How to install a compressed and encrypted Z file system [ZFS hack]

Hey Guys, yes we switched this blog in english because it has to !

So welcome in this article, we will see how to install Zfs with compression and encryption on an external HD. So you can go out with your HD totally secure !

All explanations below are given without any warranties of any kind as usual, and we won’t be responsible of anything if things go wrong. Take your responsabilities, make backups !

All explanations below are give for archlinux but concepts described here may apply for other distributions.

pacman -S linux(currrent kernel)-zfs
systemctl enable zfs-import-cache
systemctl enable zfs-import.target
systemctl enable zfs-mount
systemctl enable zfs.target

Creating a storage pool

No need to partition the drives before creating the ZFS filesystem guys. We will use here our entire disk, let’s suppose here it’s /dev/sdd.

Identify disks

We need first to identify the disks with this command :

# ls -lh /dev/disk/by-id/
lrwxrwxrwx 1 root root 10  7 déc.  21:11 ata-WDC_WDS250G2B0A-00SM50_181960809318-part8 -> ../../sdb8
lrwxrwxrwx 1 root root 10  7 déc.  21:11 ata-WDC_WDS250G2B0A-00SM50_181960809318-part9 -> ../../sdb9
lrwxrwxrwx 1 root root  9  7 déc.  21:11 usb-Seagate_Portable_NAA5HL28-0:0 -> ../../sdd

create a ZFS pool

To create a ZFS pool :

zpool create -f -m   [raidz(2|3)|mirror] ids

-f: Force creating the pool. This is to overcome the "EFI label error". See #Does not contain an EFI label.
-m: The mount point of the pool. If this is not specified, then the pool will be mounted to /.
 pool: This is the name of the pool.
 raidz(2|3)|mirror: This is the type of virtual device that will be created from the pool of devices, raidz is a single disk of parity, raidz2 for 2 disks of parity and raidz3 for 3 disks of parity, similar to raid5 and raid6. Also available is mirror, which is similar to raid1 or raid10, but is not constrained to just 2 device. If not specified, each device will be added as a vdev which is similar to raid0. After creation, a device can be added to each single drive vdev to turn it into a mirror, which can be useful for migrating data.
 ids: The ID's of the drives or partitions that to include into the pool.

So here for what we need :

zpool create -f -m /mnt/zfs tetux1 usb-Seagate_Portable_NAA5HL28-0:0

And then we can verify :

# zpool status -v
 pool: remov1
  state: ONLINE
   scan: none requested
 config:
 NAME                                 STATE     READ WRITE CKSUM remov1                               ONLINE       0     0     0   usb-Seagate_Portable_NAA5HL28-0:0  ONLINE       0     0     0
 errors: No known data errors

Importing a pool created by id

Eventually a pool may fail to auto mount and you need to import to bring your pool back. Take care to avoid the most obvious solution.

# zpool import -d /dev/disk/by-id  tetux1

Creating a dataset

Users can optionally create a dataset under the zpool as opposed to manually creating directories under the zpool. Datasets allow for an increased level of control (quotas for example) in addition to snapshots. To be able to create and mount a dataset, a directory of the same name must not pre-exist in the zpool. To create a dataset, use:

# zfs create <nameofzpool>/<nameofdataset> 

Tuning ZFS

To see all options :

# zfs get all tetux1

To disable access time (atime), which is enabled by default:

# zfs set atime=off tetux1

Compression

To enable compression:

# zfs set compression=on tetux1

Scrubbing

Whenever data is read and ZFS encounters an error, it is silently repaired when possible, rewritten back to disk and logged so you can obtain an overview of errors on your pools. There is no fsck or equivalent tool for ZFS. Instead, ZFS supports a feature known as scrubbing. This traverses through all the data in a pool and verifies that all blocks can be read.

To scrub a pool:

# zpool scrub tetux1

Destroy a pool

# zpool destroy remov1

Encryption

# zfs create -o encryption=on -o keyformat=passphrase tetux1

Compression

# zfs create -o compression=on tetux1

Then to have both encryption AND compression :

# zfs create -o encryption=on -o keyformat=passphrase -o compression=on tetux1

On next reboot how to mount your partition

Just do that :

sudo zfs mount
sudo zfs unmount /mnt/zfs/
sudo zfs mount -l -a

You will be asked for the passphrase and that’s it !

How to remove safely your external HD with ZFS ?

Well it’s not that complicated you just type in :

sudo zfs unmount /mnt/zfs (this is just optionnal !)
sudo zpool export tetux1

And then when you want to plug it back :

sudo zpool import -d /dev/disk/by-id tetux1
sudo zfs unmount /mnt/zfs/
sudo zfs mount -l -a