Stories
Slash Boxes
Comments

SoylentNews is people

Playing with ZFS (on Linux) Encryption

posted by martyb on Sunday June 25 2017, @03:23AM   Printer-friendly
from the rot13++ dept.

Phoenix666 writes:

A blog has a walkthrough of using ZFS encryption on Linux:

In order to have a simple way to play with the new features of ZFS, it makes sense to have a safe "sandbox". You can pick an old computer, but in my case I decide to use a VM. It is tempting to use docker, but it won't work because we need a special kernel module to be able to use the zfs tools.

For the setup, I've decide to use VirtualBox and Archlinux, since those are a few tools that I'm more familiar with. And modifying the zfs-dkms package to build from the branch that hosts the encryption PR is really simple.

[...] Finally we are able to enjoy encryption in zfs natively in linux. This is a feature that was long due. The good thing is that this new implementation improved a few of the problems that the original one had, especially around key management. It is not binary compatible, which is fine in most cases and still not ready to be used in production, but so far I really like what I see.

If you want to follow progress, you can watch the current PR in the official git repo of the project. If everything keeps going ok, I would hope this feature to land in version 0.7.1

Original Submission

 
This discussion has been archived. No new comments can be posted.
Playing with ZFS (on Linux) Encryption | Log In/Create an Account | Top | 27 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 2) by kaszz on Sunday June 25 2017, @05:57AM (5 children)

    by kaszz (4211) on Sunday June 25 2017, @05:57AM (#530800) Journal

    Only the RAM allocated to the VM needs to be known. The virtualization overhead in terms of RAM isn't likely to be large. Actually ZFS shall be usable with 4 GB, and workable at 8 GB. So no 64 GB needed, but more is better (until any non-ECC ram gets a alpha emission.. flip).

    Starting Score:    1  point
    Karma-Bonus Modifier   +1  
    Total Score:   2  

  • (Score: 2) by jasassin on Sunday June 25 2017, @08:30AM (4 children)

    by jasassin (3566) <jasassin@gmail.com> on Sunday June 25 2017, @08:30AM (#530824) Homepage Journal

    Only the RAM allocated to the VM needs to be known.

    Disputable.

    The virtualization overhead in terms of RAM isn't likely to be large.

    It's an entire OS running in VirtualBox so it will use 1-2GB depending on the OS (not sure of how much RAM Arch Linux uses after booting a default install).

    So no 64 GB needed, but more is better (until any non-ECC ram gets a alpha emission.. flip).

    This is interesting. I'm not very familiar with ECC RAM but I seem to remember reading somewhere if a bit flips the system detects it and freezes anyway. The only difference is the flipped bit it detected forcing a system halt. (Been awhile since I read about ECC RAM.)

    --
    jasassin@gmail.com GPG Key ID: 0xE6462C68A9A3DB5A

    • (Score: 3, Informative) by kaszz on Sunday June 25 2017, @09:44AM

      by kaszz (4211) on Sunday June 25 2017, @09:44AM (#530829) Journal

      From the point of the operating system inside a VM. It's running a on real hardware. So even the "RAM" it uses may be swap in reality. Thus only the space allocated as "RAM" really matters.

      With overhead, I meant the memory overhead for the OS running on bare metal that hosts a VM.

      ECC can correct some bit errors and on the rest it will throw an error. The action taken depends. The general rule seems to be 1 bit error per gigabyte per hour.

    • (Score: 5, Informative) by zeigerpuppy on Sunday June 25 2017, @03:46PM (2 children)

      by zeigerpuppy (1298) on Sunday June 25 2017, @03:46PM (#530894)

      ZFS is great. But beware ECC RAM is not optional, it is an absolute requirement for ZFS data consistency. See here for why: https://pthree.org/2013/12/10/zfs-administration-appendix-c-why-you-should-use-ecc-ram/ [pthree.org] .
      Running ZFS in a VM is a good test but you get no benefit from doing this in production.
      ZFS can only protect your data if it has direct access to the drive controller at hardware level. Then feel free to layer whatever you like on top of it. I run many Xen VMs using sparse zvols with ext4 format on top, works great.
      Encryption is a feature that's long awaited in zfsonlinux, interesting to see it's close...

      • (Score: 2) by WillR on Monday June 26 2017, @04:20PM (1 child)

        by WillR (2012) on Monday June 26 2017, @04:20PM (#531374)

        Using ECC on anything with parity RAID-like storage should be considered mandatory. There's nothing especially bad RAM sensitive about ZFS, the same stuck-bit scenario can trash data on RAID 5 just as easily. ZFS just gets shit on much more frequently in the blogosphere about it, for reasons that aren't clear to me.

        • (Score: 2) by zeigerpuppy on Tuesday June 27 2017, @09:50AM

          by zeigerpuppy (1298) on Tuesday June 27 2017, @09:50AM (#531832)

          a good point, parity checking is the main issue. the other thing that makes ZFS a little different is the scrub operation. random bit flips in RAM that are uncaught could actually corrupt good data on disk during a scrub.
          I think most of the critiques are from people used to EXT or NFS file systems who want the ZFS special source but aren't willing to familarise themselves with its quirks!
          At least ECC is cheap these days...