me to do?
 
You are asking the wrong questions.
The main question is, do you have data that needs to be encrypted? Performance only comes second if the main issue is security.

As for other question; you can have one pool for both system and data. If you decide to encrypt whole disks, you need to leave small portion of unencrypted space to boot from. Or just use small flash drive for main system.
 
bbzz said:
You are asking the wrong questions.
The main question is, do you have data that needs to be encrypted? Performance only comes second if the main issue is security.
Click to expand...

Yes, I do have data that needs to be stored with encryption.

bbzz said:
As for other question; you can have one pool for both system and data. If you decide to encrypt whole disks, you need to leave small portion of unencrypted space to boot from. Or just use small flash drive for main system.
Click to expand...

I realise. What I'm saying is that I don't see the need to encrypt the entire system, I'd be OK with only encrypting what needs to be encrypted rather than the entire system.

Let's say I only want to encrypt /home. Can this only be done if I make /home a separate zpool?
 
donduq said:
Let's say I only want to encrypt /home. Can this only be done if I make /home a separate zpool?
Click to expand...

Yes, because geli is underlying disk encryption, and you feed it like that to zpool. You can't do this per filesystem.
 
As a side note, do not make RaidZ with 6 disks. Raidz2 is a possibility; One of my servers has no-AES CPU with 6 disks in mirror configuration. Resilvering/scrubbing is much less intensive compared to RaidZ2. Just something to think about.
 
matoatlantis said:
Also check these ZFS best practices. Specially pay attention how many disks you'll put into raidz (RAIDZ Configuration Requirements and Recommendations part of the docs).
Click to expand...

Thanks for that doc. My own consideration falls in line with this citation:

Start a double-parity RAIDZ (raidz2) configuration at 6 disks (4+2)
Click to expand...

In my case there are 6 1TB discs = approximately 4TB. So, the plan, for now, is to use 500G without encryption = 125G per disc.

Did I overlook and/or do I need to consider anything else?

(Note to self: read that ZFS guide at least twice :stud)
 
bbzz said:
As a side note, do not make RaidZ with 6 disks. Raidz2 is a possibility; One of my servers has no-AES CPU with 6 disks in mirror configuration. Resilvering/scrubbing is much less intensive compared to RaidZ2. Just something to think about.
Click to expand...

Okay, got it. This shows how new I am to this side of FreeBSD...
 
But as you are still in a planning stage, it might be worth it to do some experiments. Install FreeBSD on fully encrypted raidz2 pool (4+2P) and do some tests. You might be satisfied with the performance and leave it fully encrypted.

Also note you might be hitting bottleneck on the motherboard anyway (depending on your setup, speed of disks, etc. ).
 
You must log in or register to reply here.
Back
Top