SOLVED System dataset on sliced HDDs or in an encrypted pool - what is less dangerous?

What to do with the system dataset in case of encryption?

  • Keep it together with/in the encrypted pool

    Votes: 0 0.0%
  • Slice the HDDs and do not encrypt the system dataset

    Votes: 0 0.0%
  • Place it on boot pendrives/SD cards

    Votes: 0 0.0%
  • Go LUKS + ZoL and OMV

    Votes: 0 0.0%

  • Total voters
    0
Status
Not open for further replies.

pro lamer

Guru
Joined
Feb 16, 2018
Messages
626
Hi!

I am planning to have a mirror of 6TB HDDs for user data plus a pre-backup pool plus two spare SATA ports for external disks backup. I am planning to encrypt my data. Boot planned: mirrored pendrives/sd cards.

I've read a bit about risk related to encrypting and I am not very happy :/

Would I gain any way if my system dataset would be not encrypted (but instead having the HDDs sliced) in case of the encrypted pool failure? (comparing to having the system dataset together with the encrypted data and no slicing - EDIT: oops, I've learned it might not be possible - I'll read more to check if I can learn it by myself)

In other words: I am considering an alternative, also not recommended, solution (alternative to storing the system dataset together with the rest of the encrypted data, if it's still possible in current FreeNAS version) :
create a pool using partitions, then import it in the GUI. I'm hesitant to give more detail, because that might imply I think this a good idea.
slice both the HDDs into two slices each and dedicate the smaller slices pair to a pool holding only/mainly the system dataset and the bigger slices pair to an encrypted storage pool...

Which of them is less problematic/dangerous/risky/troublesome...?

I am assuming I need the system dataset somewhere else than the boot pendrives to avoid quick wear...
And I prefer not to have more HDDs yet/so far/for now - until my data needs grow...
 
Last edited:

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
Well if your pool isn't available your system dataset won't be of much use to you so I'd put it on your pool.

Do you need encryption? Is it a requirement or just something you want to do? I would strongly advise against it unless you a required to have it for some reason (law, company policy).
 

pro lamer

Guru
Joined
Feb 16, 2018
Messages
626
if your pool isn't available your system dataset won't be of much use to you
Could I access the other pools without the system dataset? Pools:
plus a pre-backup pool plus two spare SATA ports for external disks backup
(encrypted as well)

And I guess I may like to view the logs etc stored in the system dataset especially in case of a failure.

Moreover I've just read some part of the manual and I guess the system dataset cannot be moved from the boot pool to any encrypted pool because encrypted pools are not selectable in GUI and I guess the system dataset is initially placed in the boot pool (?) Are these true? A command line workaround would be an option. EDITED: but I guess I wouldn't like it anyway - at best I would need to provide password at each boot I guess. That might not be true. I don't know yet what way it works. Thus I need to do more reading to learn that and what other choices are... Thus marking the thread as SOLVED temporarily, until I learn more
Do you need encryption? Is it a requirement or just something you want to do?
Something I want to do. EDITED, cos seems a candidate for other thread: Long story short: ease of use - less passwords to remember for the users, less backup tools to learn: just all the pros of ZFS replication and snapshots and snapshots replication, no need to deal with additional encryption containers, extracting individual files from them for automatic snapshots or replication (EDIT: I am assuming a veracrypt/truecrypt container cannot be synced incrementally because I think that a single file/block write to an encrypted container might cause lots of changes to the container file thus generating a big snapshot - I might be wrong here because COW is block-based but I still haven't found a direct answer using STFW method... :-( Only found some "it's been already answered" and "it depends but I don't know more" type posts :-/ ).

EDIT: I've just thought I may create a non-encrypted iscsi target, "mount it" in linux in a bhyve VM and encrypt it with LUKS and then share to Windows laptops or jails. But I would loose snapshots feature and performance I guess. I wouldn't loose snapshots in such a crazy setup: (bottom-up)

  1. FreeNAS
  2. Mirror pool
  3. Dataset and a zvol - dataset for not encrypted data and the zvol for:
  4. Zvol as an iSCSI target
  5. Linux in bhyve as initiator
  6. LUKS
  7. (Assuming that a Snapshot aware filesystem cannot be mounted back to FreeNAS) iscsi target again
  8. FreeNAS as an initiator
  9. A pool built in some hack-way on top of that iSCSI volume
  10. That pool exposed to clients and for automatic snapshots and replication
If this crazy scenario worked I would loose performance at least I guess :/ (EDIT: and reliability - I've come across some posts complaining about some problems with VMs over zvols :-( )
 
Last edited:
Status
Not open for further replies.
Top