
Re: ZFS guidance



On 2021-01-02 13:10, Gregory Seidman wrote:
I've been running 10+ LVM volumes on top of dmcrypt on top of md RAID1 on
Debian for many, many years and it has served me well. I've been
double-mirroring (i.e. three active drives in the RAID array) for the last
several with the idea that I can manually fail a disk, pull it out (and
replace with a fresh drive), and put it somewhere safe off-site as an easy
approach to backup (and I'm only concerned with disaster recovery, not
individual file recovery).

I have new server hardware I'm planning on moving things to, and I'm
considering making a change to my approach. I've been hearing good things
about ZFS for a long time, and I understand that encryption has been
supported for several years. Assuming that I have three physical disks to
dedicate (separate from the three I am currently using) I'm seeking
guidance on the following:

1. Can an entire ZFS array be encrypted, rather than individual volumes? I
   don't want to have to enter the password for each volume, just once when
   bringing up the whole array.

2. Is there a way to tune ZFS such that it can tolerate the loss of any two
   out of three disks? Redundancy is more important to me than total
   available storage.

3. Is there any equivalent off-site backup mechanism like my current
   fail-and-remove approach?

Note that I am not worried about the effort involved in moving data. This
is a home setup and downtime is tolerable.


I use Samba on FreeBSD with ZFS for my SOHO file server. It has two 3 TB's in a ZFS mirror.


AIUI native ZFS encryption is not production ready on upstream OpenZFS. So, we need to use an encryption layer on each device under ZFS; e.g. dm-crypt on Linux and GELI on FreeBSD.


If you do not want to enter passphrases at boot, then use a key file. So, security of your data depends upon security of the key file. I use encrypted root, and put the key file under /root with uid=gid=0 and mode=0400.


ZFS pools are built from striped virtual devices (VDEV). Virtual devices may be one or more block devices (disk, hardware RAID), one or more slices/partitions, one or more Linux device-mapper virtual block devices, etc.


So for your application, I would create one large partition on each disk, put a LUKS volume into each partition, and put the three mapped devices into a mirror in a ZFS pool. Then again, I prefer FreeBSD for ZFS; so GELI instead of LUKS.


I have several HDDs in mobile racks that I use for backups in a rotation scheme. Each has a stand-alone pool (e.g. no redundancy). To back up, I periodically insert a backup drive into a bay on an admin machine, import the backup pool, initiate a recursive snapshot of the datasets on the server, replicate the snapshots from the server pool to the backup pool, export the backup pool, and remove the backup drive.


David
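
The Linux layout suggested in the reply above (one LUKS volume per partition, unlocked from a root-only key file, then a three-way ZFS mirror), as an added example that is not part of the original message. The pool name `tank`, the mapper names `crypt0`..`cryptN`, and the `KEY_UID`, `KEY_GID` and `RUN` variables are assumptions; the commands are only printed unless `RUN` is set to the empty string.

```shell
#!/bin/sh
# Added example, not from the original message. Assumed names: pool "tank",
# mapper names crypt0..cryptN, KEY_UID/KEY_GID, RUN. Commands are only
# printed unless RUN is set to the empty string (luksFormat destroys data).
RUN=${RUN-echo}

# Print "uid gid mode" for a file: GNU stat (Linux) first, then BSD stat.
owner_mode() {
    stat -c '%u %g %a' "$1" 2>/dev/null || stat -f '%u %g %Lp' "$1"
}

# check_keyfile FILE: succeed only if FILE is a regular file (not a symlink)
# owned by KEY_UID:KEY_GID (default 0:0) with mode exactly 0400.
check_keyfile() {
    if [ -L "$1" ] || [ ! -f "$1" ]; then
        echo "$1: not a regular file" >&2
        return 1
    fi
    ck_have=$(owner_mode "$1") || return 1
    ck_want="${KEY_UID:-0} ${KEY_GID:-0} 400"
    if [ "$ck_have" != "$ck_want" ]; then
        echo "$1: uid/gid/mode is '$ck_have', want '$ck_want'" >&2
        return 1
    fi
}

# plan_mirror KEYFILE POOL PARTITION...: one LUKS volume per partition, all
# unlocked with the same key file, then one ZFS mirror vdev of the mapped
# devices, so the pool survives the loss of all but one member.
plan_mirror() {
    pm_key=$1 pm_pool=$2
    shift 2
    check_keyfile "$pm_key" || return 1
    pm_members= pm_i=0
    for pm_dev in "$@"; do
        $RUN cryptsetup luksFormat --batch-mode --key-file "$pm_key" "$pm_dev"
        $RUN cryptsetup open --key-file "$pm_key" "$pm_dev" "crypt$pm_i"
        pm_members="$pm_members /dev/mapper/crypt$pm_i"
        pm_i=$((pm_i + 1))
    done
    # $pm_members is deliberately unquoted: one argument per mapped device.
    $RUN zpool create "$pm_pool" mirror $pm_members
}
```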

