# Advice for LVM + encryption choice



## Blackbird (Aug 3, 2010)

I want to re-setup my workstation on LVM, because I don't want to worry about full partitions and remaining disk space any more.
And I want to encrypt some partitions, too. These partitions should be resizeable as well.

That is it, I'm looking for the most solid solution to do this.
I have a second hard disk on which I will make a backup every week, but the encrypted data backups must be encrypted as well.
But mustn't be in an LVM, of course.

So, which LVM (ZFS, Gvinum, ...?) and which encryption tool (GBDE, geli, ZFS native?) would you advise me to choose? Remember, the main point is the reliability.


----------



## daemotron (Aug 3, 2010)

Here's an example of how ZFS can be used on top of a geli-encrypted disk: http://blog.experimentalworks.net/2008/03/setting-up-an-encrypted-zfs-with-freebsd/. Frankly speaking, I do not consider this setup elegant or advisable, but it seems to work at least. I have no experience in using gvinum, but it should be by far the easiest to combine gvinum with geli to obtain encrypted LVM volumes. All other combinations (particularly those where ZFS is involved) will be far more complicated, show tricky behaviour at boot time, etc. Please don't get it wrong, if you'd just asked for an LVM alone, I'd have recommended ZFS.

HTH


----------



## Blackbird (Aug 6, 2010)

Ok, you say gvinum + geli would be the best solution... why?

And please, I need yet another statement.


----------



## aragon (Aug 6, 2010)

Mmm, if I'm like most BSD guys, we avoid those penguiny volume managers like the plague.  All I know is that gmirror(8) rocks the socks off Linux's equivalent IMHO.


----------



## Blackbird (Aug 7, 2010)

Ehh??! Neither do I talk about anything to do with Linux, nor did I ask for a RAID configuration utility.
As I said, I want an LVM for a dynamic partition scheme.


----------



## aragon (Aug 7, 2010)

Oh.  I read LVM to be the linux-specific term, sorry.

Considering you only want to encrypt certain parts of your data, it might be easier to run ZFS natively on your disks and create file backed (vnode) md(4) devices inside whichever ZFS volume, to which you attach geli and a UFS file system.


----------



## Blackbird (Aug 7, 2010)

Doesn't sound to me like a clean, durable and solid solution.


----------



## aragon (Aug 7, 2010)

Works for me. Makes it easy to back up my encrypted file systems as is - just one file I can rsync to another drive or off-site.


----------
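
The setup aragon describes in this thread (a file-backed md(4) device on a ZFS dataset, with geli and UFS on top, backed up as a single file), sketched as an added example that is not part of any post. The paths, size, md unit number and the `vault_*` function names are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. Paths, size and md unit are assumptions.
# DRY_RUN=1 prints each command instead of running it.
IMG=${IMG:-/tank/secure/vault.img}      # hypothetical backing file on a ZFS dataset
SIZE=${SIZE:-10G}
UNIT=${UNIT:-10}                        # md unit number, gives /dev/md10
MNT=${MNT:-/mnt/vault}
BACKUP=${BACKUP:-/backup/vault.img}     # hypothetical target on the second disk
ELI_NODE=${ELI_NODE:-/dev/md$UNIT.eli}  # exists only while geli is attached

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

vault_detach() {
    run geli detach "md$UNIT.eli" &&
    run mdconfig -d -u "$UNIT"
}

vault_create() {    # one-time setup
    run truncate -s "$SIZE" "$IMG" &&
    run mdconfig -a -t vnode -f "$IMG" -u "$UNIT" &&
    run geli init -s 4096 "/dev/md$UNIT" &&    # asks for a new passphrase
    run geli attach "/dev/md$UNIT" &&
    run newfs -U "/dev/md$UNIT.eli" &&
    vault_detach
}

vault_open() {
    run mdconfig -a -t vnode -f "$IMG" -u "$UNIT" &&
    run geli attach "/dev/md$UNIT" &&          # asks for the passphrase
    run mount "/dev/md$UNIT.eli" "$MNT"
}

vault_close() {
    run umount "$MNT" && vault_detach
}

vault_backup() {
    # Copy only while detached: the file is then consistent and still ciphertext.
    if [ -e "$ELI_NODE" ]; then
        echo "vault is attached; run 'close' first" >&2
        return 1
    fi
    run rsync -a --inplace "$IMG" "$BACKUP"
}

case "${1:-}" in
    create|open|close|backup) "vault_$1" ;;
esac
```

Because the backup copies the backing file rather than the mounted contents, the second disk only ever holds geli ciphertext, which covers the requirement that encrypted data stay encrypted in the backup.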



## Blackbird (Aug 7, 2010)

Hm yes. Do you know when ZFS will get native encryption in it? It was planned for Q1 2010.

Or does it already have it? If yes, with which stability?


----------



## daemotron (Aug 7, 2010)

ZFS has no encryption built in yet. The project is still under development (see http://hub.opensolaris.org/bin/view/Project+zfs-crypto/WebHome). There are still "some" bugs to be fixed: http://bugs.opensolaris.org/bugdatabase/search.do;keyword=zfs-crypto

I recommended gvinum+geli since it is currently the only solution that's not a kind of bodge-up. Both are based on the GEOM framework, so they are stackable by design. Furthermore, most of the vinum code itself is much older than gvinum and really well tested. ZFS on the other hand certainly has the potential to become a natural successor of all the geom stuff, but today, it has not yet reached the same level of reliability, and particularly for your problem, it does not provide a design solution.


----------



## Blackbird (Aug 8, 2010)

Thank you, that sounds good. I think I will give gvinum + geli a try.


----------

