Out of boredom (…) I tried encrypting a leftover ZFS volume from earlier use (…) with LUKS while it stayed online. Naturally this only works on a mirror, raidz or better: each disk is taken offline, encrypted and resilvered back in turn, so the pool must keep running on the remaining redundancy.
Existing volume: 600G 15K * 2
$ lsblk --output NAME,KNAME,SIZE,HCTL,WWN,VENDOR,MODEL
NAME KNAME SIZE HCTL WWN VENDOR MODEL
sdj sdj 558.9G 7:0:2:0 0x5000c50aaaabbbbb SEAGATE ST3600057SS
├─sdj1 sdk1 558.9G 0x5000c50aaaabbbbb
└─sdj9 sdk9 8M 0x5000c50aaaabbbbb
sdk sdk 558.9G 7:0:3:0 0x5000c50ccccddddd SEAGATE ST3600057SS
├─sdk1 sdk1 558.9G 0x5000c50ccccddddd
└─sdk9 sdk9 8M 0x5000c50ccccddddd
$ zpool status tank
pool: tank
state: ONLINE
scan: scrub repaired 0 in 0h11m with 0 errors on Mon Sep 21 22:08:03 2015
config:
NAME STATE READ WRITE CKSUM
tank ONLINE 0 0 0
mirror-0 ONLINE 0 0 0
wwn-0x5000c50aaaabbbbb ONLINE 0 0 0
wwn-0x5000c50ccccddddd ONLINE 0 0 0
errors: No known data errors
Benchmark of the candidate cipher algorithms:
$ cryptsetup benchmark
# Tests are approximate using memory only (no storage IO).
PBKDF2-sha1 346293 iterations per second
PBKDF2-sha256 205764 iterations per second
PBKDF2-sha512 137536 iterations per second
PBKDF2-ripemd160 284629 iterations per second
PBKDF2-whirlpool 139735 iterations per second
# Algorithm | Key | Encryption | Decryption
aes-cbc 128b 140.0 MiB/s 163.9 MiB/s
serpent-cbc 128b 47.8 MiB/s 231.6 MiB/s
twofish-cbc 128b 116.4 MiB/s 187.7 MiB/s
aes-cbc 256b 111.4 MiB/s 124.5 MiB/s
serpent-cbc 256b 52.5 MiB/s 233.2 MiB/s
twofish-cbc 256b 137.9 MiB/s 187.0 MiB/s
aes-xts 256b 166.0 MiB/s 165.6 MiB/s *
serpent-xts 256b 183.5 MiB/s 209.2 MiB/s
twofish-xts 256b 171.5 MiB/s 172.7 MiB/s
aes-xts 512b 124.2 MiB/s 124.4 MiB/s
serpent-xts 512b 204.5 MiB/s 207.6 MiB/s
twofish-xts 512b 173.0 MiB/s 172.9 MiB/s
The server (X3440) has no hardware acceleration (AES-NI), so it is far too slow. On a machine with AES-NI it is considerably faster, as below (rMBP 13" early 2015 (i5-5257U), run inside a VM):
[vagrant@sandbox ~]$ cryptsetup benchmark
# Tests are approximate using memory only (no storage IO).
PBKDF2-sha1 531193 iterations per second
PBKDF2-sha256 321649 iterations per second
PBKDF2-sha512 210051 iterations per second
PBKDF2-ripemd160 426250 iterations per second
PBKDF2-whirlpool 218453 iterations per second
# Algorithm | Key | Encryption | Decryption
aes-cbc 128b 561.5 MiB/s 2384.3 MiB/s
serpent-cbc 128b 76.8 MiB/s 257.9 MiB/s
twofish-cbc 128b 169.1 MiB/s 314.9 MiB/s
aes-cbc 256b 423.8 MiB/s 1846.2 MiB/s
serpent-cbc 256b 79.7 MiB/s 248.3 MiB/s
twofish-cbc 256b 170.9 MiB/s 313.0 MiB/s
aes-xts 256b 2009.6 MiB/s 1953.8 MiB/s *
serpent-xts 256b 259.3 MiB/s 253.2 MiB/s
twofish-xts 256b 299.4 MiB/s 309.3 MiB/s
aes-xts 512b 1473.5 MiB/s 1517.9 MiB/s
serpent-xts 512b 261.5 MiB/s 256.6 MiB/s
twofish-xts 512b 305.1 MiB/s 312.8 MiB/s
Since the hardware is due for an upgrade later, AES-XTS is used anyway.
Take the first disk offline:
# zpool offline tank wwn-0x5000c50aaaabbbbb
Format it as LUKS:
# cryptsetup luksFormat --cipher aes-xts-plain64 --key-size 256 --hash sha512 /dev/disk/by-id/wwn-0x5000c50aaaabbbbb
WARNING!
========
This will overwrite data on /dev/disk/by-id/wwn-0x5000c50aaaabbbbb irrevocably.
Are you sure? (Type uppercase yes): YES
Enter passphrase:
Verify passphrase:
Open the LUKS volume:
# cryptsetup luksOpen --allow-discards /dev/disk/by-id/wwn-0x5000c50aaaabbbbb luks-0x5000c50aaaabbbbb
Enter passphrase for /dev/disk/by-id/wwn-0x5000c50aaaabbbbb:
Checking with lsblk, the LUKS header takes exactly 2MiB (600127266816 - 600125169664 = 2097152 bytes). The original ZFS layout was GPT plus an 8MiB reserved partition, so the LUKS device is larger than the old data partition and the replacement is not a problem.
$ lsblk --bytes --output NAME,KNAME,TYPE,SIZE,HCTL,WWN,VENDOR,MODEL
NAME KNAME TYPE SIZE HCTL WWN VENDOR MODEL
sdj sdj disk 600127266816 7:0:2:0 0x5000c50aaaabbbbb SEAGATE ST3600057SS
└─luks-0x5000c50aaaabbbbb dm-0 crypt 600125169664
Replace the raw disk with the LUKS device:
# zpool replace tank wwn-0x5000c50aaaabbbbb luks-0x5000c50aaaabbbbb
# zpool status tank
pool: tank
state: DEGRADED
status: One or more devices is currently being resilvered. The pool will
continue to function, possibly in a degraded state.
action: Wait for the resilver to complete.
scan: resilver in progress since Sun Jan 3 01:08:12 2016
1.48G scanned out of 175G at 17.6M/s, 2h48m to go
1.47G resilvered, 0.84% done
config:
NAME STATE READ WRITE CKSUM
tank DEGRADED 0 0 0
mirror-0 DEGRADED 0 0 0
replacing-0 OFFLINE 0 0 0
wwn-0x5000c50aaaabbbbb OFFLINE 0 0 0
luks-0x5000c50aaaabbbbb ONLINE 0 0 0 (resilvering)
wwn-0x5000c50ccccddddd ONLINE 0 0 0
errors: No known data errors
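The post performs the offline / luksFormat / luksOpen / replace steps by hand for one disk. The script below is an added example, not part of the original post: it wraps the same sequence in a function and gates it on checks a careful operator would want before pulling a mirror member (the pool is ONLINE, the top-level vdev is a mirror or raidz, no resilver is still running, and the opened LUKS device is not smaller than the partition it replaces). The pool name, device names, DRY_RUN variable and function names are assumptions; the two embedded `zpool status` samples are constructed from the output shown above and exist only so the helpers can be exercised without a real pool.

```shell
#!/bin/sh
# Added example: guarded disk-by-disk LUKS rotation for a redundant ZFS pool.
# Assumptions: pool and wwn-* names are placeholders; with DRY_RUN=1 the
# zpool/cryptsetup commands are echoed instead of executed.

# Print the "state:" value of a `zpool status` report read from stdin.
pool_state() {
    awk '$1 == "state:" { print $2; exit }'
}

# Succeed when the report shows a resilver still running.
resilver_in_progress() {
    grep -q 'resilver in progress'
}

# Succeed when the config section lists a mirror-N or raidzN-M vdev.
# A single-disk or striped pool cannot survive having a member offlined.
has_redundancy() {
    awk '$1 ~ /^mirror-[0-9]+$/ || $1 ~ /^raidz[0-9]*-[0-9]+$/ { found = 1 }
         END { exit !found }'
}

# The replacement device must hold at least as many bytes as the vdev it replaces.
fits() {
    [ "$2" -ge "$1" ]
}

# Byte size of a block device (blockdev is part of util-linux).
device_bytes() {
    blockdev --getsize64 "$1"
}

# Echo or execute a command depending on DRY_RUN.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# Rotate one member onto LUKS. $1 = pool, $2 = by-id disk name (wwn-...).
rotate_disk() {
    pool=$1; disk=$2; mapper="luks-${disk#wwn-}"
    status=$(zpool status "$pool") || return 1
    [ "$(printf '%s\n' "$status" | pool_state)" = "ONLINE" ] \
        || { echo "pool $pool is not ONLINE, refusing to offline a member"; return 1; }
    printf '%s\n' "$status" | has_redundancy \
        || { echo "no mirror/raidz vdev in $pool, refusing"; return 1; }
    if printf '%s\n' "$status" | resilver_in_progress; then
        echo "resilver still running, wait for it to finish"; return 1
    fi
    run zpool offline "$pool" "$disk"
    run cryptsetup luksFormat --cipher aes-xts-plain64 --key-size 256 --hash sha512 \
        "/dev/disk/by-id/$disk"
    run cryptsetup luksOpen --allow-discards "/dev/disk/by-id/$disk" "$mapper"
    if [ "${DRY_RUN:-0}" != 1 ]; then
        # Old data partition is <disk>-part1; the mapped device loses 2MiB to the LUKS header.
        fits "$(device_bytes "/dev/disk/by-id/${disk}-part1")" \
             "$(device_bytes "/dev/mapper/$mapper")" \
            || { echo "LUKS device is smaller than the original vdev, aborting"; return 1; }
    fi
    run zpool replace "$pool" "$disk" "$mapper"
}

# Constructed fixtures (trimmed from the status output shown in the post) for testing.
SAMPLE_HEALTHY='  pool: tank
 state: ONLINE
config:
        NAME                        STATE     READ WRITE CKSUM
        tank                        ONLINE       0     0     0
          mirror-0                  ONLINE       0     0     0
            wwn-0x5000c50aaaabbbbb  ONLINE       0     0     0
            wwn-0x5000c50ccccddddd  ONLINE       0     0     0'
SAMPLE_RESILVER='  pool: tank
 state: DEGRADED
  scan: resilver in progress since Sun Jan 3 01:08:12 2016
config:
        NAME                          STATE     READ WRITE CKSUM
        tank                          DEGRADED     0     0     0
          mirror-0                    DEGRADED     0     0     0
            replacing-0               OFFLINE      0     0     0
              wwn-0x5000c50aaaabbbbb  OFFLINE      0     0     0
              luks-0x5000c50aaaabbbbb ONLINE       0     0     0  (resilvering)
            wwn-0x5000c50ccccddddd    ONLINE       0     0     0'

# Usage: DRY_RUN=1 sh luks_rotate.sh tank wwn-0x5000c50aaaabbbbb
if [ $# -eq 2 ]; then rotate_disk "$1" "$2"; fi
```

Run the second disk through `rotate_disk` only after `zpool status` no longer reports a resilver; the preconditions exist precisely because offlining a member of an already DEGRADED mirror leaves the pool with no redundancy at all.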