Discussion:
OpenZFS from ports
Andrea Venturoli
2021-04-03 09:10:29 UTC
Hello.

In the next few days I'm going to convert an 11.4 system from UFS +
UFS/GELI to ZFS.
In the past I would have created two sets of partitions, one for a zpool
and one for a zpool/GELI.
Of course this would be a limitation since the partition sizes are fixed
forever.

I hear OpenZFS has native encryption, but I'm not prepared to move to 13
yet, so I'm evaluating upgrading to 12.2 and using OpenZFS from ports.
Is this possible? Stable? Discouraged?
Anything to watch for?
Any disadvantage over GELI?



My (not definitive) plan would be:
_ move everything to ZFS first (this would be to a new set of HDs, so I
could keep the old ones as backup), losing encryption;
_ upgrade to 12.2;
_ switch to OpenZFS;
_ create a new encrypted dataset and move there the data that should be
encrypted.

Any better hint?



I know kernel modules should be built locally, but I normally build with
poudriere and never had any trouble.
Would this work for sysutils/openzfs-kmod?

bye & Thanks
av.
andrew clarke
2021-04-03 09:54:42 UTC
Post by Andrea Venturoli
_ move everything to ZFS first (this would be to a new set of HDs, so I
could keep the old ones as backup), losing encryption;
_ upgrade to 12.2;
_ switch to OpenZFS;
_ create a new encrypted dataset and move there the data that should be
encrypted.
Depending on your needs, running PEFS on top of ZFS may be an option, at least
temporarily until you upgrade to FreeBSD 13.
Andrea Venturoli
2021-04-03 17:15:35 UTC
Post by andrew clarke
Post by Andrea Venturoli
_ move everything to ZFS first (this would be to a new set of HDs, so I
could keep the old ones as backup), losing encryption;
_ upgrade to 12.2;
_ switch to OpenZFS;
_ create a new encrypted dataset and move there the data that should be
encrypted.
Depending on your needs, running PEFS on top of ZFS may be an option, at least
temporarily until you upgrade to FreeBSD 13.
That might be a good suggestion, as I did not know PEFS.
Is it reliable? More reliable than ZFS?
Any gotchas from someone who used it in production?

bye & Thanks
av.
andrew clarke
2021-04-15 14:11:29 UTC
Update : I no longer recommend PEFS. At least not at the moment.

To my surprise, sysutils/pefs-kmod (2018.11.26) fails to build under
FreeBSD 13.0-REL, and it's beyond my knowledge to fix it.

It's also not possible to load the kernel driver from the FreeBSD 12.2
build of PEFS in FreeBSD 13.0:

Apr 14 17:37:35 blizzard kernel: KLD pefs.ko: depends on kernel - not available or version mismatch
Apr 14 17:37:35 blizzard kernel: linker_load_file: /boot/modules/pefs.ko - unsupported file type

So beware that if you upgrade to FreeBSD 13.0 and you have any PEFS
data, you won't be able to access it from that machine after the upgrade.
The only way I could access mine was via SSHFS from another system still
running FreeBSD 12.2.

Evidently development on PEFS seems to have stalled, so I'm not expecting
a patch to fix the build on 13.0 any time soon. Consequently I'm looking at
moving the data to a ZFS encrypted filesystem on the 13.0 machine, but for
various reasons I'm a bit hesitant.

There is also ENCFS (sysutils/fusefs-encfs), which still works in FreeBSD
13.0, though from memory the performance wasn't great compared to PEFS.
Post by andrew clarke
Post by Andrea Venturoli
_ move everything to ZFS first (this would be to a new set of HDs, so I
could keep the old ones as backup), losing encryption;
_ upgrade to 12.2;
_ switch to OpenZFS;
_ create a new encrypted dataset and move there the data that should be
encrypted.
Depending on your needs, running PEFS on top of ZFS may be an option, at least
temporarily until you upgrade to FreeBSD 13.
Tomasz CEDRO
2021-04-15 14:44:26 UTC
Post by andrew clarke
Evidently development on PEFS seems to have stalled, so I'm not expecting
a patch to fix the build on 13.0 any time soon. Consequently I'm looking at
moving the data to a ZFS encrypted filesystem on the 13.0 machine, but for
various reasons I'm a bit hesitant.
Just use default ZFS on encrypted GELI as the installer suggests. Use the aesni
module to use hardware for encryption. It works fine :-)

PEFS may be good for local encryption of selected directories / files. ZFS +
GELI is better for system-wide. Please report PEFS to Bugzilla, it may be
fixed soon :-)

ZFS provides you with a (differential) snapshot (and then standard stream)
mechanism that you can put into cron to create automatic incremental
backups and export.

--
CeDeROM, SQ7MHZ, http://www.tomek.cedro.info
Andrea Venturoli
2021-04-15 15:45:20 UTC
Post by andrew clarke
Update : I no longer recommend PEFS. At least not at the moment.
...
Evidently development on PEFS seems to have stalled,
That's what I feared.

I was about to try PEFS this morning, but had to postpone.
Now I'm of course more confused:
_ try PEFS (performance is not an issue and eventually I'll move the
data before I upgrade to 13, which won't be that soon);
_ try OpenZFS.

Why are you hesitant about the latter?

bye & Thanks
av.

Arthur Chance
2021-04-03 13:48:37 UTC
Post by Andrea Venturoli
Hello.
In the next few days I'm going to convert a 11.4 system from UFS +
UFS/GELI to ZFS.
In the past I would have created two sets of partitions, one for a zpool
and one for a zpool/GELI.
Of course this would be a limitation since the partition sizes are fixed
forever.
I hear OpenZFS has native encryption, but I'm not prepared to move to 13
yet, so I'm evaluating upgrading to 12.2 and using OpenZFS from ports.
Is this possible? Stable? Discouraged?
Anything to watch for?
Any disadvantage over GELI?
_ move everything to ZFS first (this would be to a new set of HDs, so I
could keep the old ones as backup), losing encryption;
_ upgrade to 12.2;
_ switch to OpenZFS;
_ create a new encrypted dataset and move there the data that should be
encrypted.
Any better hint?
How about ZFS on top of GELI encrypted disks?
Post by Andrea Venturoli
I know kernel modules should be built locally, but I normally build with
poudriere and never had any trouble.
Would this work for sysutils/openzfs-kmod?
--
The number of people predicting the demise of Moore's Law doubles
every 18 months.
Andrea Venturoli
2021-04-03 17:13:00 UTC
Post by Arthur Chance
How about ZFS on top of GELI encrypted disks?
That was the first idea, the one I've used in the past and the one I'm
trying to avoid now.
Post by Arthur Chance
In the past I would have created two sets of partitions, one for a zpool
and one for a zpool/GELI.
Of course this would be a limitation since the partition sizes are fixed
forever.
bye & Thanks
av.
Andrea Venturoli
2021-04-04 09:27:31 UTC
Post by Andrea Venturoli
I hear OpenZFS has native encryption, but I'm not prepared to move to 13
yet, so I'm evaluating upgrading to 12.2 and using OpenZFS from ports.
Is this possible? Stable? Discouraged?
Anything to watch for?
One further question:
_ I've read encryption is selected at the dataset level and that you
can't boot from an encrypted dataset;
_ somewhere else I read you cannot boot from an encrypted pool.

So just to be sure: can I create only one zpool and boot from it, while
having part of it (one or more datasets) encrypted, as long as the one
where the OS is is in clear?

bye & Thanks
av.
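The layout asked about above, one pool with an unencrypted boot dataset and encrypted children, as an added example script (not code from the thread or from OpenZFS). It assumes OpenZFS 2.x on FreeBSD, a hypothetical pool named zroot whose bootfs is zroot/ROOT/default, and that encrypted children are created with keylocation=prompt, so their keys are not loaded at boot and have to be loaded by hand (or from rc.local) before they can be mounted. The root_is_clear check encodes the constraint the question is about: the dataset the loader boots from must itself have encryption=off.

```shell
#!/bin/sh
# unlock-datasets.sh: after booting from an unencrypted root dataset, find the
# encrypted children of the pool whose key is not loaded, load their keys and
# mount them. Added example; pool and dataset names are hypothetical.
set -eu

POOL="${POOL:-zroot}"

# Create an encrypted child dataset. Encryption is a per-dataset property, so
# the pool and the boot dataset stay in clear; keyformat=passphrase with
# keylocation=prompt means the passphrase is asked for on load-key and is not
# stored anywhere on disk.
create_encrypted() {
    zfs create -o encryption=aes-256-gcm -o keyformat=passphrase \
               -o keylocation=prompt "$1"
}

# One line per dataset: name, encryption, keystatus, mounted.
# Unencrypted datasets report encryption=off and keystatus=-.
inventory() {
    zfs list -H -o name,encryption,keystatus,mounted -t filesystem -r "$1"
}

# Datasets that are encrypted but whose key is not currently loaded.
locked_datasets() {
    inventory "$1" | awk '$2 != "off" && $3 == "unavailable" { print $1 }'
}

# The dataset the loader boots from (pool property bootfs) must not be
# encrypted; returns non-zero if it is.
root_is_clear() {
    root=$(zpool get -H -o value bootfs "$1")
    [ "$(zfs get -H -o value encryption "$root")" = off ]
}

# Load the key for every locked dataset in the pool and mount it.
unlock_all() {
    pool=$1
    root_is_clear "$pool" || {
        echo "bootfs of $pool is encrypted; the loader cannot boot from it" >&2
        return 1
    }
    for ds in $(locked_datasets "$pool"); do
        zfs load-key "$ds"      # prompts for the passphrase (keylocation=prompt)
        zfs mount "$ds"
    done
}

# Run only when explicitly invoked, e.g. from rc.local:
#   UNLOCK_RUN=1 /usr/local/sbin/unlock-datasets.sh
if [ -n "${UNLOCK_RUN:-}" ]; then
    unlock_all "$POOL"
fi
```

Running inventory on the pool is also the quickest way to audit the layout: anything that must stay readable without a passphrase (the boot dataset, /var/log if you want logs before unlock) should show encryption=off, everything else a cipher name.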