This means that the zpool itself is providing redundancy and data recovery in the event of corruption, but I've lost access to some nice features like compression and de-duplication (since the encryption would make them pointless).
Now I know the recommendation is to encrypt the underlying devices first, then create the zpool from the unlocked devices afterwards, but I didn't really want to do this as it would double the number of devices (one for each physical disk, plus one for each unlocked core storage device) and I'm not sure how much benefit I would have gotten from compression and de-duplication anyway.
But it got me thinking about a nested setup, and whether that would be a possible alternative. The idea is fairly simple; first I would create a zpool of all my physical devices, make a zvol and encrypt it with Core Storage (or dcrypt or whatever). But could I then use the unlocked device in another zpool to implement the other features I want?
For example, the setup might look something like:
* zpool tank (5tb)
* zvol tank/encrypted (~5tb)
* Core Storage volume Encrypted Disk (~5tb)
* zpool mypool (~5tb)
There may be some advantages to this method too. Firstly, since tank will hold unrecognisable encrypted data then it could use a bigger block size to reduce overhead for the extra checksums (and reduce the amount of checksumming performed), and it also makes sense to add cache devices to this pool, since the data held in them would be encrypted at this stage, so no chance of a cache device exposing anything (or having to add encryption to them first).
Meanwhile, mypool can enable all the nice bonus features like compression and de-duplication while receiving the full benefits, and can focus on caching metadata only (such as the de-duplication table), with a different block-size optimised for the actual data being stored.
Obviously the ideal solution would be to wait until OpenZFS supports ZFS encryption, but there's no ETA on that (not sure if anyone's working on it?). I am a programmer, and I do have some experience with cryptography (including implementing AES on some difficult platforms where it wasn't supported) but I don't do a lot of low-level stuff, so a file-system/volume manager is a bit out of my comfort zone; I may give it a look if I get a chance though.
Anyway, I just wanted to know if anyone's experimented with anything like this before? Also, when using multiple zpools, is the RAM allocation for ARC shared, or does each pool get its own allocation? The main problem with what I'm thinking would be if they are separate, as I'd then have to figure out how to split RAM for best results.
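
An added illustration, not part of the original post: it measures why compression and de-duplication only pay off in the pool above the encryption layer (`mypool`) and not in the pool holding ciphertext (`tank`). The sector-tweaked SHA-256 keystream is a stand-in for a disk cipher, not Core Storage's actual algorithm, and the block size, key and sample data are constructed assumptions.

```python
import hashlib
import zlib

BLOCK = 4096  # assumed block size for this illustration


def keystream(key: bytes, sector: int, length: int) -> bytes:
    """Stand-in cipher: SHA-256 in counter mode, tweaked by sector number."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(
            key + sector.to_bytes(8, "little") + counter.to_bytes(8, "little")
        ).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_blocks(key: bytes, blocks: list) -> list:
    """XOR each block with a keystream unique to its position (sector)."""
    return [
        bytes(p ^ k for p, k in zip(block, keystream(key, sector, len(block))))
        for sector, block in enumerate(blocks)
    ]


def compression_ratio(blocks: list) -> float:
    """Raw size divided by zlib-compressed size (1.0 means no gain)."""
    raw = b"".join(blocks)
    return len(raw) / len(zlib.compress(raw, 6))


def dedup_ratio(blocks: list) -> float:
    """Total blocks divided by unique blocks, as a block-level dedup table sees them."""
    return len(blocks) / len({hashlib.sha256(b).digest() for b in blocks})


def sample_blocks() -> list:
    """Constructed data: two distinct, repetitive blocks written several times."""
    a = (b"log line: user=alice action=read status=ok\n" * 100)[:BLOCK]
    b = (b"config: compression=lz4 dedup=on\n" * 130)[:BLOCK]
    return [a, b, a, a, b, a, b, b]


if __name__ == "__main__":
    plain = sample_blocks()
    cipher = encrypt_blocks(b"constructed-demo-key", plain)
    for name, blocks in (("above encryption", plain), ("below encryption", cipher)):
        print(f"{name}: compression x{compression_ratio(blocks):.2f}, "
              f"dedup x{dedup_ratio(blocks):.2f}")
```
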