Mind the encryptionroot: How to save your data when ZFS loses its mind
sambowman.tech
Knowing what I now know about ZFS native encryption, I find it difficult to recommend until the sharp edges have all been filed down.
I've read several scary stories about ZFS encryption and have reached the same conclusion. Meanwhile, based on the accounts I've read, running ZFS on top of LUKS seems to be a more stable approach.
In any case, nice and detailed write-up. The nice thing about open source is that you can do "hacks" like you did.
Thank you!
I emphatically agree, unencrypted ZFS on top of GELI or LUKS encrypted block devices is the way to go for now. Plus it also has the benefit of not leaking metadata like a sieve.
My mistake was placing too much trust in ZFS's reputation for data integrity; clearly not all features hold that value in the same regard.
The openness of OpenZFS was a real saving grace. If this had occurred on a proprietary SAN, that data would be gone forever.
While ZFS has a well-earned reputation for data integrity and reliability, ZFS native encryption has some incredibly sharp edges that will cut you if you don't know where to be careful. I learned this the hard way, and this postmortem is an attempt to share my experience in the hope that others may learn from my mistakes. Feel free to ask any questions!