- Restrict zfs and zpool administration to limited privileged roles.
- Use sudo rules for audited command-level delegation.
- Protect host access and disable unnecessary services.
Dataset and Encryption Strategy
- Use native ZFS encryption for sensitive datasets.
- Separate datasets by workload and sensitivity.
- Control dataset mountpoints and avoid permissive inheritance mistakes.
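
An added example (not part of the original checklist) that audits the three dataset points above from `zfs get -H` output: sensitive datasets left unencrypted, mountpoints that were not set explicitly, and `setuid=on`. The `tank/secure` naming scheme, the sensitivity regex and the sample rows are assumptions constructed for illustration.

```shell
#!/bin/sh
# Audit tab-separated `zfs get -H` rows (name, property, value, source).
# On a live host, feed it with:
#   zfs get -H -r -t filesystem -o name,property,value,source \
#       encryption,mountpoint,setuid tank | audit_zfs_props '^tank/secure'
# $1 is a regex selecting the datasets treated as sensitive (site-specific assumption).
# Exit status is 1 if any finding (FAIL or WARN) was printed, 0 otherwise.
audit_zfs_props() {
    awk -F '\t' -v re="$1" '
        $1 !~ re { next }                      # skip datasets not marked sensitive
        $2 == "encryption" && $3 == "off" {
            print "FAIL " $1 ": encryption=off"; bad++
        }
        $2 == "mountpoint" && $4 != "local" {  # default or inherited from a parent
            print "WARN " $1 ": mountpoint=" $3 " (" $4 "), not set explicitly"; bad++
        }
        $2 == "setuid" && $3 == "on" {
            print "WARN " $1 ": setuid=on (" $4 ")"; bad++
        }
        END { exit (bad > 0) }
    '
}

# Constructed sample rows in `zfs get -H` layout, not taken from a real host.
sample_props() {
    printf '%s\t%s\t%s\t%s\n' \
        tank/secure/db   encryption aes-256-gcm      - \
        tank/secure/db   mountpoint /srv/db          local \
        tank/secure/db   setuid     off              local \
        tank/secure/keys encryption off              default \
        tank/secure/keys mountpoint /srv/secure/keys 'inherited from tank/secure' \
        tank/secure/keys setuid     on               default \
        tank/scratch     encryption off              default
}

# Demo run on the sample; `|| true` keeps the script alive when findings exist.
sample_props | audit_zfs_props '^tank/secure' || true
```

Native encryption can only be enabled when a dataset is created, so a FAIL here means creating an encrypted dataset and migrating the data into it rather than changing a property in place.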
Snapshot and Backup Security
- Use an immutable snapshot retention policy where possible.
- Replicate snapshots to offline or isolated targets.
- Regularly test snapshot restore and rollback procedures.
Health and Integrity Monitoring
- Schedule scrubs and monitor checksum/self-healing events.
- Alert on pool degradation, disk errors, and capacity pressure.
- Keep firmware, kernel, and ZFS stack patched.