On 11/11/2015 07:19 PM, Neil Bothwick wrote:
> On Wed, 11 Nov 2015 18:09:39 +0100, Ralf wrote:
>
>> Btrfs supports Raid10 but no block-crypto.
>>
>> If I would use a HD->MD Raid->Luks->Btrfs stack, I don't benefit from
>> the Raid implementation of Btrfs.
> Nor do you get the automatic repair of corruption that btrfs RAID offers.

Oh cool, nice, I didn't know about that feature. But as you say, it's
definitely better using btrfs's raid instead of using stacked md raid.

>
>> If I would use a HD->Luks->Btrfs stack, then I would have to use four
>> different LUKS devices, which results in four individual encryptions
>> (and I don't have AES-NI, so this would be a tremendous slowdown).
> It would definitely be slower, but maybe not "tremendously".

Well yes, I would say so. My box doesn't have the AES-NI instruction set
and it 'only' has two relatively slow cores. 4x independent Luks results
in 4x independent (en|de)cryption. Even now, in my current configuration,
AES slows everything down extremely. (Before setting up my disks a few
years ago, I benchmarked the setup with and without luks. Afair, without
Luks I had about Read:80Mib/s, with Luks it's about 50MiB/s, and yes,
everything is aligned correctly.)

>
>> What would be the best way to have a Raid 10 together with an encrypted
>> Btrfs?
> What about crypto on top of btrfs using a stacked filesystem like
> ecryptfs?

Nope, I also thought about that, but this is not elegant. Besides that,
it would also slow down the system, as ecryptfs runs in the VFS layer and
is yet another layer which operates on top of an existing filesystem (and
not like luks, which would run a layer below btrfs). So that's a lot of
overhead.
Ecryptfs is really nice for encrypting dedicated files or directories,
but I don't think that it is a good solution for encrypting a _whole_
general purpose filesystem. And thinking about the btrfs snapshot
feature, using some 'btrfs history tool', I would probably only be able
to see a lot of crypto garbage when going through my history (which can
for sure be accessed by ecryptfs, but not by standard btrfs tools).

Cheers
  Ralf