ZFS Snapshots: The Backup That Saved My Business

December 29, 2024 | By Amey Lokare

💥 The Disaster

It was a normal Tuesday. Then I got the alert: "Server encrypted. Pay $10,000 to decrypt."

Ransomware. My server was encrypted. All my data. All my backups. Everything.

Except for one thing: ZFS snapshots.

The savior: ZFS snapshots saved everything. Here's how.

🛡️ How ZFS Snapshots Saved Me

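ZFS snapshots are read-only copies of your filesystem at a point in time. They're stored on the same disk, but they can't be modified or deleted by normal processes: nothing that writes through the mounted filesystem can change them, and removing one takes an explicit zfs destroy command run as root or by a user who has been delegated that permission.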

When the ransomware encrypted my files, it couldn't touch the snapshots. They were safe.

📊 The Recovery

Step 1: Identify the Snapshot

I found the last snapshot before the attack:

zfs list -t snapshot

NAME                        USED  AVAIL  REFER  MOUNTPOINT
tank/data@2024-12-29-10:00  500G      -   2.5T  -
tank/data@2024-12-29-11:00  520G      -   2.5T  -
tank/data@2024-12-29-12:00  550G      -   2.5T  -
# Attack happened at 12:30
tank/data@2024-12-29-13:00  2.5T      -   2.5T  -  # Encrypted!

The 12:00 snapshot was clean. That's what I needed.

Step 2: Rollback

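I rolled back to the clean snapshot:

# -r is required because a newer snapshot (13:00) exists; it destroys
# every snapshot taken after the rollback target
zfs rollback -r tank/data@2024-12-29-12:00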

That's it. One command. Everything was back.

✅ My ZFS Snapshot Setup

1. Automated Snapshots

I use sanoid for automated snapshots:

# /etc/sanoid/sanoid.conf
[tank/data]
    use_template = production
    recursive = yes

#############################
# TEMPLATES
#############################

[template_production]
    frequently = 4
    hourly = 24
    daily = 7
    weekly = 4
    monthly = 3
    autosnap = yes
    autoprune = yes

This creates and keeps:

  • 4 frequent snapshots, one taken every 15 minutes (frequently)
  • 24 hourly snapshots
  • 7 daily snapshots
  • 4 weekly snapshots
  • 3 monthly snapshots

2. Remote Replication

I also replicate snapshots to a remote server:

# Replicate to backup server
zfs send tank/data@2024-12-29-12:00 | \
  ssh backup-server zfs receive backup/tank/data

3. Monitoring

I monitor snapshot creation and disk usage:

# Check snapshot status
zfs list -t snapshot -o name,creation,used

# Alert if snapshots fail
if ! zfs list -t snapshot | grep -q "$(date +%Y-%m-%d)"; then
    echo "WARNING: No snapshot today!" | mail -s "Snapshot Alert" admin@example.com
fi
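
The jump in the USED column that gave the attack away in Step 1 (550G to 2.5T) can be checked for in the same monitoring job. This is an added example, not code from the original post: the function names find_spike and sample_listing and the 3x threshold are assumptions, and the sample input is constructed from the Step 1 listing.

```shell
#!/bin/sh
# Added example (not from the original post).
# Reads "name<TAB>bytes" lines, oldest snapshot first, as printed by:
#   zfs list -Hp -d 1 -t snapshot -o name,used -s creation tank/data
# ("written" can be used in place of "used" to measure data written
# since the previous snapshot.)
# Prints "last_clean<TAB>first_suspect" and returns 0 when one snapshot is
# more than FACTOR times the mean of all earlier ones; returns 1 otherwise.
# FACTOR defaults to 3, an assumed threshold to tune per dataset.
find_spike() {
    awk -F '\t' -v factor="${1:-3}" '
        NF < 2 || $2 !~ /^[0-9]+$/ { next }   # ignore malformed lines
        n >= 2 && $2 > factor * (sum / n) {    # needs two earlier snapshots as baseline
            printf "%s\t%s\n", prev, $1
            found = 1
            exit
        }
        { sum += $2; n++; prev = $1 }
        END { exit(found ? 0 : 1) }
    '
}

# Constructed sample: the Step 1 listing with sizes converted to bytes.
sample_listing() {
    printf 'tank/data@2024-12-29-10:00\t536870912000\n'
    printf 'tank/data@2024-12-29-11:00\t558345748480\n'
    printf 'tank/data@2024-12-29-12:00\t590558003200\n'
    printf 'tank/data@2024-12-29-13:00\t2748779069440\n'
}

if hit=$(sample_listing | find_spike); then
    echo "ALERT: snapshot size spike (last clean / first suspect): $hit"
else
    echo "OK: no snapshot size spike"
fi
```

For live use, pipe the zfs list command from the header comment into find_spike and mail the alert the same way as the missing-snapshot check.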

📊 Snapshot Storage

Snapshots use copy-on-write, so they're space-efficient:

Snapshot        Size    Description
Base dataset    2.5TB   Current data
All snapshots   500GB   Only changed blocks

Snapshots only store changes, so they're very space-efficient.

💡 Best Practices

  1. Automate snapshots: Use sanoid or similar tools
  2. Replicate remotely: Don't keep all backups on one server
  3. Test recovery: Regularly test restoring from snapshots
  4. Monitor space: Snapshots can fill your disk
  5. Document process: Know how to restore before you need to

🎯 Key Takeaways

  • ZFS snapshots saved everything from ransomware
  • Snapshots are read-only, so ransomware that writes through the filesystem can't encrypt them
  • Automated snapshots are essential
  • Remote replication provides extra safety
  • Test your recovery process regularly

ZFS snapshots are the best backup solution I've used. They're fast, efficient, and saved my business. If you're not using them, you should be.
