[[advanced:target]]

advanced:target [2018/10/03 00:36] dan
advanced:target [2018/10/03 01:15] dan
Line 50: Line 50:
 <code> <code>
 zpool create -o ashift=12 dozer /dev/disk/by-id/ata-WDC_WD80EMAZ-00M9AA0_VAGA2PLD zpool create -o ashift=12 dozer /dev/disk/by-id/ata-WDC_WD80EMAZ-00M9AA0_VAGA2PLD
 +</code>
 +
 +===== Enable encryption, and create an encrypted dataset =====
 +The idea of this system is to be a standalone storage "brick", which could be left at a remote location where you might not fully trust the network operator.  ZFS on Linux supports dataset encryption for this purpose, and material for this section is drawn from this [[https://datacenteroverlords.com/2017/12/17/zfs-on-linux-with-encryption-part-2/|blog post]].  You'll first need to enable that feature on your pool:
 +<code>
 +zpool set feature@encryption=enabled dozer
 +</code>
 +Then, create the encrypted dataset:
 +<code>
 +zfs create -o encryption=on -o keylocation=prompt -o keyformat=passphrase dozer/encrypted
 +</code>
 +The system will prompt you for a passphrase, which you'll need whenever you mount that dataset.  Minimum length is eight characters.
 +
 +===== Create a replication user =====
 +For the sake of security, it would be best if replication to this device ran as a user other than root.  Start by creating the user:
 +<code>
 +adduser zfsuser
 +</code>
 +Disable login for that user:
 +<code>
 +chsh -s /bin/false zfsuser
 +</code>
 +Generate a SSH keypair for that user:
 +<code>
 +sudo -u zfsuser ssh-keygen
 +</code>
 +Now allow that user to make changes on the encrypted dataset:
 +<code>
 +zfs allow -u zfsuser create,destroy,snapshot,mount dozer/encrypted
 </code> </code>
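Review bot: the `zfs allow` line in the replication-user section does not delegate `receive`, so a `zfs receive` run as zfsuser into dozer/encrypted will be refused; add it (`zfs allow -u zfsuser create,destroy,snapshot,mount,receive dozer/encrypted`) and reconsider `destroy`, which lets the replication identity delete snapshots and datasets on the brick and is only needed if you depend on `zfs receive -F` rolling back the target. Two related issues in the same section: `chsh -s /bin/false zfsuser` also blocks non-interactive `ssh zfsuser@brick 'zfs receive ...'`, because sshd runs remote commands through the user's login shell, so push-style replication to this user cannot work; either keep a real shell and pin the key to a single command with a `command="..."` option in authorized_keys, or state that zfsuser is only ever used locally (`sudo -u zfsuser ssh ...` pulling from the source), which is what the keypair step suggests. On Linux, delegated `mount` does not let an unprivileged user actually mount a dataset, so receives as zfsuser should use `zfs receive -u` with the mount done by root. In the encryption section, note that with `keylocation=prompt` the passphrase is loaded on the brick itself (`zfs load-key dozer/encrypted`) before the dataset can be mounted, so on a device placed with an operator you do not fully trust the key is present in the brick's memory whenever the dataset is mounted; that residual risk, and the fact that dataset names and property values stay in plaintext, deserve a sentence next to the "minimum length is eight characters" remark.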
  
  • advanced/target.txt
  • Last modified: 2018/10/10 00:02
  • by dan