Re: zfs encryption + boot + world + dog

2021-06-23 Thread Matthew Crews via PLUG-discuss
On 6/23/21 5:18 PM, Michael Butash via PLUG-discuss wrote:
> Saw this today, talking about encryption under zfs under linux.  Anyone
> using it here that can comment on experience using it yet for personal
> or at scale?
> 
> https://arstechnica.com/gadgets/2021/06/a-quick-start-guide-to-openzfs-native-encryption/
> 
> 
> I use a combination of mdraid+luks+lvm+ext4/jfs, and would really love
> for this to be one thing, ala ZFS or BTRFS.  Yes I could google my arse
> off to look, but looking for some trusted opinion here.

I've used ZFS and BTRFS under Linux, though I haven't tried native ZFS
encryption yet. I have used both ZFS and BTRFS under LUKS encryption too.

Both BTRFS and ZFS work so much nicer than mdraid when it comes to
spanning across multiple disks (though beware that BTRFS still isn't
production safe for RAID5/RAID6).

If you want to use a multi-disk storage array, ZFS and BTRFS are both
superior options to MDRAID.

However, ZFS is just straight better and easier to maintain than BTRFS,
especially now that native encryption is a thing (something BTRFS sorely
lacks).



Here is my disk topology for my 4 disk RAID10 setup under BTRFS.

Disk 1 - LUKS - Btrfs --\                   /--Btrfs subvolume
                        |                   |
Disk 2 - LUKS - Btrfs --|                   |--Btrfs subvolume
                        |--- Btrfs volume --|
Disk 3 - LUKS - Btrfs --|                   |--Btrfs subvolume
                        |                   |
Disk 4 - LUKS - Btrfs --/                   \--Btrfs subvolume

To be honest, it is a pain in the arse to mount an encrypted BTRFS
volume this way. You need to unencrypt all four drives first, and then
you need to mount it. But at least once it's mounted, the subvolumes are
already set up.

If I need to replace a drive (and I've had to replace drives) it is also
a pain in the arse due to having to deal with both LUKS and BTRFS.

Encrypted ZFS would simplify this setup enormously.

When I need to replace my drives, I will be switching from BTRFS to ZFS.


-Matt
---
PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
To subscribe, unsubscribe, or to change your mail settings:
https://lists.phxlinux.org/mailman/listinfo/plug-discuss

zfs encryption + boot + world + dog

2021-06-23 Thread Michael Butash via PLUG-discuss
Saw this today, talking about encryption under zfs under linux.  Anyone
using it here that can comment on experience using it yet for personal or
at scale?

https://arstechnica.com/gadgets/2021/06/a-quick-start-guide-to-openzfs-native-encryption/

I use a combination of mdraid+luks+lvm+ext4/jfs, and would really love for
this to be one thing, ala ZFS or BTRFS.  Yes I could google my arse off to
look, but looking for some trusted opinion here.

Encryption is probably the strongest requirement I have.  I keep a _lot_ of
sensitive data for customers on my system by virtue of supporting them.
This data needs to be secure first and foremost at rest or other.

Encryption, scalable volumes, redundancy, longevity (ala trim/wear in
flash) are most important to me.  Traditionally a combo of mdadm+lvm
handles this, but would be nice if zfs can do this now, plus above
encryption.  LVM has done great things for decades, but navigating layers
is detrimental for both performance and longevity of devices, particularly
SSDs depending on technology and firmware.

Cold-booting the system consistently with above features is key to me.  I'm
ok with an unencrypted boot drive with a kernel, but all the other layers
need to be encrypted, but just tend to wear on the hardware and performance
ultimately.  Rather than needing an ext4 /boot, then some combo of
root+world fs, I'd love to see grub boot a consistent file system from boot
segments into encrypted user-land data segments to make work today.

Anyone rolling this sort of setup today reliably that can speak to
experience?  Debating new hardware (laptop ideally), so wondering what my
future hardware and software setup will look like.

If still reading, thanks in advance!

-mb