napp-it SE Solaris/Illumos Edition
  • free to use without support
  • commercial use allowed
  • no storage limit
  • free download for end users

napp-it cs client server
  • noncommercial home use

napp-it SE und cs
  • Individual support and consulting
  • Bugfix/updates to newest releases and bugfixes
  • Redistribution/Bundling/Installation on demand allowed
Request a quote.
Details: Featuresheet.pdf

Encryption Pools Poef

(Pools on lofi-encrypted files or devices work on any Solaris-based system such as Illumian, OmniOS, OpenIndiana or Solaris 11)

  • GUI management of ZFS Folders on AES 256 encrypted files or on encrypted devices
    - Create encrypted folders
    - Lock encrypted folders
    - Unlock encrypted folders
  • based on AES 256 encrypted files or on a ZFS pool or mounted UFS disk
  • Basic Pools from one large file
  • ZFS Z2 Pools from multiple small files. You can back up these encrypted pools/files to any disk or cloud provider with ZFS-Z2 data security
  • Encrypted disks are handled like unencrypted disks. You must unlock them after bootup. After unlocking they can be used like regular disks.


How to setup

  • Encrypted pool management is part of napp-it Pro (with home or commercial keys)


Howto create encrypted pools on encrypted files

  • Create a regular dataset, for example tank/secrets
  • Create a new encrypted pool on this dataset with menu: pools - encrypted pools extension - create pool oef
      - use small devices (example 2 GB) and Raid-Z2 if you want to back up your pools to external disks
      - use one large basic pool if you just want to provide encrypted pools
  • Use menu: pools - encrypted pools extension - disconnect pool oef to lock/disconnect a pool (or shut down)
  • Use menu: pools - encrypted pools extension - connect pool oef to reconnect a pool (after lock or power-on)



Howto back up encrypted pools (file-based)

  • If your encrypted pool is offline/disconnected: back up the folder with the encrypted files
  • If your pool is online/in use: take a snap and back up the files from the snap (Windows: previous version)
  • If you have built a pool from several files, for example as a Raid-Z2, you can back up the encrypted files containing your pool with ZFS Z2 data security.



GUI management of pools built on encrypted files is included in napp-it Pro.
If you want to encrypt your pools with napp-it free, you can do it via the CLI or a shell script:


1. Create a 10G file in /tank/secrets (a ZFS dataset)
cd /tank/secrets
mkfile 10g file1

2. Create encrypted block devices from the file(s); this creates a device /dev/lofi/1
lofiadm -c aes-256-cbc -a /tank/secrets/file1
Enter passphrase: ..

- Repeat for all disks if you want to build a pool from several disks for redundancy
(important if you want to back up these files on a non-ZFS file system)


3. Create a regular (ex. basic) ZFS pool from this or these (encrypted) device(s)
zpool create secretpool /dev/lofi/1

The newly created pool works like any ZFS pool.

4. To take the pool offline, you must export it and remove the devices:

zpool export secretpool
lofiadm -d /tank/secrets/file1

5. To take the pool online, you must build the devices from the files again using the same passphrase and import the pool
lofiadm -c aes-256-cbc -a /tank/secrets/file1
Enter passphrase: ..

If you use the wrong passphrase, everything seems OK but there are no files...

6. Now you can import your pool from these devices. This command shows all available pools:
zpool import -d /dev/lofi

To import the pool, you must use:
zpool import -d /dev/lofi/ secretpool

Disadvantage
The only disadvantage may be somewhat lower performance (data goes through ZFS twice, plus encryption).

Advantage
It is very elegant, easy to implement and simply based on one or more encrypted files.
If you want to back them up, you can just copy them. With small files it's not a problem, even on FAT disks
with a max file limit of 2 GB. If you have built redundant ZFS pools from several files (e.g. Raid-Z2), it's not even
a problem if two files get damaged for whatever reason on your backup disk (encrypted backup with full ZFS data security).

more:
http://constantin.glez.de/blog/2012/02/introducing-sparse-encrypted-zfs-pools
http://www.cuddletech.com/blog/pivot/entry.php?id=1029
https://blogs.oracle.com/yakshaving/entry/encrypted_fs_on_solaris_10
http://www.idevelopment.info/data/Oracle/DBA_tips/Automatic_Storage_Management/ASM_21.shtml



napp-it 14.10.2024