# Last doubts on ZFS and encryption



## luckylinux (Jul 5, 2012)

In the end I think I'll use FreeBSD as the OS for my NAS and not use FreeNAS. FreeBSD is more prontly updated and has a bigger community. I could always use ZFSguru with FreeBSD if I "need" to.
Therefore I'm finally going to install FreeBSD on my home NAS server.

Before I do that I'd like to know some more details: I already got most of my questions answered in this thread.

I still have some questions remaining though:

I didn't really understand the difference between GELI or GBDE, besides the fact that Geli seems to allow accelerated encryption/decryption using AES-NI. I plan on doing full system encryption. Furthermore I plan on fully encrypt my storage pool (located on other physical drives). Which one should work best in this case?
SSH decryption at boot (prompt for password via SSH): I tried this on GNU/Linux once but it didn't work at all. Is it supported on FreeBSD or can I make it?
System partitioning scheme. I think there are more than a hundred variants here (like on GNU/Linux) but which one's would be "good enough" for a beginner? Personally on GNU/Linux I never had to do separate sub-folders (i.e. /var/*, except on Gentoo for in-RAM compiling): only used /boot, /, /home, /usr and (depending on the system) /var and /tmp. The problem I always ran into at a certain point is that a partition became full. Therefore I began using LVM, but with ZFS that's kind of "integrated" AFAIK. How would the partitioning scheme affect the ZFS snapshots feacture (like: do I have to do a snapshot for each partition)
 *EDIT*: can you add L2ARC (cache) / ZIL (log) devices later on or do you have to set them up right from the start?

Thank you very much in advance for any clarification on the subject.


----------



## throAU (Jul 6, 2012)

I'll answer what I can

3.  Partitioning:  not so important with ZFS, as you have a big pool that is shared between the various traditional mount points.  You may want to read up on ZFS pools and ZFS filesystems, and the relationship between them.  Basically your ZFS pool will reside on one partition per disk (or even the whole disk) and the "partitions" (ZFS filesystems) for /usr etc. are dynamically allocated out of that pool.

4.  Pretty sure you can add L2ARC / ZIL after pool creation.

If the box is going to be for storage only, I'd certainly consider FreeNAS.  I'm running 8.0.4 at home and the installer/gui is very slick.  I'd even go so far as to say worthy of comparison to the Netapp FAS2240 I have at work.  It also makes installing to USB stick very very simple which means you can keep your data separate from your OS, which is nice.  I'm just not sure if it supports encryption in the current release.

8.2 (in beta) will add support for modules - allowing you to run a torrent server, DLNA server, etc. on it.

If you do decide to use FreeBSD - the PC-BSD installer will allow you to install "FreeBSD" onto a ZFS setup with the GUI.  Doing so with the FreeBSD installer is not possible at the moment, you need to install via command line if you want root on ZFS.


My final recommendation would be this:  Download Virtualbox and play with FreeBSD + ZFS in that before building your live system.  ZFS is very different from traditional filesystems and you could quite easily shoot yourself in the foot if you set it up wrong, or go about maintaining it incorrectly.  A lot of the concepts you know from other operating systems or filesystems do not necessarily apply.


----------



## luckylinux (Jul 6, 2012)

Thank you for your answer throAU.
I'm hesitant to use FreeNAS because I heard there were issues of loss of data with the latest version. Furthermore I may be interested to install some backup service for my other computers (though in the end I may as well do that on another computer): not so sure right now.


			
				&quot said:
			
		

> My final recommendation would be this: Download Virtualbox and play with FreeBSD + ZFS in that before building your live system. ZFS is very different from traditional filesystems and you could quite easily shoot yourself in the foot if you set it up wrong, or go about maintaining it incorrectly. A lot of the concepts you know from other operating systems or filesystems do not necessarily apply.


Nice suggestion. The biggest issue I have currently is how to cope with GELI + ZFS. I'm having a similar problem with mdadm + LVM + EXT4 on GNU/Linux and - as you said - I already shoot myself in the foot more than once before beginning to understand it.


----------



## xibo (Jul 6, 2012)

> 2. SSH decryption at boot (prompt for password via SSH): I tried this on GNU/Linux once but it didn't work at all. Is it supported on FreeBSD or can I make it?


No. If you put root on a GELI devide, you would initialize that device with -b option to geli(8) which implies the bootup proccess would prompt for the key before mounting root (and especially before parsing /etc/rc.conf where network configuration is stored in).
You can try booting the box with RS-232 terminal redirection or use IPMI with iKVM to remotely provide the key during boot, if your NAS provides those interfaces. Alternatively you can put the OS (including /var and /tmp) on an unencrypted device and initiallize the main storage after full system startup (including sshd/telnetd/whatever)


----------



## luckylinux (Jul 6, 2012)

xibo said:
			
		

> You can try booting the box with RS-232 terminal redirection or use IPMI with iKVM to remotely provide the key during boot, if your NAS provides those interfaces. Alternatively you can put the OS (including /var and /tmp) on an unencrypted device and initiallize the main storage after full system startup (including sshd/telnetd/whatever)


The idea seems good. IPMI would need something like a Supermicro / Intel server grade motherboard (currently I have an ASUS desktop grade motherboard) - however I could buy a Supermicro board but I'd like to see if I can avoid that (at least for now).
I think iKVM is the ASUS' technology to what IPMI is for Supermicro / Intel.

KVM over IP would work too I suppose (since it basically transfers the console to a network-connected computer), however I would need additional hardware for that. Any suggestion on this aspect? The only ones I can find here are > 600$.

Isn't there some kind of addon card or something like that?

And do you know of some how-to for unencrypted (minimal) device + encrypted most of the system? Thank you.


----------

