How do I encrypt a ZFS pool?


Preface: I used to run TrueNAS (SCALE), which is where I originally created the tank pool.

On Ubuntu Server I tried to assign/change the key of the newly created pool, but I got the error Key change error: Dataset not encrypted.

user@homeserver:~$ sudo zfs change-key -o keylocation=file:///path/to/zpool.key -o keyformat=raw flash
Key change error: Dataset not encrypted.

user@homeserver:~$ zfs get encryption tank 
NAME  PROPERTY    VALUE        SOURCE
tank  encryption  aes-256-gcm  -

user@homeserver:~$ zfs get encryption flash
NAME   PROPERTY    VALUE        SOURCE
flash  encryption  off          default

This is the command I used to create the pool:

sudo zpool create -o failmode=continue -o autoexpand=on -o autotrim=on -o feature@async_destroy=enabled -o feature@empty_bpobj=enabled -o feature@lz4_compress=enabled -o feature@multi_vdev_crash_dump=enabled -o feature@spacemap_histogram=enabled -o feature@enabled_txg=enabled -o feature@hole_birth=enabled -o feature@extensible_dataset=enabled -o feature@embedded_data=enabled -o feature@bookmarks=enabled -o feature@filesystem_limits=enabled -o feature@large_blocks=enabled -o feature@large_dnode=enabled -o feature@sha512=enabled -o feature@skein=enabled -o feature@edonr=enabled -o feature@userobj_accounting=enabled -o feature@encryption=enabled -o feature@project_quota=enabled -o feature@device_removal=enabled -o feature@obsolete_counts=enabled -o feature@zpool_checkpoint=enabled -o feature@spacemap_v2=enabled -o feature@allocation_classes=enabled -o feature@resilver_defer=enabled -o feature@bookmark_v2=enabled -o feature@redaction_bookmarks=enabled -o feature@redacted_datasets=enabled -o feature@bookmark_written=enabled -o feature@log_spacemap=enabled -o feature@livelist=enabled -o feature@device_rebuild=enabled -o feature@zstd_compress=enabled -o feature@draid=enabled flash mirror /dev/disk/by-partuuid/XXX /dev/disk/by-partuuid/XXX

What am I doing wrong, and how do I encrypt flash the same way tank is encrypted?

Answer 1

Native ZFS encryption does not encrypt pools; it only encrypts filesystems. Furthermore, encryption for each filesystem must be set when that filesystem is created. For a pool's root filesystem, that means the root filesystem's encryption must be set when the pool is created.

So, to create a new pool with an encrypted root filesystem in a way similar to your existing pool, first destroy the new pool:

# zpool destroy flash

Then re-create the pool, merging your zpool create command from above with these additional options. Note the use of the capital -O:

# zpool create \
    (your options from above) \
    -O encryption=on \
    -O keyformat=(whatever) \
    -O keylocation=(whatever) \
    flash \
    mirror /dev/gpt/diskA-serial-num /dev/gpt/diskB-serial-num

Finally, verify it:

# zfs get encryption,keyformat,keylocation flash
NAME   PROPERTY     VALUE        SOURCE
flash  encryption   aes-256-gcm  -
flash  keyformat    (whatever)   -
flash  keylocation  (whatever)   local
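The procedure from the answer as a runnable script. This is an added example, not code from the original post or from OpenZFS: it generates a raw key file with safe permissions, creates the pool with the dataset-level (-O) encryption properties, and checks the resulting properties so that the "feature enabled but dataset still off" state from the question is caught. The pool name flash, the key path /etc/zfs/keys/flash.key and the /dev/disk/by-partuuid/XXX placeholders are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. It shows the procedure the
# answer describes: a raw key file, a pool created with dataset-level (-O)
# encryption properties, and a check of the resulting properties.
# Assumed values: pool name "flash", key path /etc/zfs/keys/flash.key and the
# /dev/disk/by-partuuid/... placeholders; none of them come from the question.

POOL="flash"
KEYFILE="/etc/zfs/keys/${POOL}.key"

# keyformat=raw expects exactly 32 bytes of key material. Create it under a
# restrictive umask so it is never group/world-readable, even briefly.
make_raw_key() {
    key="$1"
    mkdir -p "$(dirname "$key")"
    ( umask 077; head -c 32 /dev/urandom > "$key" )
    chmod 0600 "$key"
}

# Sanity checks on the key file: exactly 32 bytes and no group/other
# permission bits (columns 5-10 of `ls -l` output).
check_key_file() {
    key="$1"
    [ -f "$key" ] || return 1
    [ "$(wc -c < "$key" | tr -d ' ')" -eq 32 ] || return 1
    [ "$(ls -ld "$key" | cut -c5-10)" = "------" ] || return 1
}

# Pool-level settings take -o; dataset-level settings take -O. encryption,
# keyformat and keylocation are dataset properties, so they need -O.
# -o feature@encryption=enabled only switches the pool feature on; by itself
# it encrypts nothing, which is exactly the state shown in the question.
create_encrypted_pool() {
    pool="$1"; key="$2"; shift 2
    zpool create \
        -o autotrim=on \
        -o feature@encryption=enabled \
        -O encryption=aes-256-gcm \
        -O keyformat=raw \
        -O keylocation="file://${key}" \
        "$pool" "$@"
}

# Read the tab-separated output of
#   zfs get -H -o property,value encryption,keyformat,keylocation <dataset>
# on stdin; succeed only if all three properties are present and the dataset
# is really encrypted with a configured key source.
verify_encryption() {
    tab="$(printf '\t')"
    seen=0
    while IFS="$tab" read -r prop value; do
        case "$prop" in
            encryption)  [ "$value" != "off" ]  || return 1; seen=$((seen + 1)) ;;
            keyformat)   [ "$value" != "none" ] || return 1; seen=$((seen + 1)) ;;
            keylocation) [ "$value" != "none" ] || return 1; seen=$((seen + 1)) ;;
        esac
    done
    [ "$seen" -eq 3 ]
}

# Full procedure (run as root on a host with ZFS). Left commented out so the
# file can be sourced for its functions without touching any disks.
# make_raw_key "$KEYFILE"
# check_key_file "$KEYFILE" || exit 1
# create_encrypted_pool "$POOL" "$KEYFILE" mirror \
#     /dev/disk/by-partuuid/XXX /dev/disk/by-partuuid/XXX
# zfs get -H -o property,value encryption,keyformat,keylocation "$POOL" | verify_encryption
```

After the pool exists, the key file has to be available whenever the pool is imported (for example via `zfs load-key -a` before mounting), so keep it on the root filesystem rather than on the pool it unlocks; the long `-o feature@...` list from the question can be merged into `create_encrypted_pool` unchanged, since only the `-O` lines determine whether the root dataset is encrypted.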
