# Encrypted ZFS file server running on a live CD



## FreeDomBSD (Oct 27, 2013)

Is it possible to have a ZFS running on top of an encrypted drive from a custom live cd?

Idea is to plug in my read-only storage media as a boot media for any PC to which I attach my USB external storage array.

I'd like to know if ZFS needs to "remember" things. I would not want to lose access to my data on the external array because the OS could not record changes from RAM onto OS drive.

I'm having a hard time formulating my question because I do not understand how ZFS works.


----------



## ApoC (Oct 27, 2013)

Current ZFS implementation does not support encryption. But you can use geli to encrypt underlying device. Nice example of this can be found here: https://www.dan.me.uk/blog/2012/05/06/full-disk-encryption-with-zfs-root-for-freebsd-9-x/


----------
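The geli-under-ZFS layering from the post above, sketched for a read-only boot medium (an added example, not part of any poster's message or of the linked blog). The function names, pool name `tank`, altroot `/mnt`, raidz layout and disks `da0`..`da3` are assumptions; by default the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example. Assumed names: pool "tank", altroot /mnt, disks da0..da3, raidz.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 runs them (FreeBSD, root).
DRY_RUN="${DRY_RUN:-1}"
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# One-time setup: encrypt each disk, then build the pool on the .eli providers.
# geli keeps its metadata in the provider's last sector, not on the boot medium.
create_pool() {
    [ "$#" -ge 3 ] || { echo "usage: create_pool POOL DISK DISK..." >&2; return 2; }
    pool="$1"; shift; vdevs=""
    for d in "$@"; do
        run geli init -e AES-XTS -l 256 -s 4096 "/dev/$d" || return 1
        run geli attach "/dev/$d" || return 1
        vdevs="$vdevs $d.eli"
    done
    # cachefile=none: nothing is written to /boot/zfs/zpool.cache on the host
    run zpool create -o cachefile=none -R /mnt "$pool" raidz $vdevs
}

# Every boot from the live medium: attach (passphrase prompt), then import.
# ZFS reads the pool layout from labels on the member devices themselves.
open_pool() {
    [ "$#" -ge 2 ] || { echo "usage: open_pool POOL DISK..." >&2; return 2; }
    pool="$1"; shift
    for d in "$@"; do
        run geli attach "/dev/$d" || return 1
    done
    run zpool import -o cachefile=none -R /mnt "$pool"
}

# Before unplugging: export the pool, then remove the keys from the kernel.
close_pool() {
    [ "$#" -ge 2 ] || { echo "usage: close_pool POOL DISK..." >&2; return 2; }
    pool="$1"; shift
    run zpool export "$pool" || return 1
    for d in "$@"; do
        run geli detach "$d.eli" || return 1
    done
}

case "${1:-}" in
    create) shift; create_pool "$@" ;;
    open)   shift; open_pool "$@" ;;
    close)  shift; close_pool "$@" ;;
esac
```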



## FreeDomBSD (Oct 27, 2013)

Thanks! I reworded the post!


----------



## AdamElteto (Oct 27, 2013)

So to clarify, you want to have a CD (or USB drive, since that is non-volatile as well) you can fire up on any computer, and attach external USB drives as a ZFS array? Allow me to ask you about the practicality: how often would you move the setup? Is it between something like work and home? If you regularly get back to your "main" rig, which I hope has a backup solution, would it not be easier just to have a portable bootable 2.5" HDD? Or a CD/USB drive for the system and the portable 2.5" HDD? I am trying to figure out the usage scenario. Even with a portable ZFS array, I hope you are not planning to have your important files only on that array.


----------



## Oko (Oct 27, 2013)

ApoC said:

> Current ZFS implementation does not support encryption. But you can use geli to encrypt underlying device. Nice example of this can be found here: https://www.dan.me.uk/blog/2012/05/06/full-disk-encryption-with-zfs-root-for-freebsd-9-x/


Are you 100% sure? I was under the impression (I am not a FreeBSD user at the moment but I am considering it for one of my applications) that ZFSv28, which should be the current ZFS state of art on FreeBSD, supports encryption. If that is not the case and if GELI is the only way, then Oracle's product is superior. That would also fully validate Matt Dillon's decisions. After your post I am almost 100% sure I am going with Hammer and DragonFly.


----------



## FreeDomBSD (Oct 27, 2013)

AdamElteto said:

> So to clarify, you want to have a CD (or USB drive, since that is non-volatile as well) you can fire up on any computer, and attach external USB drives as a ZFS array?



CD/DVD specifically or a hardware write-protected USB. Non-volatile was not a good choice of words. Read-only media is what I meant.



AdamElteto said:

> Allow me to ask you about the practicality: how often would you move the setup?


Rarely.



AdamElteto said:

> Is it between something like work and home?


No.



AdamElteto said:

> If you regularly get back to your "main" rig, which I hope has a backup solution, would it not be easier just to have a portable bootable 2.5" HDD?


My external array holds 16TB in one compact housing: 4x4TB.


----------



## ApoC (Oct 29, 2013)

Oko said:

> Are you 100% sure? I was under the impression (I am not a FreeBSD user at the moment but I am considering it for one of my applications) that ZFSv28, which should be the current ZFS state of art on FreeBSD, supports encryption. If that is not the case and if GELI is the only way, then Oracle's product is superior. That would also fully validate Matt Dillon's decisions. After your post I am almost 100% sure I am going with Hammer and DragonFly.



I think native encryption is supported since version 30. Here http://en.wikipedia.org/wiki/ZFS you can see features per ZFS version.


----------



## usdmatt (Oct 29, 2013)

> Are you 100% sure? I was under the impression (I am not a FreeBSD user at the moment but I am considering it for one of my applications) that ZFSv28, which should be the current ZFS state of art on FreeBSD, supports encryption. If that is not the case and if GELI is the only way, then Oracle's product is superior. That would also fully validate Matt Dillon's decisions. After your post I am almost 100% sure I am going with Hammer and DragonFly



No, OpenZFS does not have built-in encryption. v28 is not state-of-the-art in either Solaris (which is on ~v34) or FreeBSD, which has OpenZFS and is using 'feature flags' to implement new features rather than bumping version numbers (this allows multiple separate entities to develop new features in parallel whilst maintaining compatibility).

I'm not sure what the rest of your comment is in aid of - it seems more like flamebait than anything else. You mention it validating Matt Dillon's decision, but as far as I can tell HAMMER doesn't do internal encryption either? All examples I can find suggest that it works just like FreeBSD/ZFS and that an encrypted block device needs to be created first.

HAMMER has some interesting features but it also lacks the integrated volume management/"RAID" system that ZFS has, and possibly most importantly, has had a fraction of the real world production use/testing.

If your project is just running single disks then HAMMER may fit quite well (possibly even performing better), but to suggest that you're going with it 100% because of a feature missing in OpenZFS, that I can find no trace of in HAMMER, seems strange...


----------

