ZFS native encryption is currently broken for encrypted backups
https://github.com/openzfs/zfs/issues/11679
https://github.com/openzfs/zfs/issues/15989
https://github.com/openzfs/zfs/issues/15924
https://github.com/openzfs/zfs/labels/Component%3A%20Encryption
https://www.reddit.com/r/zfs/comments/10n8fsn/does_openzfs_have_a_new_developer_for_the_native/
On https://github.com/openzfs/openzfs-docs/issues/494 people unanimously agree that zfs native encryption is broken especially when sending or receiving raw encrypted zfs snapshots, and they blame the zfs leadership for refusing to admit that zfs native encryption is buggy because admitting that it is buggy is bad for the reputation of zfs.
zfs native encryption has been fine for local usage on my machine, but I have never attempted to send raw encrypted zfs snapshots due to numerous warnings.
Thus, I want to offer alternatives to zfs native encryption.
1. If your zfs pool is not large, LUKS is going to be faster than zfs native encryption. I don't know whether LUKS is going to be still faster if zfs pool contains many disks. ZFS native encryption can be as fast as LUKS or faster than LUKS, but it is not for now.
2. For making incremental encrypted backups, I recommend restic. Restic can make incremental encrypted snapshots of ZFS snapshots. You can delete any restic incremental snapshots without losing data in other snapshots. Restic 0.17 started supporting RESTIC_FEATURES=device-id-for-hardlinks which supports backing up $ZFS-MOUNTPOINT/.zfs/snapshot/$SNAPSHOT-NAME efficiently. Restic 0.18 will remove device-id-for-hardlinks feature flag and support .zfs/snapshot directories efficiently witout any feature flag. If you want to back up zfs dataset, you can take restic ZFS snapshot, back up .zfs/snapshot/restic as a new restic snapshot, and delete restic ZFS snapshot after backing it up. In this way, restic doesn't need to know about local sanoid ZFS snapshots which are independent from restic snapshots.
Restic supports compression, encryption, and deduplication. Thus, you can send incremental encrypted backups to untrusted machines. For remote backups, you can use amazon cloud storage, https://rsync.net, https://zfs.rent, and other cloud storage services. I don't have any association with any of these services. I don't recommend any. Do your own research if you want to pick a cloud storage provider.
20 comments
[ 3.1 ms ] story [ 62.9 ms ] threadBoth have limitations, like they have locks , so you should check on it so that you don’t miss backups. Any easy monitoring solution?
Otherwise, software always has bugs that you can find their bulletins. Like I use restic and Borg and there are sometimes integrity errors. I have repositories in both with integrity errors in them.
Weirdly, this only happened on a few datasets that were not used a lot, the datasets that have lots of IO have only had the innocuous errors (the ones that refer to deleted files).
I did try debugging some of this with a ZFS developer, but we were not able to recover the data, and digged deep enough to see that something was very wrong with these datasets (it was not just a bitflip somewhere, rather that dataset used a key from the keystore that was supposed to exist, but didn't.
Some encryption schemes will cascade bit errors (aka a flipped bit somewhere early on will fail everything and you’ll potentially lose access to the entire archive). Those also are terrible for random access. But usually extremely secure.
Most sane ones for backups use a variant of block level encryption where you’ll lose at most a block worth of data from a bit flip.
Which hopefully whatever archiving format you’re using can recover from, since long term storage already has that issue.
Way back, I had issues like this (unstable hardware) and piped tar through encryption (I forget what library - it might have been gpg haha) then rsbep2 to avoid problems. It recovered from corrupted blocks at least twice.
ZFS can fix errors too with Raid or copies=2.
Technically, there are two copies of data. One is on the source. The other is on the destination. Thus, restic can be like raid1.
Restic has checksums for chunks. RAID1 with checksum can repair errors.
This is on Debian with default kernels and ZoL versions.
I'd still prefer a bit more stability from native encryption.
More details on this can be found in a gist from the same author (keep in mind he's a well known zfs commmiter).
https://gist.github.com/rincebrain/622ee4991732774037ff44c67...