ZFS ZFS encrypt existing dataset

stratacast1

Well-Known Member

Reaction score: 43
Messages: 336

The other day I got a new backup HDD so I can rotate my external disks and take them offsite in case my house blows up. I enjoy disk encryption on these sorts of drives that will be stored safely and the data is inaccessible. However, after backing up my data I realized that I didn't employ ZFS encryption on the drive! Am I going to have to nuke the data on my external drive, recreate the dataset and enable encryption, or is there a way to encrypt existing data? What would you suggest?
 
Π

Π 5C15

Guest


How much info you have in your non encrypted drive?
Look, if the disk A (which is where you have your information) has less information than the disk where you want to encrypt (call it disk B), then you can repeat the procedure in the disk B and add ZFS. Then you need to move the information from disk A to B and that's all.
At least, that you have 1 only disk. Then the thing changes...
 
OP
stratacast1

stratacast1

Well-Known Member

Reaction score: 43
Messages: 336

It's 1TB on a 4TB disk. So in essence you're saying basically wipe all the data on my external drive (disk B), create a zfs dataset with encryption and then write the data from A to B again? That's kind of what I was thinking
 

rigoletto@

Daemon
Developer

Reaction score: 1,249
Messages: 2,291

If you can wait for a while to have them encrypted, iXSystems is implementing the ZFS native encryption which should come out with 12R. You can store them using ZFS now, and later activate the encryption and do some send|recv to get everything encrypted.
 

Oko

Daemon

Reaction score: 794
Messages: 1,620

If you can wait for a while to have them encrypted, iXSystems is implementing the ZFS native encryption which should come out with 12R. You can store them using ZFS now, and later activate the encryption and do some send|recv to get everything encrypted.
Am I suppose to believe that will be available to unpaid customers? Native encryption is one of many reasons people are still paying for more advanced Oracle version of ZFS.
 
OP
stratacast1

stratacast1

Well-Known Member

Reaction score: 43
Messages: 336

geli's encryption should be fine enough though right? That's what I was intending on doing to encrypt my volumes, that is, if I'm understanding it all right :)
 

rigoletto@

Daemon
Developer

Reaction score: 1,249
Messages: 2,291

Am I suppose to believe that will be available to unpaid customers? Native encryption is one of many reasons people are still paying for more advanced Oracle version of ZFS.
Allan Jude told me on IRC about that some time ago. ZoL already have implemented native encryption anyway.

stratacast1 Geli should work fine, but ZFS native encryption is a more elegant solution. :D
 
OP
stratacast1

stratacast1

Well-Known Member

Reaction score: 43
Messages: 336

Sooo ZFS DOES have native encryption? So I can do zfs set encryption=on dataset/name? If that's it, do you think it'd be optimal to just do that backup all over again or do a mv from unencrypted dataset to encrypted dataset? I'd have to rename the new encrypted dataset so I don't have to finagle with my scripts and cron jobs on it
 
OP
stratacast1

stratacast1

Well-Known Member

Reaction score: 43
Messages: 336

OpenZFS* I can't tell if lebarondemerde is talking about ZFS or OpenZFS with native encryption.

I'd say I'm in no dire rush to implement encryption on my drive as it's being stored in a trusted location, but it would be a nice-to-have.
 

rigoletto@

Daemon
Developer

Reaction score: 1,249
Messages: 2,291

Sooo ZFS DOES have native encryption? So I can do zfs set encryption=on dataset/name? If that's it, do you think it'd be optimal to just do that backup all over again or do a mv from unencrypted dataset to encrypted dataset? I'd have to rename the new encrypted dataset so I don't have to finagle with my scripts and cron jobs on it

Currently the only available (free) working implementation is from ZoL (ZFS on Linux). And as I previously said, iXSystems is working on the FreeBSD one (hopefully) due 12R.
 
OP
stratacast1

stratacast1

Well-Known Member

Reaction score: 43
Messages: 336

Currently the only available (free) working implementation is from ZoL (ZFS on Linux). And as I previously said, iXSystems is working on the FreeBSD one (hopefully) due 12R.

Aha gotcha. Well, I think I'll wait for that. Where I'll be storing my drive, I expect the risk of theft to be REALLY low, and I expect the level of understanding of a thief to be even lower when it comes to accessing my data. Can't wait for ZFS encryption on FreeBSD!
 
Top