Author: Roy Samson
This blog post is about setting up the Zettabyte File System (ZFS) with two security topics in the configuration in mind:
- Setup a ZFS pool with RAID-1 configuration to prevent data loss when one of the two physical disks fail (Availability);
- Setup an encrypted ZFS dataset on the ZFS pool to protect against unauthorized access (Confidentiality).
To understand the commands used in this blog first some context about the hierarchy of storage levels within ZFS, which should help to better understand what the commands are actually doing:
- Physical harddisks;
- Pool, this is the level on which RAID (Redundant Array of Independent Disks) configuration is defined and the encryption feature for that dataset needs to be enabled. The ‘zpool’ command is used for managing the pool;
- Dataset, a dataset can be a file system or a volume (zvol/ virtual block device). There are options, an unencrypted or an encrypted ZFS dataset. A file system dataset is used for storing files and a volume dataset is used for storing virtual machines and/ or containers. The ‘zfs’ command is used for managing the datasets;
- Files and folders, the file system as available to end users for storing files and folders.
1) Create a RAID-1 pool:
#zpool create -f -o ashift=12 zpool mirror sda sdb -m /zpool
2) Enable the encryption feature for the pool:
#zpool set feature@encryption=enabled
3)Create an unencrypted ZFS dataset/ filesystem
#zfs create zpool/data
4) Create an encrypted ZFS dataset/ filesystem
#zfs create -o encryption=on -o keyformat=passphrase zpool/edata
5) Mounting the unencrypted ZFS dataset/ file system
#zfs mount zpool/data
6) Mounting the encrypted ZFS dataset/ file system
A) Load keys:
#zfs load-key zpool/edata
B) Mount:
#zfs mount zpool/edata
Other useful commands:
– List all datasets on your system:
#zfs list
– List basic info of a specific dataset on your system (-r is optional for including child datasets in the output)
#zfs list -r zpool/data
– Show set properties of a specific dataset:
#zfs get all zpool/data
– Set properties of a specific dataset:
#zfs set sharenfs=on zpool/data
Useful command in relationship with using ZFS in combination with Proxmox:
– Create unencrypted ZFS volume dataset for storing virtual machines and/ or containers (volumes (zvol)/ virtual block device):
#zfs create zpool/data/proxmox
#pvesm add zfspool -pool zpool/data/proxmox
– Create an encrypted ZFS volume dataset for storing virtual machines and/ or containers (volumes (zvol)/ virtual block device):
#zfs create -o encryption=on -o keyformat=passphrase zpool/edata/eproxmox
#pvesm add zfspool encrypted_zfs -pool zpool/edata/eproxmox
– In case in Proxmox you use /zpool/data/proxmox as storage location for volume datasets and as directory for storing templates. Then for the directory configuration you should change the mkdir parameter to 0. This to prevents failing of booting the datasets, because Proxmox tries to create directories before ZFS file system dataset is loaded otherwhise.
# nano /etc/pve/storage.cfg
Alternative: #pvesm set <STORAGE> –mkdir 0
* <STORAGE> should be replaced with the storage ID you used for the directory
Add SSD cache and log device to the ZFS pool:
– Partition the SSD:
#gdisk /dev/sda
Option ‘O create a new empty GUID partition table’
Choose Option 8300 Linux filesystem
– Add cache and log device to existing pool, zpool in this example:
#zpool add -f zpool log /dev/sda1 cache /dev/sda2