Differences
This shows you the differences between two versions of the page.
advanced:target [2018/10/03 00:36] – dan | advanced:target [2018/10/03 01:15] – dan | ||
---|---|---|---|
Line 50: | Line 50: | ||
< | < | ||
zpool create -o ashift=12 dozer / | zpool create -o ashift=12 dozer / | ||
+ | </ | ||
+ | |||
+ | ===== Enable encryption, and create an encrypted dataset ===== | ||
+ | The idea of this system is to be a standalone storage " | ||
+ | < | ||
+ | zpool set feature@encryption=enabled dozer | ||
+ | </ | ||
+ | Then, create the encrypted dataset: | ||
+ | < | ||
+ | zfs create -o encryption=on -o keylocation=prompt -o keyformat=passphrase dozer/ | ||
+ | </ | ||
+ | The system will prompt you for a passphrase, which you'll need whenever you mount that dataset. | ||
+ | |||
+ | ===== Create a replication user ===== | ||
+ | For the sake of security, it would be best if replication to this device ran as a user other than root. Start by creating the user: | ||
+ | < | ||
+ | adduser zfsuser | ||
+ | </ | ||
+ | Disable login for that user: | ||
+ | < | ||
+ | chsh -s /bin/false zfsuser | ||
+ | </ | ||
+ | Generate a SSH keypair for that user: | ||
+ | < | ||
+ | sudo -u zfsuser ssh-keygen | ||
+ | </ | ||
+ | Now allow that user to make changes on the encrypted dataset: | ||
+ | < | ||
+ | zfs allow -u zfsuser create, | ||
</ | </ | ||
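Review bot: in the added "Create a replication user" section, `chsh -s /bin/false zfsuser` is followed by generating an SSH keypair for the same account, but the text never says which side opens the SSH connection. sshd runs a remote command through the account's login shell, so if the source is meant to push into this box as zfsuser, nothing would execute with /bin/false as the shell. If this box instead connects outward with the key from `sudo -u zfsuser ssh-keygen`, say so, and say where the public key has to be installed. `ssh-keygen` with no options also prompts for a passphrase, and the section should state whether an empty one is expected for unattended replication. In the encryption section, `keylocation=prompt` means the dataset stays locked after a reboot; naming the unlock step (`zfs load-key` or `zfs mount -l`) next to "which you'll need whenever you mount that dataset" would save the reader a lookup.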