Using OSX AES-XTS encryption along with ZFS
While work is under way on ZFS 30, we already have an obvious solution for ZFS encryption at hand: AES-XTS (Full Disk Encryption in FileVault2, OS X 10.7+). This is the equivalent of methods on other OSes such as FreeBSD/geli and Linux/LUKS.
The overall procedure is as follows: apply full disk encryption to an existing or fresh HFS+ disk. This creates a logical volume (when unlocked/decrypted), and that logical volume (repeat: the new logical volume) is in turn used to create a ZFS pool.
The initial layout, with disk1 being the external disk (counter-intuitively named "Internal HD") intended as the encrypted ZFS device:
    # diskutil list
    /dev/disk0
       #:                       TYPE NAME                    SIZE       IDENTIFIER
       0:      GUID_partition_scheme                        *160.0 GB   disk0
       1:                        EFI EFI                     209.7 MB   disk0s1
       2:                  Apple_HFS Macintosh HD            159.7 GB   disk0s2
    /dev/disk1
       #:                       TYPE NAME                    SIZE       IDENTIFIER
       0:      GUID_partition_scheme                        *1.0 TB     disk1
       1:                        EFI EFI                     209.7 MB   disk1s1
       2:                  Apple_HFS Internal HD             999.9 GB   disk1s2
We note that disk1s2 is the partition to be encrypted, and we convert it to CoreStorage (think LVM), to enable encryption:
    # diskutil corestorage convert /dev/disk1s2
    Started CoreStorage operation on disk1s2 Internal HD
    Resizing disk to fit Core Storage headers
    Creating Core Storage Logical Volume Group
    Attempting to unmount disk1s2
    Switching disk1s2 to Core Storage
    Waiting for Logical Volume to appear
    Mounting Logical Volume
    Core Storage LVG UUID: 4690972A-484E-42E2-B72D-933A58E41237
    Core Storage PV UUID: 22A1A783-01BA-4ABA-B4A3-2A9146506519
    Core Storage LV UUID: F6D16BFE-B6E9-4A9B-BC03-E5CD03772C44
    Core Storage disk: disk2
    Finished CoreStorage operation on disk1s2 Internal HD
Note that we converted the existing unencrypted HFS partition.
Next, we encrypt the logical volume, our Core Storage disk, disk2:
    # diskutil corestorage encryptVolume /dev/disk2
    New passphrase for existing volume:
    Confirm new passphrase:
    The Core Storage Logical Volume UUID is F6D16BFE-B6E9-4A9B-BC03-E5CD03772C44
    Started CoreStorage operation on disk2 Internal HD
    Scheduling encryption of Core Storage Logical Volume
    Core Storage LV UUID: F6D16BFE-B6E9-4A9B-BC03-E5CD03772C44
    Finished CoreStorage operation on disk2 Internal HD
Note that we used disk2, the logical volume, not disk1s2.
This can and will take a while to complete. You can check the status by issuing:
    # diskutil cs list | grep "Conversion Progress"
Repeat until it is done, at which point the output reads "Conversion Progress: -none-".
Your partition layout should now look like:
    # diskutil list
    /dev/disk0
       #:                       TYPE NAME                    SIZE       IDENTIFIER
       0:      GUID_partition_scheme                        *160.0 GB   disk0
       1:                        EFI EFI                     209.7 MB   disk0s1
       2:                  Apple_HFS Macintosh HD            159.7 GB   disk0s2
    /dev/disk1
       #:                       TYPE NAME                    SIZE       IDENTIFIER
       0:      GUID_partition_scheme                        *1.0 TB     disk1
       1:                        EFI EFI                     209.7 MB   disk1s1
       2:          Apple_CoreStorage                         999.9 GB   disk1s2
       3:                 Apple_Boot Boot OS X               134.2 MB   disk1s3
    /dev/disk2
       #:                       TYPE NAME                    SIZE       IDENTIFIER
       0:                  Apple_HFS                        *999.5 GB   disk2
Here disk2 is our encrypted, unlocked HFS device. If you have yet to be prompted for the passphrase by OS X, now would be a good time to restart your Mac and try it out.
Lastly, we'll prepare the volume for ZFS, by unmounting /dev/disk2:
    # mount
    ...
    /dev/disk2 on /Volumes/Internal HD (hfs, local, journaled)
    # umount "/Volumes/Internal HD"
You can now proceed with Zpool#Creating_a_pool or standard ZFS manuals.
For illustration purposes:
    # zpool list
    no pools available
    # zpool create -f -o ashift=12 ZFS_VOLUME /dev/disk2
    # zpool list
    ZFS_VOLUME 928G 20.8G 907G 2% 1.00x ONLINE -
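The two notes above (use disk2, the logical volume, not disk1s2; wait for "Conversion Progress: -none-") can be checked mechanically before `zpool create`. The following is an added example, not part of the original page or the OpenZFS on OS X project: the function name `cs_preflight`, the field names other than "Conversion Progress", the all-zero family UUID and both abridged listings are assumptions constructed to resemble `diskutil cs list` output.

```sh
#!/bin/sh
# Added example: gate `zpool create` on the state of the Core Storage volume.
# Field names other than "Conversion Progress" are assumed from typical
# `diskutil cs list` output; the listings below are constructed and abridged,
# and the Logical Volume Family UUID is a placeholder.
SAMPLE_CONVERTING='+-- Logical Volume Group 4690972A-484E-42E2-B72D-933A58E41237
    +-< Physical Volume 22A1A783-01BA-4ABA-B4A3-2A9146506519
    |   Disk:     disk1s2
    +-> Logical Volume Family 00000000-0000-0000-0000-000000000000
        Encryption Type:         AES-XTS
        +-> Logical Volume F6D16BFE-B6E9-4A9B-BC03-E5CD03772C44
            Disk:                  disk2
            Conversion Progress:   12%'
SAMPLE_DONE=$(printf '%s\n' "$SAMPLE_CONVERTING" | sed 's/12%$/-none-/')
SAMPLE_PLAIN=$(printf '%s\n' "$SAMPLE_DONE" | sed 's/AES-XTS$/None/')

# cs_preflight LISTING TARGET: print a verdict; return 0 only when TARGET is an
# encrypted logical volume whose background conversion has finished.
cs_preflight() {
    printf '%s\n' "$1" | awk -v t="${2#/dev/}" '
        # Track which section of the tree the current line belongs to.
        /Logical Volume Group/  { sec = "lvg"; next }
        /Physical Volume/       { sec = "pv";  next }
        /Logical Volume Family/ { sec = "lvf"; next }
        /Logical Volume /       { sec = "lv";  next }
        /Encryption Type:/      { etype = $NF }   # applies to LVs of this family
        /Disk:/ && sec == "pv"  { pv[$NF] = 1 }
        /Disk:/ && sec == "lv"  { cur = $NF; enc[cur] = etype; prog[cur] = "?" }
        /Conversion Progress:/ && sec == "lv" { prog[cur] = $NF }
        END {
            if (t in pv) {
                print "REFUSE: " t " is the physical volume, use the logical volume"; exit 2 }
            if (!(t in enc)) {
                print "REFUSE: " t " is not a Core Storage logical volume"; exit 3 }
            if (enc[t] != "AES-XTS") {
                print "REFUSE: " t " is not encrypted (" enc[t] ")"; exit 4 }
            if (prog[t] != "-none-") {
                print "WAIT: " t " conversion at " prog[t]; exit 5 }
            print "OK: " t " is encrypted and fully converted"
        }'
}
# On the Mac itself (not run here):
#   cs_preflight "$(diskutil cs list)" /dev/disk2 && zpool create ...
```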
Reason for "use latest"
This commit is potentially vital: e795742 ilovezfs: Make the check for Core Storage LV more forgiving.
Original IRC chat
[14:07] < ilovezfs_> if you want encryption you have a few options
[14:07] < ilovezfs_> https://github.com/zfsrogue/osx-zfs-crypto
[14:07] < lundman> :)
[14:08] < ilovezfs_> or you can do what cbreak-work said, and use an encrypted sparsebundle
[14:08] < ilovezfs_> (I'd give it its own zfs file system)
[14:08] < ilovezfs_> or you can create a zvol, and put an encrypted CoreStorage/Filevault2 HFS+ file system on it
[14:09] < ilovezfs_> or you can put the pool itself on top of CoreStorage
[14:09] < ilovezfs_> The last option you should not do with the installer version.
[14:10] < ilovezfs_> But wait for the next installer if that's the route you want to go
[14:10] < ilovezfs_> or build from source.
[14:10] < aandy> ah, interesting. does filevault2 require hfs+? not that it'd surprise me
[14:11] < ilovezfs_> no it does not
[14:11] < ilovezfs_> but it is not possible to set other Content Hints
[14:11] < ilovezfs_> so it will always say HFS+ even if you do put ZFS on your logical volumes -
[14:13] < ilovezfs_> aandy: so basically the procedure is to format the volume HFS+
[14:13] *** ottmarklaas [~firstname.lastname@example.org] has quit [Quit: ottmarklaas]
[14:13] < ilovezfs_> aandy: then run 'diskutil corestorage convert' on it
[14:13] < ilovezfs_> then you can encrypt it
[14:14] < ilovezfs_> then you unmount the HFS+
[14:14] < ilovezfs_> and zpool create on the logical volume.
[14:14] < ilovezfs_> And you should be good to go.
[14:14] < aandy> on the original HFS+ partition, right?
[14:14] < ilovezfs_> right
[14:14] < ilovezfs_> but I'd encrypt first
[14:14] < ilovezfs_> then put zfs on
[14:14] < aandy> right. perfect
[14:15] < ilovezfs_> diskutil cs convert...
[14:15] < ilovezfs_> diskutil cs encryptVolume ...
[14:15] < ilovezfs_> etc.
[14:16] < ilovezfs_> The reason not to use the installer version, is that it will attempt to partition the Core Storage Logical Volume.
[14:16] < ilovezfs_> But since 10.8.5 and after, Apple doesn't like that.
[14:16] < ilovezfs_> So we added new code to detect Core Storage and not partition if it sees it's Core Storage.
Time Machine Backups
As a follow-up, here's one approach to using ZFS for your Time Machine Backups:
While it has been discussed in heated arguments, e.g. https://github.com/openzfsonosx/zfs/issues/66, I still believe there's at least one ZFS feature I'd like to test with Time Machine: compression.
The hypothesis being:
An HFS+ sparse bundle stored on a compressed (gzip, lz4), deduped dataset should yield a compression ratio > 1.0 (previously observed: 1.4 with compression=on, dedup=off, on FreeBSD network Time Machine drives).
To work around Time Machine's restriction to compatible disks, we create an HFS+ bundle, store it on ZFS, and set the mounted image as the backup destination; no "TMShowUnsupportedNetworkVolumes" is needed.
1. Create, and mount, a sparse bundle from your zfs filesystem, e.g. with makeImage.sh
2. Set your sparse bundle as the (active) backup destination
    # tmutil setdestination -a /Volumes/Time\ Machine\ Backups