10 September 2014

ZFS: quota, compression, and encryption

Here is how I used ZFS to set up my storage drive.

Initial setup:

Get the ZFS package:
    sudo apt-get install zfs-fuse

Find your drives:
    ls /dev/disk/by-id/

Create the array:
    sudo zpool create storage mirror /dev/disk/by-id/ata-WDC_WD30EFRX-68EUZN0_WD-SERIAL#1 /dev/disk/by-id/ata-WDC_WD30EFRX-68EUZN0_WD-SERIAL#2

Check pool status:
    sudo zpool status


Create a new zfs container:
    sudo zfs create storage/mythtv

Set the storage limit (quota):
    sudo zfs set quota=1T storage/mythtv


Create a new zfs container:
    sudo zfs create -o compression=on storage/.encrypted

Or to turn on compression on an existing container:
    sudo zfs set compression=on storage/.encrypted

Check CompressRatio:
    sudo zfs get all storage/.encrypted | grep compressratio


Since Linux ZFS does not support the encryption option (as of 2014-09), there are two options. The first is to place the encryption below the ZFS layer using LUKS, and the second is to encrypt on top of the ZFS layer using file-based encryption. I have chosen to use the latter because I have heard that ZFS data reliability works better if it is the layer closest to the hardware.

Get the encryption package:
    sudo apt-get install ecryptfs-utils

Create a mount point and start the encryption process:
    sudo mkdir /storage/encrypted
    sudo mount -t ecryptfs /storage/.encrypted /storage/encrypted

Follow the prompts. I chose AES, 32 bytes (256 bit), and yes to encrypt the filenames.

Save settings to be able to mount later:
    cat /etc/mtab | grep ecryptfs

Add the result from above to /etc/fstab, and add the options noauto (to prevent mounting at boot) and ecryptfs_passthrough=n (not sure why this is not on the mtab entry).

Example /etc/fstab entry:
    /storage/.encrypted /storage/encrypted ecryptfs noauto,rw,ecryptfs_sig=12a34b567c8de9ff,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_fnek_sig=12a34b567c8de9ff,ecryptfs_unlink_sigs,ecryptfs_passthrough=n 0 0

Unmount, then mount again using the new /etc/fstab entry:
    sudo umount /storage/encrypted
    sudo mount /storage/encrypted

Encryption Update (2014-09-26):

Enabling filename encryption in ecryptfs lowers your maximum filename length from 255 characters to 143 characters.
See: https://bugs.launchpad.net/ecryptfs/+bug/344878
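
An added example (not part of the original post): a POSIX shell function that lists files whose names exceed the 143-character limit noted above, so they can be renamed before being copied into the encrypted mount. The function name long_names and the path in the usage comment are hypothetical, and the length is measured in bytes, which is an assumption of this example.

```shell
#!/bin/sh
# Added example: find names too long for ecryptfs filename encryption.
# The limit of 143 comes from the update above; counting bytes rather than
# characters is this example's assumption.
ECRYPTFS_NAME_MAX=143

# long_names DIR [LIMIT]
# Prints "LENGTH<TAB>PATH" for every entry below DIR whose own name
# (the last path component) is longer than LIMIT bytes.
# The body runs in a subshell so dir/limit do not leak into the caller.
long_names() (
    dir=$1
    limit=${2:-$ECRYPTFS_NAME_MAX}
    # find hands paths to the inner sh as arguments, so names containing
    # spaces or newlines are not split.
    find "$dir" -mindepth 1 -exec sh -c '
        limit=$1
        shift
        for path do
            name=${path##*/}
            # wc -c counts bytes; $(( )) strips any padding wc adds.
            len=$(( $(printf "%s" "$name" | wc -c) ))
            if [ "$len" -gt "$limit" ]; then
                printf "%s\t%s\n" "$len" "$path"
            fi
        done
    ' sh "$limit" {} +
)

# Usage (hypothetical source directory):
#   long_names /path/to/data-to-migrate
```

Run it against the unencrypted source data, not against /storage/.encrypted, where the names are already encrypted.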

