Hello,
I searched a bit on the forum and I couldn't find this information (and I am surprised it isn't sticky'ed if it exists). Many of us accumulated a lot of data over the years and we would be upset if the drives fail and we lose the data. I also noticed that some files on my old drive became unreadable, so slow data loss can happen (and go undetected) before drive failure. RAID (ZFS) solutions can protect against these failures.
We also need to encrypt data at rest and the most popular solution is probably using a TrueCrypt/VeraCrypt full disk encryption since there is no way to prove it is a TrueCrypt volume without password and keyfile.
My question is:
What is the best way to combine encryption and disk redundancy? I am considering several solution with both pros and cons:
* VeraCrypt over Linux MD Raid:
+ This will show as a RAID, but it cannot be shown that it has any (encrypted) data
+ easy to replace damaged disks, extend capacity, add redundancy
- Linux MD Raid does not protect against bit rot (does not do checksumming)
* Encrypted ZFS volume directly on disks:
+ ZFS data protection and integrity
+ easy to replace damaged disks, extend capacity, add redundancy
- the encrypted data set is visible and cannot be hidden. An attacker will see you are hiding something and where you are hiding it
* (Un)Encrypted ZFS volume over Veracrypt encrypted disks:
+ disks are encrypted by VeraCrypt. They appear unformatted to an attacker
- ZFS protections might be undermined by the additional Layer.
- I am not entirely sure how well this would work (will give it a try and report back)
0 comments:
Post a Comment