# ZFS and RaidZ: partial or full disc encryption?



## donduq (Dec 15, 2012)

I searched through the forums and the Internet and found many valuable clues, but I need your advice on just a few more things before I'm ready to start working on this project.

I'm about to play with a machine with an Intel Q6600 (quad core) CPU, 7G RAM (DDR2) and six hard discs.

The CPU has no AES acceleration, so am I right to assume it's better to encrypt what actually needs to be encrypted, as opposed to going with full disc encryption?

If the answer is 'yes', then does this mean I must make two zpools: one for the OS and one for the storage? I hope not because in that case I need to plan beforehand how much space I need to allocate with gpart.

What would you advise me to do?


----------



## bbzz (Dec 15, 2012)

You are asking the wrong questions.
The main question is, do you have data that needs to be encrypted? Performance only comes second if the main issue is security.

As for the other question: you can have one pool for both system and data. If you decide to encrypt whole disks, you need to leave a small portion of unencrypted space to boot from. Or just use a small flash drive for the main system.


----------



## donduq (Dec 15, 2012)

bbzz said:

> You are asking the wrong questions.
> The main question is, do you have data that needs to be encrypted? Performance only comes second if the main issue is security.



Yes, I do have data that needs to be stored with encryption.



			
				bbzz said:
			
		

> As for other question; you can have one pool for both system and data. If you decide to encrypt whole disks, you need to leave small portion of unencrypted space to boot from. Or just use small flash drive for main system.



I realise. What I'm saying is that I don't see the need to encrypt the entire system; I'd be OK with only encrypting what needs to be encrypted rather than the entire system.

Let's say I only want to encrypt /home. Can this only be done if I make /home a separate zpool?


----------



## _martin (Dec 15, 2012)

Also check these ZFS best practices. Especially pay attention to how many disks you'll put into raidz (the _RAIDZ Configuration Requirements and Recommendations_ part of the docs).


----------



## bbzz (Dec 15, 2012)

donduq said:

> Let's say I only want to encrypt /home. Can this only be done if I make /home a separate zpool?



Yes, because geli is the underlying disk encryption, and you feed it like that to zpool. You can't do this per filesystem.


----------



## bbzz (Dec 15, 2012)

As a side note, do not make RaidZ with 6 disks. Raidz2 is a possibility; one of my servers has a no-AES CPU with 6 disks in mirror configuration. Resilvering/scrubbing is much less intensive compared to RaidZ2. Just something to think about.


----------



## donduq (Dec 15, 2012)

matoatlantis said:

> Also check these ZFS best practices. Especially pay attention to how many disks you'll put into raidz (the _RAIDZ Configuration Requirements and Recommendations_ part of the docs).



Thanks for that doc. My own consideration falls in line with this citation:



> Start a double-parity RAIDZ (raidz2) configuration at 6 disks (4+2)



In my case there are six 1TB discs = approximately 4TB. So, the plan, for now, is to use 500G without encryption = 125G per disc.

Did I overlook and/or do I need to consider anything else?

(Note to self: read that ZFS guide at least twice :stud)
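The per-disc layout this thread converges on (a small boot partition, an unencrypted partition for the OS pool, and a geli-encrypted partition whose `.eli` provider goes into a separate raidz2 pool, since geli sits below zpool and cannot encrypt a single dataset), as an added dry-run script that is not from the thread. Device names `ada0`..`ada5`, the pool names `sys` and `tank`, and the boot partition are assumptions; the script only prints the commands.

```shell
#!/bin/sh
# Added dry-run illustration of the layout discussed in this thread: each of
# six discs gets a small boot partition, an unencrypted partition for the OS
# pool, and a geli-encrypted partition; the .eli providers form a separate
# raidz2 pool, since geli sits below zpool and cannot encrypt one dataset.
# It only PRINTS the commands so they can be reviewed before being run as
# root on FreeBSD; device names, pool names and sizes below are assumptions.

DISKS="ada0 ada1 ada2 ada3 ada4 ada5"   # assumed device names
PLAIN_SIZE="125G"                       # unencrypted space per disc (from the thread)
SYS_POOL="sys"                          # assumed name of the unencrypted OS pool
DATA_POOL="tank"                        # assumed name of the encrypted data pool

# Print the gpart/geli commands for one disc; $1 = device, $2 = disc index.
layout_disk() {
    dev=$1; i=$2
    echo "gpart create -s gpt $dev"
    echo "gpart add -t freebsd-boot -s 512K $dev"                   # index 1
    echo "gpart bootcode -b /boot/pmbr -p /boot/gptzfsboot -i 1 $dev"
    echo "gpart add -t freebsd-zfs -s $PLAIN_SIZE -l plain$i $dev"  # index 2
    echo "gpart add -t freebsd-zfs -l crypt$i $dev"                 # rest of the disc
    echo "geli init -e AES-XTS -l 256 -s 4096 /dev/gpt/crypt$i"     # prompts for a passphrase
    echo "geli attach /dev/gpt/crypt$i"                             # creates crypt$i.eli
}

# Print the commands for all discs, then the two zpool create lines.
plan_layout() {
    i=0; plains=""; elis=""
    for d in $DISKS; do
        layout_disk "$d" "$i"
        plains="$plains /dev/gpt/plain$i"
        elis="$elis /dev/gpt/crypt$i.eli"
        i=$((i + 1))
    done
    echo "zpool create $SYS_POOL raidz2$plains"
    echo "zpool create $DATA_POOL raidz2$elis"
}

# Number of discs in DISKS (raidz2 needs at least 4; the thread uses 6 = 4+2).
count_disks() { set -- $DISKS; echo $#; }
```

Run `plan_layout` to see the command list; the data pool only imports after every `geli attach` has been done, so the attach step has to happen at each boot before `zpool import tank`.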


----------



## donduq (Dec 15, 2012)

bbzz said:

> As a side note, do not make RaidZ with 6 disks. Raidz2 is a possibility; one of my servers has a no-AES CPU with 6 disks in mirror configuration. Resilvering/scrubbing is much less intensive compared to RaidZ2. Just something to think about.



Okay, got it. This shows how new I am to this side of FreeBSD...


----------



## _martin (Dec 15, 2012)

But as you are still in the planning stage, it might be worth it to do some experiments. Install FreeBSD on a fully encrypted raidz2 pool (4+2P) and do some tests. You might be satisfied with the performance and leave it fully encrypted.

Also note you might be hitting a bottleneck on the motherboard anyway (depending on your setup, speed of disks, etc.).


----------

