Editing Encryption
Latest revision | Your text | ||
Line 1: | Line 1: | ||
+ | == Core Storage encryption == | ||
− | + | Although upstream OpenZFS has a "project" to work on [http://open-zfs.org/wiki/Projects#Platform_agnostic_encryption_support platform-agnostic encryption support] at the ZFS dataset level, we have an obvious solution to block-level encryption already at hand: AES-XTS (Core Storage/FileVault 2). | |
This is the OS X analogue of the following block-level encryption systems on other operating systems that support ZFS: | This is the OS X analogue of the following block-level encryption systems on other operating systems that support ZFS: | ||
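Review bot: The new intro paragraph under "== Core Storage encryption ==" calls AES-XTS via Core Storage an "obvious solution to block-level encryption" but never says what that covers; since it is contrasted with the linked OpenZFS dataset-level project, spell out that Core Storage encrypts the entire logical volume beneath the pool rather than individual datasets, so readers do not expect per-dataset keys from this setup. A short sentence on which at-rest threat this addresses (a powered-off or locked disk) would also make the "analogue" comparison in the next line meaningful.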
Line 40: | Line 13: | ||
=== Caveats === | === Caveats === | ||
− | + | As noted in the article [[suppressing the annoying pop-up]], you will receive a pop-up claiming the disk isn't readable by this computer. | |
+ | This is a well documented problem, see the article above. It does however lead to one step that can be confusing: when unlocking the disk (e.g. on startup), the "bug" will make OS X believe the disk wasn't unlocked, and thus "wiggle," presenting the prompt again. | ||
− | + | Take it on faith that once you've unlocked the disk, you can safely close the dialog box (with "Cancel"). You can verify this with your pool's availability. | |
=== Steps === | === Steps === | ||
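Review bot: "Take it on faith" in the Caveats hunk undersells a check the same lines already name: the text says the pool's availability verifies the unlock, so lead with that and show the command (`# zpool list` is used later on this page) so readers confirm the pool is ONLINE before dismissing the "disk isn't readable" dialog with "Cancel". It is also worth stating plainly that "Cancel" is the only option to pick in that dialog, since the pop-up is the one the linked [[suppressing the annoying pop-up]] article warns about.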
Line 75: | Line 49: | ||
Finished CoreStorage operation on disk1s2 Internal HD | Finished CoreStorage operation on disk1s2 Internal HD | ||
− | Note that we converted the existing unencrypted HFS | + | Note that we converted the existing unencrypted HFS partition. |
Next, we encrypt the logical volume, our Core Storage disk, disk2: | Next, we encrypt the logical volume, our Core Storage disk, disk2: | ||
− | |||
− | |||
# diskutil coreStorage encryptVolume /dev/disk2 | # diskutil coreStorage encryptVolume /dev/disk2 | ||
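Review bot: The encryptVolume step never says how the passphrase is supplied; the command line `# diskutil coreStorage encryptVolume /dev/disk2` carries none, and the later hunk only mentions being "prompted for the passphrase by OS X" after a restart. State how it is entered and advise against placing it on the command line, where it would be recorded in shell history. The reworded sentence ("we converted the existing unencrypted HFS partition") should also mention that the volume is converted in place with its data, which is why the following hunk says the operation "can and will take a while".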
Line 93: | Line 65: | ||
This can and will take a while to complete. You can check the status by issuing: | This can and will take a while to complete. You can check the status by issuing: | ||
− | # diskutil coreStorage list | grep Conversion | + | # diskutil coreStorage list | grep "Conversion Progress" |
Until it's done: | Until it's done: | ||
− | |||
Conversion Progress: -none- | Conversion Progress: -none- | ||
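Review bot: Quoting "Conversion Progress" in the grep is fine, but the hunk then shows `Conversion Progress: -none-` directly under "Until it's done:", which reads as if -none- is the in-progress value. Say explicitly what the line shows while encryption is still running and what it shows once it has finished, so readers do not unmount the volume and hand it to ZFS while the conversion is still under way.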
Line 117: | Line 88: | ||
0: Apple_HFS *999.5 GB disk2 | 0: Apple_HFS *999.5 GB disk2 | ||
− | disk2 being our encrypted, unlocked HFS | + | disk2 being our encrypted, unlocked HFS device. If you have yet to be prompted for the passphrase by OS X, now would be a good time to restart your Mac and try it out. |
Lastly, we'll prepare the volume for ZFS, by unmounting /dev/disk2: | Lastly, we'll prepare the volume for ZFS, by unmounting /dev/disk2: | ||
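Review bot: The new sentence tells readers to restart and "try it out" if they have not yet seen the passphrase prompt, but gives no way to confirm the result other than the prompt appearing. Add the expected check: after the reboot, `diskutil coreStorage list` (already used above for the conversion status) should show disk2 as the encrypted, unlocked volume, and only then continue with the unmount and pool creation. "If you have yet to be prompted" is also awkward; "If OS X has not yet prompted you for the passphrase" reads better.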
Line 126: | Line 97: | ||
# diskutil unmount "/Volumes/Internal HD" | # diskutil unmount "/Volumes/Internal HD" | ||
− | You can now | + | You can now proceed with [[Zpool#Creating_a_pool]] or standard ZFS manuals. |
− | + | === For illustration purpose === | |
# zpool list | # zpool list | ||
no pools available | no pools available | ||
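Review bot: The heading "=== For illustration purpose ===" should read "For illustration purposes", and the section opens with `# zpool list` / `no pools available` without saying what is being illustrated; a one-line lead-in ("before the pool is created" here, "after" for the listing in the next hunk) would make the two listings read as a before/after pair. The completed sentence "You can now proceed with [[Zpool#Creating_a_pool]] or standard ZFS manuals" is fine, though "standard ZFS manuals" could name or link one.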
Line 134: | Line 105: | ||
# zpool list | # zpool list | ||
ZFS_VOLUME 928G 20.8G 907G 2% 1.00x ONLINE - | ZFS_VOLUME 928G 20.8G 907G 2% 1.00x ONLINE - | ||
− | |||
− | |||
− | === Reason | + | |
+ | === Reason for "use latest" === | ||
+ | This commit is potentially vital: | ||
+ | e795742 ilovezfs: Make the check for Core Storage LV more forgiving. | ||
+ | |||
<syntaxhighlight lang="text"> | <syntaxhighlight lang="text"> | ||
<ilovezfs> If you want encryption you have a few options | <ilovezfs> If you want encryption you have a few options | ||
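Review bot: "This commit is potentially vital" in the new "Reason for "use latest"" section names `e795742` but neither the repository nor the release that first ships it; link the commit (the page already refers to github.com/openzfsonosx/zfs) and state the minimum version, otherwise readers cannot tell whether their installer already has the more forgiving Core Storage LV check that the quoted chat explains. The `zpool list` output above it is also shown without its header row, so the columns of `ZFS_VOLUME 928G 20.8G 907G 2% 1.00x ONLINE -` are unlabeled; include the header or say it was trimmed.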
Line 171: | Line 144: | ||
<ilovezfs> The reason not to use the installer version, is that it will attempt to | <ilovezfs> The reason not to use the installer version, is that it will attempt to | ||
partition the Core Storage Logical Volume. | partition the Core Storage Logical Volume. | ||
− | <ilovezfs> But since 10.8.5 and after, Apple doesn't like that | + | <ilovezfs> But since 10.8.5 and after, Apple doesn't like that. |
− | <ilovezfs> | + | <ilovezfs> So we added new code to detect Core Storage and not partition if it sees it's |
Core Storage. | Core Storage. | ||
</syntaxhighlight> | </syntaxhighlight> | ||
+ | |||
+ | === Time Machine backups === | ||
+ | As a follow-up, here's one approach to using ZFS for your Time Machine Backups: | ||
+ | |||
+ | While it has been discussed in heated arguments, e.g. https://github.com/openzfsonosx/zfs/issues/66, I still believe there's at least one ZFS feature I'd like to test with Time Machine: compression. | ||
+ | |||
+ | The hypothesis being: | ||
+ | an HFS+ sparsebundle stored on a compressed (gzip, lz4), deduped dataset should | ||
+ | yield a compression ratio > 1.0. | ||
+ | (previously observed 1.4 with compression=on, dedup=off, FreeBSD network Time Machine drives). | ||
+ | |||
+ | To work around compatible disks for Time Machine, we create an HFS+ bundle, store it on ZFS and set the mounted image as a backup destination, no "TMShowUnsupportedNetworkVolumes" needed. | ||
+ | |||
+ | 1. Create, and mount, a sparse bundle from your zfs filesystem, e.g. with makeImage.sh | ||
+ | |||
+ | 2. Set your sparse bundle as the (active) backup destination # tmutil setdestination -a /Volumes/Time\ Machine\ Backups |
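Review bot: Step 2 of the Time Machine section has the command fused onto the text line ("...backup destination # tmutil setdestination -a ..."); put `# tmutil setdestination -a /Volumes/Time\ Machine\ Backups` on its own line like the other commands on the page. Step 1 refers to makeImage.sh without a link or its contents, so the reader cannot create the sparse bundle as described. The hypothesis also pairs compression with a "deduped dataset" while the only observed figure (1.4) was taken with dedup=off; either drop dedup from the hypothesis or mark it as untested so the expected ratio is not attributed to it.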