Filesystem encryption

Antonio Huete Jiménez tuxillo at
Fri Jan 30 07:59:58 PST 2015

Hi Konrad,

The only way that comes to mind in order to achieve that would be  
using 'hammer mirror-read' piped to some encryption utility like  
openssl or gnupg in order to have on the fly encrypted filesystem  
PFSes and then transfer the files to the backup location.

Something like this:
(Note that this assumes you have a working gpg setup)


# hammer mirror-read /var | gzip -c | gpg --symmetric --cipher-algo AES192 --output pfs.var.gz.enc
Prescan to break up bulk transfer
Enter passphrase

Prescan 1 chunks, total 241 MBytes (253446328)
Please re-enter this passphrase
Enter passphrase

Please re-enter this passphrase
Mirror-read /var succeeded

# chmod 400 pfs.var.gz.enc
# ls -tlhr pfs.var.gz.enc
-r--------  1 root  wheel   193M Jan 30 16:46 pfs.var.gz.enc


# gpg --decrypt pfs.var.gz.enc | gunzip -c | hammer -y mirror-write /pfs/myvar
gpg: AES192 encrypted data
gpg: encrypted with 1 passphrase
PFS slave /pfs/myvar does not exist. Auto create new slave PFS!
Creating PFS #9 succeeded!
     operating as a SLAVE
     snapshots directory defaults to /var/hammer/<pfs>
Source can update synctid to 0x0000000111c45d60

There is a way also to do incremental backups but it would be more  
complicated. You can have a look at this to grasp the idea:

Antonio Huete

Quoting Konrad Neuwirth <konrad at>:

> Hello everyone,
> I've read about cryptsetup and device mapper, but this is not  
> quite what I have in mind :-).
> I am curious whether there is a way to have a HAMMER filesystem  
> encrypted so that I can mirror it to another location, where only  
> the encrypted data is stored. But here, locally, of course, I would  
> be interested in using the filesystem normally. The benefit would be  
> that I can copy back from the encrypted storage and have my  
> filesystem back, yet do not need to trust the backup location.
> Is there any way to achieve that?
> Thank you,
>  Konrad
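
The pipeline from the reply above, wrapped for unattended use; this is an added example and not part of the original thread. It records the exit status of 'hammer mirror-read' separately, because the pipeline itself only reports gpg's status, and it test-decrypts the archive before keeping it. The function name encrypted_pfs_dump, the passphrase file and the use of GnuPG 2.1+ batch options are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post. Assumes GnuPG 2.1+ (for
# --pinentry-mode loopback) and a passphrase stored in a root-only file.
# Usage: encrypted_pfs_dump <pfs-path> <passphrase-file> <output-file>
encrypted_pfs_dump() (
    pfs=$1 passfile=$2 out=$3
    umask 077                      # body runs in a subshell, so this stays local
    status=$(mktemp "${TMPDIR:-/tmp}/pfsdump.XXXXXX") || exit 1

    # A pipeline reports only its last command's status (gpg here), so a
    # failed mirror-read would go unnoticed. Record its status separately.
    {
        rc=0
        hammer mirror-read "$pfs" || rc=$?
        echo "$rc" > "$status"
    } | gzip -c |
        gpg --batch --yes --pinentry-mode loopback \
            --passphrase-file "$passfile" \
            --symmetric --cipher-algo AES192 --output "$out.tmp"
    enc_rc=$?
    read_rc=$(cat "$status")
    rm -f "$status"
    if [ "$enc_rc" -ne 0 ] || [ "${read_rc:-1}" -ne 0 ]; then
        rm -f "$out.tmp"           # never leave a truncated backup behind
        exit 1
    fi

    # Prove the archive decrypts with this passphrase and the gzip stream is
    # complete before it replaces any previous backup.
    if ! gpg --batch --quiet --pinentry-mode loopback \
            --passphrase-file "$passfile" --decrypt "$out.tmp" | gzip -t; then
        rm -f "$out.tmp"
        exit 1
    fi
    chmod 400 "$out.tmp" && mv -f "$out.tmp" "$out"
)
```

Only the finished, verified file ever appears under the output name, so a copy job that ships it to the untrusted backup location cannot pick up a partial archive.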

