We're using a backups server to back up all machines in a LAN. Four 2TB disks are assembled in a BTRFS RAID array and mounted as /media/backups. Under this are subvolumes droog, hex, etc, and snapshots droog_snap-{date1}, hex_snap-{date1}, etc.

Goal is to encrypt backups, but the concern is with snapshots. Won't piping rsync through encryption with GPG or somesuch, play havoc with BTRFS snapshot accounting?

Is there any way to encrypt an array so it is inaccessible while unmounted?

I've already asked on the ecryptfs listserv and it resulted in mass confusion.

--
http://www.fastmail.fm - A fast, anti-spam email service.

--
To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

So there is no way to have filesystem encryption, while keeping snapshots?

On Fri, Dec 7, 2012, at 8:16, merc1984@f-m.fm wrote:
> We're using a backups server to back up all machines in a LAN. Four 2TB disks are assembled in a BTRFS RAID array and mounted as /media/backups. Under this are subvolumes droog, hex, etc, and snapshots droog_snap-{date1}, hex_snap-{date1}, etc.
>
> Goal is to encrypt backups, but the concern is with snapshots. Won't piping rsync through encryption with GPG or somesuch, play havoc with BTRFS snapshot accounting?
>
> Is there any way to encrypt an array so it is inaccessible while unmounted?
>
> I've already asked on the ecryptfs listserv and it resulted in mass confusion.

On Wed, Dec 12, 2012 at 11:12 AM, <merc1984@f-m.fm> wrote:
> So there is no way to have filesystem encryption, while keeping
> snapshots?

I run btrfs on top of LUKS encryption on my laptop. You should be able to do the same.

You could then run rsync through ssh. However, rsync will have no knowledge of any blocks shared under subvolume snapshots.

Btrfs does not yet have internal encryption.

On Wed, Dec 12, 2012, at 10:31, Mitch Harder wrote:
> I run btrfs on top of LUKS encryption on my laptop. You should be able to do the same.
>
> You could then run rsync through ssh. However, rsync will have no knowledge of any blocks shared under subvolume snapshots.
>
> Btrfs does not yet have internal encryption.

The FAQ says specifically to NOT run BTRFS with any kind of volume encryption, so you're asking for trouble.

And clearly encryption is not possible if you need snapshots.

On Wed, Dec 12, 2012 at 12:38 PM, <merc1984@f-m.fm> wrote:
> On Wed, Dec 12, 2012, at 10:31, Mitch Harder wrote:
>> I run btrfs on top of LUKS encryption on my laptop. You should be able to do the same.
>>
>> You could then run rsync through ssh. However, rsync will have no knowledge of any blocks shared under subvolume snapshots.
>>
>> Btrfs does not yet have internal encryption.
>
> The FAQ says specifically to NOT run BTRFS with any kind of volume
> encryption, so you're asking for trouble.

Sayeth the FAQ:

Does Btrfs work on top of dm-crypt?

This is deemed safe since 3.2 kernels. Corruption has been reported before that, so you want a recent kernel. The reason was improper passing of device barriers that are a requirement of the filesystem to guarantee consistency.

> And clearly encryption is not possible if you need snapshots.

Snapshots don't come into this at all: btrfs doesn't care where the block devices it's on come from. Things like dm-crypt show btrfs (or whatever filesystem you put on it) a decrypted view of the device.

On Wed, Dec 12, 2012, at 10:48, cwillu wrote:
> Sayeth the FAQ:

Oh pardon me, it's BTRFS RAID that's a no-go, which is just as critical to me as I have a 4 disk 8TB array.
The FAQ goeth on to Say:
-----------------------------------------------------------
This pretty much forbids you to use btrfs' cool RAID features if you need encryption. Using a RAID implementation on top of several encrypted disks is much slower than using encryption on top of a RAID device. So the RAID implementation must be on a lower layer than the encryption, which is not possible using btrfs' RAID support.
-----------------------------------------------------------

You saw that I need RAID above. Were you just trying to criticize my memory of the FAQ cwillu?

On Wed, Dec 12, 2012 at 2:06 PM, <merc1984@f-m.fm> wrote:
> On Wed, Dec 12, 2012, at 10:48, cwillu wrote:
>> Sayeth the FAQ:
>
> Oh pardon me, it's BTRFS RAID that's a no-go, which is just as critical
> to me as I have a 4 disk 8TB array.
> The FAQ goeth on to Say:
> -----------------------------------------------------------
> This pretty much forbids you to use btrfs' cool RAID features if you
> need encryption. Using a RAID implementation on top of several encrypted
> disks is much slower than using encryption on top of a RAID device. So
> the RAID implementation must be on a lower layer than the encryption,
> which is not possible using btrfs' RAID support.
> -----------------------------------------------------------
>
> You saw that I need RAID above. Were you just trying to criticize my
> memory of the FAQ cwillu?

It's not asking for trouble, it's just asking for poor performance, and I suspect even that will depend greatly on the workload.

Snapshots still have nothing to do with it: you could have btrfs (with snapshots) on dm-crypt on mdraid. Btrfs would just lose the ability to try alternate mirrors and similar; snapshots would still work just fine.

merc1984@f-m.fm wrote (ao):
> Oh pardon me, it's BTRFS RAID that's a no-go, which is just as critical
> to me as I have a 4 disk 8TB array.
> The FAQ goeth on to Say:
> -----------------------------------------------------------
> This pretty much forbids you to use btrfs' cool RAID features if you
> need encryption.

Forbids? That is just plain wrong.

I have one btrfs filesystem on top of two encrypted devices. Works just fine.

Sander

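The layering cwillu and Sander describe above (LUKS on each disk, one btrfs filesystem across the decrypted mappings, snapshots on top), as an added example that is not part of the thread. Disk names, the `crypt_` mapper naming and the raid1 profile are assumptions; the script only prints the commands unless `APPLY=1` is set.

```shell
#!/bin/sh
# Added example (not from the thread): one btrfs filesystem spanning several
# dm-crypt (LUKS) mappings. Disk names, mapper names and the raid1 profile are
# assumptions. Dry-run by default; set APPLY=1 and run as root to execute.

DISKS="${DISKS:-/dev/sdb /dev/sdc /dev/sdd /dev/sde}"  # assumed member disks
MNT="${MNT:-/media/backups}"                           # mount point named in the thread

# The FAQ text quoted in the thread: btrfs on dm-crypt is deemed safe since 3.2.
kernel_ok() {
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%[!0-9]*}
    [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "${minor:-0}" -ge 2 ]; }
}

# Print the command, or execute it when APPLY=1.
run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

mapper_name() { echo "crypt_$(basename "$1")"; }  # hypothetical naming scheme

plan() {
    members=""
    for d in $DISKS; do
        m=$(mapper_name "$d")
        run cryptsetup luksFormat "$d"   # destroys existing data on $d
        run cryptsetup open "$d" "$m"    # decrypted view: /dev/mapper/$m
        members="$members /dev/mapper/$m"
    done
    # btrfs RAID sits above the encryption layer, across the mappings.
    run mkfs.btrfs -d raid1 -m raid1 $members
    run btrfs device scan
    set -- $members
    run mount "$1" "$MNT"
    # Snapshots behave as on any other block device.
    run btrfs subvolume create "$MNT/droog"
    run btrfs subvolume snapshot -r "$MNT/droog" "$MNT/droog_snap-$(date +%Y-%m-%d)"
}

if kernel_ok "$(uname -r)"; then
    plan
else
    echo "kernel $(uname -r) predates 3.2; not setting up btrfs on dm-crypt" >&2
fi
```

Once the filesystem is unmounted and each mapping is closed with `cryptsetup close`, the data on the disks can be read only by someone holding the LUKS passphrase or key.
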
On Thu, Dec 13, 2012, at 1:17, Sander wrote:
> Forbids? That is just plain wrong.
> I have one btrfs filesystem on top of two encrypted devices. Works just
> fine.

That's dynamite Sander.

But I am not going to contravene the instructions, then have problems, only to come back here and have fingers wagged in my face telling me this is all EXPERIMENTAL!

On Thu, Dec 13, 2012 at 09:23:05AM -0800, merc1984@f-m.fm wrote:
> On Thu, Dec 13, 2012, at 1:17, Sander wrote:
>> Forbids? That is just plain wrong.
>> I have one btrfs filesystem on top of two encrypted devices. Works just
>> fine.
>
> That's dynamite Sander.
>
> But I am not going to contravene the instructions, then have problems,
> only to come back here and have fingers wagged in my face telling me
> this is all EXPERIMENTAL!

Well, I'm afraid that applies to the information on the wiki, too -- that's also experimental, to a degree. The notes on the wiki about behaviour of encryption layers weren't added by any of the core developers. Nobody's published concrete tests *either* way yet, and those comments are one person's opinion, as far as I'm aware (and note that they don't actually quote sources, results, or even personal experience).

YMMV.

Hugo.

--
=== Hugo Mills: hugo@... carfax.org.uk | darksatanic.net | lug.org.uk ==
PGP key: 515C238D from wwwkeys.eu.pgp.net or http://www.carfax.org.uk
--- Great oxymorons of the world, no. 2: Common Sense ---