Encryption on OpenIndiana
Not integrated in ZFS like with Solaris 11 and ZFS V.31+,
but on an underlying disk level and therefore working with ZFS V.28
The idea is:
- create files on a ZFS dataset (e.g. 1 GB each, with the option to back them up to any filesystem or cloud provider)
- build block devices from the files with lofiadm (lofiadm supports encryption; you must enter a passphrase here)
- build a regular ZFS pool from these devices (use e.g. RAID-Z2 so the pool can recover from backup files with errors)
Example:
1. Create a 1 GB file in /tank/secrets (a ZFS dataset)
cd /tank/secrets
mkfile 1g file1
2. Create encrypted block devices from the file(s) -> this creates a device /dev/lofi/1
lofiadm -c aes-256-cbc -a /tank/secrets/file1
Enter passphrase: ..
- Repeat for all files if you want to build a pool from more devices to have redundancy
(important if you want to back up these files on a non-ZFS file system)
3. Create a regular (e.g. basic) ZFS pool from this or these (encrypted) device(s)
zpool create secretpool /dev/lofi/1
The newly created pool works like any ZFS pool.
To take it offline you must export the pool and then remove the devices:
zpool export secretpool
lofiadm -d /tank/secrets/file1
To take it online again you must build the devices from the files using the same passphrase and import the pool:
lofiadm -c aes-256-cbc -a /tank/secrets/file1
Enter passphrase: ..
If you use the wrong passphrase, everything seems OK, but there are no files...
Now you can import your pool from these devices. The command
zpool import -d /dev/lofi
shows all available pools. To import the pool, you must use:
zpool import -d /dev/lofi/ secretpool
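The online/offline procedure above, wrapped into a small script for a pool built from several backing files. This is an added example, not code from the original post or from napp-it; the pool name, the file names, the DRY_RUN switch and the helper names are my assumptions, while the lofiadm and zpool invocations are the ones shown above. Before importing, it checks that the pool is actually visible on the decrypted devices, which is the way to catch the wrong-passphrase case the post mentions (lofiadm succeeds, but zpool finds no pool).

```shell
#!/bin/sh
# Added example (not from the original post): wraps the lofiadm/zpool
# procedure for a pool built from several encrypted backing files.
# Assumed names: POOL, DIR, FILES, DRY_RUN and the helper functions.
set -u

POOL=${POOL:-secretpool}
DIR=${DIR:-/tank/secrets}
FILES=${FILES:-"file1 file2 file3"}   # one lofi device per file
ALG=aes-256-cbc
DRY_RUN=${DRY_RUN:-0}                 # 1 = print commands instead of running them

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Attach every backing file as an encrypted block device. lofiadm prompts
# for the passphrase once per file; the same passphrase must be entered
# each time, otherwise that device decrypts to garbage.
attach_all() {
    for f in $FILES; do
        run lofiadm -c "$ALG" -a "$DIR/$f"
    done
}

# Detach the devices again (only after the pool has been exported).
detach_all() {
    for f in $FILES; do
        run lofiadm -d "$DIR/$f"
    done
}

# Check whether the output of "zpool import -d /dev/lofi" names our pool.
# The output is passed in as a string so the check can be tested without
# the real tools; the relevant lines look like "   pool: secretpool".
pool_listed() {
    printf '%s\n' "$1" | grep -q "^[[:space:]]*pool:[[:space:]]*$POOL\$"
}

# Bring the pool online: attach, verify the pool is visible on the
# decrypted devices, then import. With a wrong passphrase lofiadm succeeds
# but zpool sees no pool, so we detach again and report it.
bring_online() {
    attach_all
    if [ "$DRY_RUN" != 1 ]; then
        if ! pool_listed "$(zpool import -d /dev/lofi 2>/dev/null)"; then
            echo "pool $POOL not found on /dev/lofi devices (wrong passphrase or damaged files?)" >&2
            detach_all
            return 1
        fi
    fi
    run zpool import -d /dev/lofi "$POOL"
}

# Take the pool offline: export first, detach the devices afterwards.
take_offline() {
    run zpool export "$POOL" && detach_all
}

case "${1:-}" in
    online)  bring_online ;;
    offline) take_offline ;;
    "")      : ;;   # no argument: only define the functions
    *)       echo "usage: $0 online|offline" >&2; exit 2 ;;
esac
```

Run it as `sh secretpool.sh online` or `sh secretpool.sh offline`; set `DRY_RUN=1` to see the exact command sequence first. Keeping the export before the detach, and the visibility check before the import, is what prevents a half-attached or garbage-decrypted device set from being written to.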
The only disadvantage may be somewhat lower performance (the data goes through ZFS twice, plus the encryption).
But it is very elegant, easy to implement, and it is based simply on one or more encrypted files.
If you want to back them up, you can just copy them. With small files this is not a problem, even on FAT disks
with a maximum file size of 2 GB. If you have built redundant ZFS pools from several files (e.g. RAID-Z1/2/3), it is even not
a problem if 1/2/3 files get damaged for whatever reason.
I will add this to napp-it.
http://constantin.glez.de/blog/2012/02/introducing-sparse-encrypted-zfs-pools
http://www.cuddletech.com/blog/pivot/entry.php?id=1029
https://blogs.oracle.com/yakshaving/entry/encrypted_fs_on_solaris_10
http://www.idevelopment.info/data/Oracle/DBA_tips/Automatic_Storage_Management/ASM_21.shtml