1

If I have 2x LUKS-encrypted HDDs with a ZFS mirror pool on top of the dm-crypt mapper devices: what happens if one of my HDDs encounters an error and the OS recognizes a sector as bad?

Will this bad sector information be passed to the encryption layer and as such be there on the mapper device, marked 'bad' as well? (The corresponding affected block, of course.)

(So that the ZFS layer on top of the encrypted device can see this and correct the error via internal mechanisms during access or during a scrubbing. No ZFS encryption - by intention. Yet).

Debian/Ubuntu.

Vortex

1 Answer

1

If a sector goes bad, LUKS would return an error - which will be corrected by ZFS (thanks to the other mirror leg).

If a sector returns bad data, LUKS can decrypt an incorrect payload - which will again be corrected by ZFS (thanks to checksum and mirroring).

In other words: with a ZFS mirror your data should be safe, unless both mirror legs are corrupted.

shodanshok
  • Does dm-integrity (actually used as a '--integrity xx' option for LUKS) make any sense, knowing ZFS is going to go on top of LUKS? Or doesn't it really matter in this context? Would you 'cryptsetup luksFormat' with or without it? – Vortex Nov 19 '20 at 07:13
  • No, I would not use dm-integrity with ZFS as the latter already has strong checksumming. dm-integrity can be useful with filesystems that do not checksum data, such as ext4 and xfs. – shodanshok Nov 19 '20 at 07:46
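
The two failure modes described in the answer above, as an added example (not code from the original thread, and not ZFS or dm-crypt code): a simplified model in which a read error passes through the encryption layer unchanged, while silently corrupted ciphertext decrypts to wrong data that only the checksum catches. The class names, the XOR keystream and the SHA-256 block checksum are assumptions chosen for illustration.

```python
import hashlib

SECTOR = 32  # bytes per toy sector (constructed value)

def keystream(key: bytes, lba: int) -> bytes:
    # Toy per-sector keystream standing in for dm-crypt's cipher; not real crypto.
    return hashlib.sha256(key + lba.to_bytes(8, "little")).digest()[:SECTOR]

class CryptLeg:
    """One disk behind a dm-crypt-like mapping (hypothetical model)."""
    def __init__(self, key: bytes):
        self.key, self.raw, self.bad = key, {}, set()

    def write(self, lba: int, plain: bytes) -> None:
        ks = keystream(self.key, lba)
        self.raw[lba] = bytes(a ^ b for a, b in zip(plain, ks))
        self.bad.discard(lba)  # models the drive remapping the sector on rewrite

    def read(self, lba: int) -> bytes:
        if lba in self.bad:
            raise IOError(f"EIO at sector {lba}")  # disk error passes up as-is
        ks = keystream(self.key, lba)
        return bytes(a ^ b for a, b in zip(self.raw[lba], ks))  # no integrity check

class Mirror:
    """Checksumming two-way mirror layered on the mapper devices."""
    def __init__(self, legs):
        self.legs, self.sums, self.repaired = legs, {}, []

    def write(self, lba: int, plain: bytes) -> None:
        self.sums[lba] = hashlib.sha256(plain).digest()
        for leg in self.legs:
            leg.write(lba, plain)

    def scrub_read(self, lba: int) -> bytes:
        """Check every leg, return verified data, rewrite any failed copy."""
        good, failed = None, []
        for i, leg in enumerate(self.legs):
            try:
                data = leg.read(lba)
                ok, why = hashlib.sha256(data).digest() == self.sums[lba], "checksum"
            except IOError:
                ok, why = False, "io-error"
            if ok:
                good = data
            else:
                failed.append((i, why))
        if good is None:
            raise IOError("both mirror legs bad: unrecoverable")
        for i, why in failed:
            self.legs[i].write(lba, good)  # self-heal from the good leg
            self.repaired.append((lba, i, why))
        return good
```
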