<!-- .element: class="logo kubernetes" --> Dompter ses problématiques **RGPD**<br>à grands coups de **ZFS** <small>Alexandre Buisine [@alexbuisine](https://twitter.com/alexbuisine)</small> <small>Sébastien Wacquiez [@swacquie](https://twitter.com/swacquie)</small>  <!-- .element: class="logo enix" --> <small>root@**Sysadmin_Days**:/**9**#</small>

# This talk <span class="fragment">is about our **GDPR** concerns</span> <span class="fragment">as a subcontractor we operate **backups**</span> <span class="fragment">we do not manage directly **final user**'s information,</span> <span class="fragment">but they are part of the data we manipulate</span> <span class="fragment">we therefore must **isolate** backups per customer</span>

# ZFS <span class="fragment">provides quite a list of features :</span> <span class="fragment">volume management</span> <span class="fragment">copy-on-write</span> <span class="fragment">**snapshots**</span> <span class="fragment">RAID-Z</span> <span class="fragment">acceleration</span> <span class="fragment">**data integrity verification**</span> <span class="fragment">automatic repair</span> <span class="fragment">dedup</span> <span class="fragment">**multi-host**</span>

# ZFS 0.8 <span class="fragment">since **0.8.0** in may 2019 :</span> <span class="fragment">device removal,</span> <span class="fragment">pool checkpoints,</span> <span class="fragment">pool TRIM,</span> <span class="fragment">pool initialization,</span> <span class="fragment">project accounting and quota,</span> <span class="fragment">channel programs,</span> <span class="fragment">Pyzfs,</span> <span class="fragment">Direct IO,</span> <span class="fragment">**native encryption**</span> <span class="fragment">**raw encrypted <code style="font-size: 35px">zfs send/receive</code>**</span>

# Basic topology <span class="fragment">how we first moved to **ZFS**</span>

# Basic's pros & cons <span class="fragment green">keys per VM</span> <span class="fragment green">isolated encryption at rest</span> <span class="fragment red">isolation not 100% secure at runtime</span> <span class="fragment red">external key management required</span>

# Zero-trust topology

# Zero trust pros & cons <span class="fragment green">encrypted at rest</span> <span class="fragment green">& runtime</span> <span class="fragment green">keys under customer's responsibility</span> <span class="fragment green">flexible backup and replication architecture</span> <span class="fragment red">requires ZFS on origin host</span>

# Prod ready ? <span class="fragment">we feel so, with various cases of **data recovery**</span> <span class="fragment">**basic topology** is in production</span> <span class="fragment">with a potential key migration to HashiCorp **Vault**</span> <span class="fragment">the **zero trust** approach is planned for early 2020</span>

# and then ... <span class="fragment">[Linux Kernel 5.2 introduced poor ZFS performance](https://www.phoronix.com/scan.php?page=news_item&px=ZFS-On-Linux-Restoring-SIMD)</span> <span class="fragment">[OpenZFS dev-summit](http://open-zfs.org/wiki/OpenZFS_Developer_Summit)</span> <span class="fragment">ZFS avec kubernetes</span>

# formation high five  <!-- .element: class="logo highfive" -->  <!-- .element: class="logo highfive" -->  <!-- .element: class="logo highfive" -->  <!-- .element: class="logo highfive" -->  <!-- .element: class="logo highfive" --> https://enix.io/fr/services/formation  <!-- .element: class="logo qr" -->