What filesystem should I go for with encrypted hdd + tm?

  • Well, the big question...


    I've read that HFS+ doesn't seem really stable with Linux or Openmediavault, and there doesn't seem to be any implementation for APFS yet. So what should I go for?


    - I need a compatible file system for my Time Machine backup, backing up an APFS-installed MacBook.
    - My archive disk, today installed as APFS as well. Will do as HFS+ if necessary, or another file system as long as it handles some metadata and works well with Apple.


    The hard part will be the encryption, I guess. I would like to have a password for each drive in case anything gets stolen.


    So, what's the least bad choice I can make here? :D

  • what's the least bad choice I can make here?

    Go with the perfect choice: that's

    • encrypting on the client (all Macs since 2010 have CPUs with AES-NI support)
    • using AFP with OMV4
    • using SMB with OMV5 in the future

    It's just ticking two checkboxes and also entering the passphrase twice on the Mac. I use ZFS or btrfs on the server side to do regular snapshots there too, so in case you get backup corruption you can revert to the latest working snapshot on the server and don't lose your whole backup history (though that's gotten much, much better over the years with macOS).

  • Go with the perfect choice: that's

    • encrypting on the client (all Macs since 2010 have CPUs with AES-NI support)
    • using AFP with OMV4
    • using SMB with OMV5 in the future

    It's just ticking two checkboxes and also entering the passphrase twice on the Mac. I use ZFS or btrfs on the server side to do regular snapshots there too, so in case you get backup corruption you can revert to the latest working snapshot on the server and don't lose your whole backup history (though that's gotten much, much better over the years with macOS).


    Hmm, I don't think I really get it. It sounds too easy!


    I've already got encryption via FileVault on my MacBook. But since it's possible to get into the hard drives connected to the NAS, they have to be encrypted as well? (If they get stolen...)


    It seems like I can't use encrypted HFS+ for my drives via Linux at all?


    I'm currently looking at ZFS. Great file system, but a hell of a job setting it up and relearning everything, especially with encryption and passwords. This may be fun, but it's a little bit of a domino effect right now, haha!



    Sent from my iPhone using Tapatalk

  • I’ve already got encryption via FileVault on my MacBook

    Now you only need to toggle 'encrypted backups' when setting up your TM backup via AFP and you're done (once OMV 5 is ready you switch to SMB). Your Mac then does all the encryption stuff, and the data on the OMV server is worthless to anyone without access to the TM backup passphrase stored in your Mac's keychain.


    It's that easy.

  • It seems like I can’t use encrypted HFS+ for my drives via Linux at all?

    Nope, and there is zero benefit. Simply use AFP today and SMB in the future. OMV takes care of all the TM specialties, and Apple takes care of maintaining TM compatibility on top of the network protocols (TM over the network uses so-called 'sparse bundles' that implement HFS+ functionality on top of whatever server-side filesystem).


    Simply let your Mac do the encryption. Only downside: with modern filesystems on the server (again: ZFS or btrfs) you can't benefit from transparent filesystem compression, since once the Mac encrypts the backups you gain nothing from compression (without the Mac doing encryption you might get 30% to 40% space savings with ZFS or btrfs on the server).

  • Now you only need to toggle 'encrypted backups' when setting up your TM backup via AFP and you're done (once OMV 5 is ready you switch to SMB). Your Mac then does all the encryption stuff, and the data on the OMV server is worthless to anyone without access to the TM backup passphrase stored in your Mac's keychain.
    It's that easy.

    That sounds really great and easy! Neat solution.


    Simply let your Mac do the encryption. Only downside: with modern filesystems on the server (again: ZFS or btrfs) you can't benefit from transparent filesystem compression, since once the Mac encrypts the backups you gain nothing from compression (without the Mac doing encryption you might get 30% to 40% space savings with ZFS or btrfs on the server).

    This, though: is it possible to go for HFS+ for my server drive (without TM) and encrypt it via AFP in OMV as well?

  • is it possible to go for HFS+ for my server drive (without TM) and encrypt it via AFP in OMV as well?

    No. Forget about HFS+ with Linux; you need a POSIX-compliant filesystem at the server, and the mapping between Mac semantics (encodings/metadata) and the server's representation happens in Netatalk and Samba. If you want encryption in a similar way to Time Machine, you need to create an encrypted sparsebundle at the client that resides on a server share (the 'encrypted TM backups over network' approach uses exactly this too).


    No idea about server-side encryption (LUKS & Co.) -- I'll wait until transparent compression is ready in ZFS/ZoL (ZFS on Linux) and then do another round of evaluations.
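The client-side encrypted sparsebundle described in the reply above, as an added example (not from the thread or from OMV): it creates the bundle on an already-mounted share and verifies the encryption flag before the bundle is trusted. The share path, bundle name and size are hypothetical arguments; the passphrase is read from stdin so it never appears on a command line.

```shell
#!/bin/sh
# Added example, not from the thread: create a client-side encrypted sparse
# bundle on an already-mounted server share and verify it is encrypted, so the
# server disk only ever stores ciphertext (the approach the reply above describes).
# Assumptions: macOS with hdiutil; the share is mounted (e.g. /Volumes/archive);
# the passphrase is read from stdin, so it never appears in `ps` or shell history.

# Reject names that are empty, contain a slash, or start with a dot, so the
# bundle can only be created directly inside the share directory.
valid_bundle_name() {
  case "$1" in
    ''|*/*|.*) return 1 ;;
    *) return 0 ;;
  esac
}

# Accept only sizes in the form hdiutil expects: digits plus one unit letter.
valid_size() {
  case "$1" in
    *[kmgtKMGT]) digits="${1%?}" ;;
    *) return 1 ;;
  esac
  [ -n "$digits" ] && [ -z "$(printf '%s' "$digits" | tr -d 0-9)" ]
}

# Create the sparse bundle. AES-256 is done by the Mac; the server receives
# only encrypted band files and cannot read them without the passphrase.
create_encrypted_bundle() {
  share="$1"; name="$2"; size="$3"
  valid_bundle_name "$name" || { echo "bad bundle name: $name" >&2; return 1; }
  valid_size "$size"        || { echo "bad size: $size" >&2; return 1; }
  [ -d "$share" ]           || { echo "share not mounted: $share" >&2; return 1; }
  hdiutil create -type SPARSEBUNDLE -fs APFS -size "$size" \
    -encryption AES-256 -stdinpass -volname "$name" \
    "$share/$name.sparsebundle"
}

# Check before trusting the bundle: hdiutil reports "encrypted: YES" or "NO".
bundle_is_encrypted() {
  hdiutil isencrypted "$1" 2>/dev/null | grep -q 'encrypted: YES'
}

# Usage: printf '%s' "$PASSPHRASE" | sh mkbundle.sh /Volumes/archive archive 500g
if [ "$#" -eq 3 ]; then
  create_encrypted_bundle "$1" "$2" "$3" &&
    bundle_is_encrypted "$1/$2.sparsebundle" && echo "encrypted bundle ready"
fi
```

Mount it later with `hdiutil attach -stdinpass` the same way; the server never needs the passphrase.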

  • No. Forget about HFS+ with Linux; you need a POSIX-compliant filesystem at the server, and the mapping between Mac semantics (encodings/metadata) and the server's representation happens in Netatalk and Samba. If you want encryption in a similar way to Time Machine, you need to create an encrypted sparsebundle at the client that resides on a server share (the 'encrypted TM backups over network' approach uses exactly this too).
    No idea about server-side encryption (LUKS & Co.) -- I'll wait until transparent compression is ready in ZFS/ZoL (ZFS on Linux) and then do another round of evaluations.

    Oh, and there is the answer to why I should use Netatalk! Thanks!


    Didn't even think of the possibility of encrypting an image (sparsebundle) instead of the whole disk; ofc this is the way to go.


    As a final question (for now...), is there any difference between how ext4 and btrfs do as options? Is there any difference in how they work with Netatalk/Samba and metadata for my use as a file archive? Or can I choose whichever I like?

  • is there any difference between how ext4 and btrfs do as options? Is there any difference in how they work with Netatalk/Samba and metadata for my use as a file archive? Or can I choose whichever I like?

    With your use case... nope. There are no relevant differences other than btrfs making it easier to 'back up' the shares to another disk or even location (there are snapshots and send/receive features -- with old/anachronistic filesystems like ext4 all of this has to happen above the filesystem, using rsync/rsnapshot for example).
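The snapshot-plus-send/receive replication mentioned in the reply above, as an added example (not from the thread or from OMV): it takes a read-only snapshot of the share's subvolume and ships it to a second btrfs disk, incrementally when a common parent snapshot already exists there. The paths /srv/tm, /srv/.snapshots and /mnt/backup are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: snapshot the btrfs subvolume that holds
# a share and replicate it incrementally to a second disk with send/receive,
# giving the revertable backup history the reply above describes.
# Assumptions: /srv/tm is a btrfs subvolume, /srv/.snapshots and /mnt/backup
# are directories on btrfs filesystems; all paths are hypothetical.

# Newest snapshot name present in both listings (one name per line; names
# sort chronologically). Pure text processing; prints nothing if none match.
latest_common_snapshot() {
  printf '%s\n%s\n' "$1" "$2" | sort | uniq -d | tail -n 1
}

# Names like tm-2019-03-01T0200 sort in time order as plain strings.
snapshot_name() { printf 'tm-%s' "$(date -u +%Y-%m-%dT%H%M)"; }

# Take a read-only snapshot, then send it: incrementally when the destination
# already has a common parent, otherwise as a full stream.
replicate() {
  src="$1"; snaps="$2"; dst="$3"
  new="$(snapshot_name)"
  btrfs subvolume snapshot -r "$src" "$snaps/$new" || return 1
  parent="$(latest_common_snapshot "$(ls "$snaps")" "$(ls "$dst")")"
  if [ -n "$parent" ]; then
    # Only the extents changed since the parent snapshot are transferred.
    btrfs send -p "$snaps/$parent" "$snaps/$new" | btrfs receive "$dst"
  else
    btrfs send "$snaps/$new" | btrfs receive "$dst"
  fi
}

# Usage (as root): sh replicate.sh /srv/tm /srv/.snapshots /mnt/backup
if [ "$#" -eq 3 ]; then replicate "$1" "$2" "$3"; fi
```

Reverting a corrupted share is then a matter of pointing it at a good snapshot; the snapshots on the second disk survive the loss of the first.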

  • With your use case... nope. There are no relevant differences other than btrfs making it easier to 'back up' the shares to another disk or even location (there are snapshots and send/receive features -- with old/anachronistic filesystems like ext4 all of this has to happen above the filesystem, using rsync/rsnapshot for example).

    Nice! I've got plans to use the "USB backup plugin" with an external hard drive to back up my server disk. So btrfs sounds like the best solution for this then?


    Your support is amazing btw, so helpful!

  • using the "USB backup plugin" with an external hard drive to back up my server disk.

    Sorry, never used this plugin (and starting to hate USB storage in general). My backup approach is as easy as this:

    • Almost all important personal data resides on my laptop (MacBook Pro), where the storage is encrypted via FileVault. Backups are done via encrypted Time Machine to various SBCs here and at other locations (friends, family -- if one of these devices gets lost or 'compromised'... doesn't matter, since backups are encrypted and the keys are in my keychain and never need to be transferred to the backup device)
    • On servers we mostly use ZFS send/receive features to transfer snapshots from one server to another, so 'backup history' is also present here and there, so not that much can go wrong any more, and even a whole server dying does not result in lengthy restore orgies; we simply switch over the DNS name to the backup machine and clients start over at the last snapshot

    I would believe what 100.1% of OMV users are doing is right in between those two scenarios above, so I'm not that qualified to talk about backup and OMV.


    Wrt OMV and ZFS / btrfs you might want to read through https://github.com/openmediavault/openmediavault/issues/101 (but it will mostly discourage you from using either filesystem. Even if a lot of insane FUD/BS is spread there, it might give you an idea about filesystem complexity and which hardware requirements have to be met to fully rely on modern storage approaches).
