On Sun, Jul 11, 2010 at 11:51 AM, Michael Johnson
<mjjohnson....@yahoo.com> wrote:
> I'm planning on running FreeBSD in VirtualBox (with a Linux host) and giving
> it raw disk access to four drives, which I plan to configure as a raidz2
> volume.
> On top of that, I'm considering using encryption.  I understand that ZFS
> doesn't yet natively support encryption, so my idea was to set each drive up
> with full-disk encryption in the Linux host (e.g., using TrueCrypt or
> dmcrypt), mount the encrypted drives, and then give the virtual machine
> access to the virtual unencrypted drives.  So the encryption would be
> transparent to FreeBSD.
> However, I don't know enough about ZFS to know if this is a good idea.  I
> know that I need to specifically configure VirtualBox to respect cache
> flushes, so that data really is on disk when ZFS expects it to be.  Would
> putting ZFS on top of full-disk encryption like this cause any problems?
>  E.g., if the (encrypted) physical disk has a problem and as a result a
> larger chunk of the unencrypted data is corrupted, would ZFS handle that
> well?  Are there any other possible consequences of this idea that I should
> know about?  (I'm not too worried about any hits in performance; I won't be
> reading or writing heavily, nor in time-sensitive applications.)
> I should add that since this is a desktop I'm not nearly as worried about
> encryption as if it were a laptop (theft or loss are less likely), but
> encryption would still be nice.  However, data integrity is the most
> important thing (I'm storing backups of my personal files on this), so if
> there's a chance that ZFS wouldn't handle errors well when on top of
> encryption, I'll just go without it.
> Thanks,
> Michael
>

You can also create ZFS on top of GELI[1][2] devices. Create the
encrypted disks first and then use those to create the zpool.

Exact steps (assuming a single disk, da1):

- create the key
# dd if=/dev/random of=/root/da1.key bs=64 count=1

- initialize the GELI disk; if you want to use only the key as the
authentication method or to attach automatically on boot, check the
reference links for initialization and configuration (-K and -b)
# geli init -s 4096 -K /root/da1.key /dev/da1

- attach the GELI disk
# geli attach -k /root/da1.key /dev/da1

- create the zpool, either directly on the geli disk or on top of GPT
>>direct:
# zpool create securepool da1.eli

>>on top of GPT:
# gpart create -s gpt da1.eli
# gpart add -t freebsd-zfs da1.eli
# zpool create securepool da1.elip1

- adjust rc.conf and loader.conf accordingly

Another tutorial: http://forums.freebsd.org/showthread.php?t=2775

[1] http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/disks-encrypting.html

[2] http://www.freebsd.org/cgi/man.cgi?query=geli&apropos=0&sektion=0&manpath=FreeBSD+8.0-RELEASE&format=html

_______________________________________________
zfs-discuss mailing list
zfs-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/zfs-discuss
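As an added example (not from the post above), the single-disk GELI recipe generalized to the four-drive raidz2 layout the original question describes, as a POSIX sh script that prints the commands with DRY_RUN=1 and executes them otherwise; the disk names, pool name and /root key directory are assumptions, and the rc.conf/loader.conf variables are the ones rc.d/geli reads.

```shell
#!/bin/sh
# Added example: build a raidz2 pool on N GELI providers (not the post's own code).
# DRY_RUN=1 (default) only prints the commands; any other value runs them as root.
set -eu

DRY_RUN="${DRY_RUN:-1}"
KEYDIR="${KEYDIR:-/root}"   # assumed key location, off the pool being encrypted

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Accept only plain provider names such as da1 or ada0 (no paths, no shell metachars).
check_disk() {
    case "$1" in
        *[!A-Za-z0-9]*|"") return 1 ;;
    esac
    return 0
}

# Full sequence per disk: key, geli init, geli attach; then one zpool create.
build_pool() {
    pool="$1"; vdev="$2"; shift 2
    elis=""
    for d in "$@"; do
        check_disk "$d" || { echo "bad disk name: $d" >&2; return 1; }
        key="$KEYDIR/$d.key"
        # umask 077 makes the key file 0600 so other local users cannot read it.
        run sh -c "umask 077 && dd if=/dev/random of=$key bs=64 count=1"
        # -s 4096 matches the post's sector size; without -P, init also asks
        # for a passphrase that every later attach (including at boot) needs.
        run geli init -s 4096 -K "$key" "/dev/$d"
        run geli attach -k "$key" "/dev/$d"
        elis="$elis $d.eli"
    done
    # shellcheck disable=SC2086  # word splitting of the provider list is intended
    run zpool create "$pool" "$vdev" $elis
}

# Boot configuration so the providers are attached before ZFS imports the pool.
boot_config() {
    echo 'loader.conf: geom_eli_load="YES"'
    echo "rc.conf: geli_devices=\"$*\""
    for d in "$@"; do
        echo "rc.conf: geli_${d}_flags=\"-k $KEYDIR/$d.key\""
    done
    echo 'rc.conf: zfs_enable="YES"'
}
```

Run `build_pool securepool raidz2 da1 da2 da3 da4` and `boot_config da1 da2 da3 da4` to see the plan; a single-disk pool is `build_pool securepool "" da1` with the empty vdev keyword quoted.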