Hi.

I'm moving some of my geli installation to a new machine. On an old machine it was running UFS. I use ZFS on a new machine, but I don't have an encrypted main pool (and I don't want to), so I'm kinda considering a way where I will make a zpool on a zvol encrypted by geli. Would it be completely insane (should I use UFS instead?) or would it be still valid?

Thanks.
Eugene.
On 22.07.2013 10:04, Eugene M. Zheganin wrote:
> Hi.
>
> I'm moving some of my geli installation to a new machine. On an old
> machine it was running UFS. I use ZFS on a new machine, but I don't have
> an encrypted main pool (and I don't want to), so I'm kinda considering a
> way where I will make a zpool on a zvol encrypted by geli. Would it be
> completely insane (should I use UFS instead?) or would it be still
> valid?

I have configured a system in just that way, a few weeks ago. It seems to work just fine.

This is a workgroup server for a small company, which is meant to provide secure storage for documents. The system has a separate boot/root pool and a large pool for data (both as ZFS mirrors). On the data pool there is a ZVOL which is GELI encrypted to provide a "disk" for the encrypted ZFS that holds the documents.

The system is running headless in some datacenter. It must boot multi-user and start an SSHD for remote entry of the passphrase, therefore solutions where a GELI key is on a USB key or entered via a console during boot were not possible.

Performance is reasonable and far exceeds the 100Mbit/s Ethernet port ordered in the data-center, so I did not bother to measure throughput of this ZFS on GELI encrypted ZPOOL.

For low load scenarios, this seems to be the easiest configuration. If you have hardware crypto or expect high load, then a ZFS mirror of GELI encrypted disks may show better performance, though.

Regards, Stefan
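The layout Stefan describes (a plain data pool, a ZVOL on it, GELI on the ZVOL, a second zpool on the .eli device, passphrase typed in over SSH after multi-user boot) written out as a small FreeBSD sh script. This is an added example, not code from any poster; the pool name `data`, volume name `cryptvol`, inner pool name `secure`, volume size and the AES-XTS/256-bit/4 KiB-sector GELI parameters are all assumed. It defaults to a dry run that only prints the commands it would execute, so it can be read and checked before being run with DRY_RUN=0 on a real host.

```shell
#!/bin/sh
# Constructed example: GELI-encrypted zpool on top of a ZVOL (FreeBSD).
# Names, sizes and GELI parameters below are assumptions, not values from the thread.

DATA_POOL="${DATA_POOL:-data}"        # unencrypted pool that carries the ZVOL
ZVOL_NAME="${ZVOL_NAME:-cryptvol}"    # ZVOL that becomes the GELI provider
ZVOL_SIZE="${ZVOL_SIZE:-100G}"
ENC_POOL="${ENC_POOL:-secure}"        # pool created on the .eli device
DRY_RUN="${DRY_RUN:-1}"               # 1 = print commands only, 0 = execute them

# Run a command, or print it verbatim when dry-running.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Path of the raw ZVOL device; the GELI provider appears as this path + ".eli".
zvol_dev() {
    printf '/dev/zvol/%s/%s' "$DATA_POOL" "$ZVOL_NAME"
}

# One-time setup. geli init and geli attach prompt for the passphrase on the
# controlling terminal, which is what allows entry over an SSH session.
# No keyfile is used, so nothing on the unencrypted pools can unlock the data.
create_encrypted_pool() {
    dev="$(zvol_dev)"
    # volmode=dev keeps GEOM from tasting the raw volume as a disk.
    run zfs create -V "$ZVOL_SIZE" -o volmode=dev "$DATA_POOL/$ZVOL_NAME"
    # AES-XTS, 256-bit key, 4 KiB sectors (fewer crypto ops per byte than 512).
    run geli init -e AES-XTS -l 256 -s 4096 "$dev"
    run geli attach "$dev"
    run zpool create -O compression=lz4 "$ENC_POOL" "$dev.eli"
}

# After every reboot: log in over SSH, attach the provider, import the pool.
# The pool is deliberately NOT in rc.conf (no geli_devices / boot-time prompt).
attach_after_boot() {
    dev="$(zvol_dev)"
    run geli attach "$dev"
    run zpool import "$ENC_POOL"
}

# Before shutdown or maintenance: export the pool, then drop the GELI provider
# so the key material leaves kernel memory.
detach_encrypted_pool() {
    run zpool export "$ENC_POOL"
    run geli detach "$(zvol_dev).eli"
}

case "${1:-}" in
    create) create_encrypted_pool ;;
    attach) attach_after_boot ;;
    detach) detach_encrypted_pool ;;
    "")     ;;   # sourced or run without arguments: define functions only
    *)      echo "usage: $0 create|attach|detach" >&2 ;;
esac
```

Run `DRY_RUN=1 sh zvol-geli.sh create` first to review the exact commands, then the same with DRY_RUN=0 as root. The outer pool still needs enough free space to hold the whole ZVOL, and an exported inner pool simply fails to import at boot, which is harmless; the host comes up multi-user with sshd and the data stays locked until `attach` is run.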
On 22-07-2013 10:04, Eugene M. Zheganin wrote:
> Hi.
>
> I'm moving some of my geli installation to a new machine. On an old
> machine it was running UFS. I use ZFS on a new machine, but I don't have
> an encrypted main pool (and I don't want to), so I'm kinda considering a
> way where I will make a zpool on a zvol encrypted by geli. Would it be
> completely insane (should I use UFS instead?) or would it be still
> valid?

Hello,

I've used this setup for a while on several servers, it works but it is slow. I am migrating my servers to have two zpools instead, a small one with the base system and nothing else, the other one on top of a geli device. This performs much better and is IMO a better solution. YMMV :)

I have this method documented on my wiki here:
http://wiki.tyk.nu/index.php?title=Ezjail_host#Further_disk_configuration

Best regards,
Thomas Steen Rasmussen
On Mon, 22 Jul 2013 10:04:19 +0200, Eugene M. Zheganin <emz at norma.perm.ru> wrote:
> Hi.
>
> I'm moving some of my geli installation to a new machine. On an old
> machine it was running UFS. I use ZFS on a new machine, but I don't have
> an encrypted main pool (and I don't want to), so I'm kinda considering a
> way where I will make a zpool on a zvol encrypted by geli. Would it be
> completely insane (should I use UFS instead?) or would it be still
> valid?
>
> Thanks.
> Eugene.

I think that depends on your configuration and situation. If you have a spare disk to use for GELI+UFS, that is simpler to configure/maintain. But if you are running a big fileserver, then the overhead of ZFS+GELI+UFS might be negligible.

Ronald.