Encrypted ZFS Backups


#1 lattera



Posted 28 April 2010 - 08:41 PM

One of OpenSolaris's heralding features is a next-gen filesystem called ZFS. Managing ZFS backups could not be easier. All you need to run is zfs snapshot tank/dataset@backup. If you want to replicate or store that snapshot on another machine, you can run zfs send tank/dataset@backup > backup.zfs.

I'll be demoing how to use GPG2 to encrypt ZFS backups created with zfs send. Here are the commands I used to do it:

root@shawn-desktop:~# chmod A+user:shawn:full_set:fd:allow /datumz/
root@shawn-desktop:~# logout
shawn@shawn-desktop:~$ zfs create datumz/demo
shawn@shawn-desktop:~$ echo "this is a test" > /datumz/demo/testfile
shawn@shawn-desktop:~$ zfs snapshot datumz/demo@backup
shawn@shawn-desktop:~$ zfs send datumz/demo@backup | gpg2 -e -r "Shawn Webb" -o datumz_demo\@backup.zfs.gpg
Warning: using insecure memory!
shawn@shawn-desktop:~$ zfs destroy -r datumz/demo
shawn@shawn-desktop:~$ gpg2 -d datumz_demo\@backup.zfs.gpg | zfs recv datumz/demo
Warning: using insecure memory!
You need a passphrase to unlock the secret key for
user: "Shawn Webb "
4096-bit RSA key, ID F751C7BB, created 2010-04-27 (main key ID 5B242D25)
can't connect to `/home/shawn/.gnupg/S.gpg-agent': No such file or directory
Warning: using insecure memory!
gpg: encrypted with 4096-bit RSA key, ID F751C7BB, created 2010-04-27
"Shawn Webb "
shawn@shawn-desktop:~$ ls /datumz/demo/

So you can see how easy it is to manage and create snapshots and backups of ZFS datasets. I love that the backup files are never stored in plaintext. They're stored encrypted.

Originally posted on my tech blog
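
A shell pipeline such as zfs send | gpg2 reports only gpg2's exit status, and the session above destroys the dataset before the encrypted file has been test-decrypted. The following is an added example, not part of the original post, that wraps both steps with those checks; the function names, the temp-file suffixes and the ZFS/GPG override variables are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). ZFS and GPG can be overridden,
# e.g. with stubs, so the control flow can be exercised without a real pool.
ZFS=${ZFS:-zfs}
GPG=${GPG:-gpg2}

# encrypted_send SNAPSHOT RECIPIENT OUTFILE
# OUTFILE appears only if both `zfs send` and gpg succeeded.
encrypted_send() (
    snap=$1; rcpt=$2; out=$3
    tmp="$out.partial"; ok="$out.sent-ok"   # hypothetical temp-file names
    umask 077                               # owner-only access to the output
    rm -f "$tmp" "$ok"
    # A pipeline's exit status is that of its last command (gpg), so a failed
    # `zfs send` would go unnoticed; the marker file records its success.
    if { "$ZFS" send "$snap" && : > "$ok"; } |
           "$GPG" --batch -e -r "$rcpt" -o "$tmp" &&
       [ -e "$ok" ] && [ -s "$tmp" ]; then
        rm -f "$ok"
        mv "$tmp" "$out"                    # publish only a complete file
    else
        rm -f "$ok" "$tmp"
        exit 1
    fi
)

# destroy_after_verify DATASET BACKUPFILE
# Runs `zfs destroy -r` only after the whole backup decrypts without error,
# which also proves the secret key and passphrase are still available.
destroy_after_verify() (
    ds=$1; file=$2
    [ -s "$file" ] || exit 1
    "$GPG" -d "$file" > /dev/null || exit 1
    "$ZFS" destroy -r "$ds"
)

# Usage with the names from the post:
#   encrypted_send datumz/demo@backup "Shawn Webb" datumz_demo@backup.zfs.gpg &&
#   destroy_after_verify datumz/demo datumz_demo@backup.zfs.gpg
```

With --batch, gpg2 fails instead of prompting if the recipient key is not trusted, so an unattended run cannot hang on a question.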
