ZFS

Decisions
  1. While encrypting the pool volume is possible, I decided to go with a sub-volume, just in case I need to add un-encrypted data later
  2. The options for encryption keys are passphrase, raw key, and hex key. I'll be using a hex key for ease of backup in my password database.
  3. When creating the pool use the entire disk, not partitions where possible
  4. When creating the pool, use /dev/disk/by-id, not /dev/sda, as these can change on boot

  1. ZFS - ArchWiki
  2. Performance tuning - OpenZFS
  3. Tips from JRS
Create the pool

Grab the disk IDs as shown below, and use those IDs to create the pool

ls -lah /dev/disk/by-id
zpool create datapool -o ashift=12 -o autoexpand=on mirror diskID1 diskID2
zfs set compression=lz4 datapool
zfs set atime=off datapool
Creating the Volume
  1. Normal Dataset
zfs create poolname/datasetname
  2. Encrypted Dataset
mkdir /etc/zfs/keys
chmod 700 /etc/zfs/keys
openssl rand -hex -out /etc/zfs/keys/datasetname 32
chmod 600 /etc/zfs/keys/datasetname
zfs create -o encryption=aes-256-gcm -o keyformat=hex -o keylocation=file:///etc/zfs/keys/datasetname poolname/datasetname
Backing up data normally
  1. Create an initial snapshot and backup
zfs snapshot -r poolname@snap1
zfs send -Rw poolname@snap1 | zfs recv -Fdu backuppool
  2. After some changes, send an incremental
zfs snapshot -r poolname@snap2
zfs send -Rw -I poolname@snap1 poolname@snap2 | zfs recv -Fdu backuppool
zfs destroy -r poolname@snap1
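Added example, not part of the original notes: a small shell helper that reads `zfs list -H -o name -t snapshot` output from both pools and picks the newest snapshot they have in common as the base for the raw incremental send, so the `-I` command above is only built from a snapshot the backup pool actually holds (and the older snapshot is only safe to destroy once that is confirmed). The two snapshot listings below are constructed sample data.

```shell
#!/bin/sh
# Constructed sample output of `zfs list -H -o name -t snapshot` on the
# source pool and on the backup pool (datasets land under backuppool/
# because of `zfs recv -d`). zfs lists snapshots in creation order.
SRC_SNAPS='datapool@snap1
datapool@snap2
datapool@snap3'
DST_SNAPS='backuppool/datapool@snap1
backuppool/datapool@snap2'

# Print only the snapshot name (the part after '@') of each line.
snap_names() {
  printf '%s\n' "$1" | sed 's/^[^@]*@//'
}

# Newest snapshot present on both sides, walking the source list in
# creation order. Prints nothing when there is no common snapshot.
latest_common_snapshot() {
  src=$1; dst=$2; common=''
  for s in $(snap_names "$src"); do
    if snap_names "$dst" | grep -qx "$s"; then common=$s; fi
  done
  printf '%s' "$common"
}

# Build the raw (-w) incremental replication command from the last common
# snapshot to the newest source snapshot. Returns 1 when no common base
# exists (a full send is needed), 2 when the backup is already current.
incremental_send_cmd() {
  pool=$1; src=$2; dst=$3; bkp=$4
  base=$(latest_common_snapshot "$src" "$dst")
  [ -n "$base" ] || return 1
  newest=$(snap_names "$src" | tail -n 1)
  [ "$base" != "$newest" ] || return 2
  printf 'zfs send -Rw -I %s@%s %s@%s | zfs recv -Fdu %s' \
    "$pool" "$base" "$pool" "$newest" "$bkp"
}

# Stand-alone run on the constructed listings.
incremental_send_cmd datapool "$SRC_SNAPS" "$DST_SNAPS" backuppool; echo
```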
Safely Importing Backup Disk

To safely import the backup pool disk without fudging existing mounts, use:

zpool import -N backuppool

Do it all... with Sanoid / Syncoid!

Learning ZFS has been fun, so I've wanted to try to do everything manually, but it turns out Sanoid is the end-all-be-all of everything ZFS I need. It'll handle your backups and replication automatically.

Syncoid commands

I have some encrypted datasets, which is a relatively new feature of ZFS and requires the raw send option. To do this with syncoid:

syncoid pool/to/backup bkppool/destination --sendoptions=w