3 Disk ZFS Mirror with 1 Disk Rotated Offsite

[Debounce]

Hi All,

I wanted to run my backup idea through you guys who have been doing this for a while. I have a 3 disk single zfs pool with all 3 disks in mirror configuration. The disks will be using zfs native dataset encryption.

I would like to take 1 of the disks “offline” (using the offline command) and store it offsite for a few months to provide redundancy against physical damage to the server. The offsite disk will be reintroduced to the pool months later and “onlined” into the pool. The disk should resilver when I do this. I would then take one of the two drives which have been running on the server offline and offsite and repeat this process to maintain offsite redundancy.

What are your thoughts on using this method? I understand I can take a snapshot and send it to a drive outside the pool but I would like to rotate through all 3 drives not just keep backups on one drive solely. ZFS sending to an external server is not an option. I also understand connector wear (from swapping drives) is a factor I will have to take into account with this method.

Say if the server burns down, will the offsite disk that is encrypted and belongs to the pool be able to be brought online on a new computer and data accessed?

Will ZFS complain about the offline drive? I would like to monitor the health of the remaining 2 disks in case one of them fails. I supposed I could ignore the offline drive and just check ZFS status of the remaining two.

Thanks for your feedback.

 

[Arwen]

You want to use the ZFS pool command split as simply off-lining a sub-mirror is less than ideal. The split command supports multiple Mirrored vDevs, though in your simpler case not relevant. This does cause the disk to perform a full re-silver unlike your off-lining method. This should also cover the case of bringing the 3rd disk on-line as it's own encrypted pool or datasets.

Another option is to have 4 disks. So you always have at least 1 disk offsite. You rotate through all 4, bringing back the oldest from offsite to update. That makes a better backup because if something happens during the 3 way mirror, (lightning strike, etc...), you still have your most recent 1 disk off site as a real backup.

On the subject of encryption, make SURE you have the passphrase and or keys stored in a way that is usable. We have seen a few people create their own (unrecoverable) ransomware pools because of this.

 

[rvassar]

@Arwen has covered most of it. All I have to add is... What you're referring to is a "broken mirror backup". Yes they can be made to work, and they can save you from disaster. But I would offer they kind of belong to history at this point. In the ZFS world they're simply not necessary. Drop your third drive in a hot swap cage, create a pool on it. Set up a ZFS replication task, and let "zfs send" work it's magic. Since it's only for backup, and faults can be managed, you can even use a USB enclosure to manage your connector wear. You can easily implement the suggested 4th drive to the rotation as well, and script up steps to quiesce databases, so you get a consistent snapshot, etc... Added bonus, the pools can have different encryption status & passwords, so compromise of one does not compromise the other.

 

[Debounce]

Thanks @Arwen and @rvassar for your replies. They were very helpful. I looked into using the ZFS split command and I can now see it is what I need to do for my application. Also, good point on the 4th drive. The reason for the rotation is that for this application the drives need to be rotated to keep wear even (it's a concern). So having one drive solely for backup is not preferred vs rotating between all of them as a broken mirror.

Much thanks!