I have been trying to decide how I want to use encryption with respect to ZEVO. Here are my possible options so far:
1. Core Storage. I have seen the posts about HFS+ global locks on metadata.
a) Does this metadata lock issue come into play if you've given an entire external disk to Core Storage, and only have ZEVO volumes managed and encrypted by Core Storage with no HFS+ volumes given to Core Storage?
b) And if there are HFS+ volumes under Core Storage in addition to the ZEVO volumes, is the metadata lock issue resolved by just keeping the HFS+ partitions unmounted?
c) Or is there no way to escape the metadata lock issue if you're using Core Storage?
d) This seems like the best, most straightforward option, if the metadata issue can be resolved. The biggest downside is that this is the least cross-platform friendly solution. libfvde is in its infancy, so the only way to get at your data from another platform is through networking or virtualization (OS X can run under VMware, only legally if run on a Bootcamp partition on a Mac).
2. Truecrypt file volume, hosted in a zpool.
a) My concern here is that the Truecrypt website cautions that it can be a bad idea to use Truecrypt file volumes on a journaled filesystem (let alone ZEVO). The possible security hole is that even if you change passwords and/or keyfiles, remnants of the old header may be recoverable such that an old, compromised password could be used to unlock the volume. Also, defragmenting a Truecrypt file volume stored on a journaled filesystem can cause unencrypted data to end up outside of the volume.
b) Is it a bad idea to format the Truecrypt file volume itself as ZFS? So I would have a ZFS filesystem inside the Truecrypt volume and ZFS for the filesystem hosting the Truecrypt volume.
c) This works cross platform. I have been able to interact just fine with Truecrypt file volumes that I have formatted with ZEVO. This is possible with the new "ZFS on Linux" implementation that the Energy Department wisely invested in at Lawrence Livermore National Laboratory. Environment: Ubuntu under VMware. The magic to make this work easily was a tool called kpartx. I can explain further if anyone is interested.
3. Truecrypt file volume, internally controlled by ZEVO, stored on an exFAT filesystem (or non-journaled HFS, or...).
a) This attempts to avoid the potential security problems of accessing Truecrypt file volumes stored on a journaled filesystem.
b) How much does this compromise ZEVO's ability to maintain data integrity? (ZEVO "add" and "attach" both work fine between two Truecrypt volumes.)
c) How much does this compromise ZEVO's ability to withstand hardware interruptions/failures?
4. VDI file, containing a ZEVO filesystem (as in #2) or containing an ExFat filesystem (as in #3), with a Truecrypt file volume stored on that filesystem. Internally the Truecrypt volume itself could be ZFS or ExFat. The VDI file itself could be on a ZEVO filesystem or not.
a) This may seem complicated, but it is actually easy to mount a VDI file (fixed size only) on OS X. hdid works wonders.
https://web.ivy.net/carton/rant/virtual ... iutil.html
b) And of course the VDI file can be attached to a VirtualBox virtual machine (or converted to a vmdk and attached to a VMware virtual machine).
c) Under both OS X and Ubuntu I have successfully interacted with a ZEVO filesystem inside a Truecrypt file volume, itself stored in the ZEVO filesystem (or ExFat filesystem) of the VDI file, itself on the Mac's HFS+ filesystem.
5. Give up and use ReFS with BitLocker under Windows Server 2012.
6. Give up and use Oracle Solaris 11 with native ZFS encryption.
7. Give up and use FreeBSD with geli with ZFS.
8. Give up and use BTRFS or "ZFS on Linux" with dm-crypt under Ubuntu.
Of course 5 through 8 would require virtualization or an external server, and would relegate ZEVO to dealing with unencrypted data only.
9. Another solution. Suggestions?
Thank you for ZEVO.