
How to Calculate the Odds of Physical Attack Data Loss for a ZFS Array

jdrch edited this page Oct 11, 2019 · 19 revisions

Note: this method should be generalizable to other array and filesystem types. The general method is:

  1. Calculate the number of data loss drive destruction combinations for a given number of destroyed drives
  2. Calculate the number of non-data loss drive destruction combinations for a given number of destroyed drives
  3. Sum the above
  4. Divide 1) by 3)

Problem Statement

Consider a ZFS array with a given redundancy level, r. Assume a physical attacker with no knowledge of the array's configuration destroys r + 1 (the minimum number of destroyed drives necessary to result in data loss) drives. What is the probability that said destruction actually results in data loss?

Independence of Problem from Drive Specs and Reliability

Because the drives are being deliberately and randomly destroyed, this calculation is completely independent of drive specs and reliability data. For example, a drive's AFR has no effect on whether it is destroyed when tossed into a shredder.

For a thorough discussion on array reliability based on drive specs and reliability, see High Availability and Disaster Recovery, Concepts, Design, Implementation by Klaus Schmidt.


ZFS arrays stripe data across vdevs at the top level, with no parity. This means the loss of a single vdev in a ZFS array results in data loss.

It is possible for a ZFS array to lose more than r + 1 drives without suffering data loss. Consider, for example, an array containing 2 x 4 HDD RAIDZ2 vdevs. The redundancy is given by the "2", meaning that each vdev can lose 2 HDDs without suffering data loss. If either vdev by itself loses 3 or more HDDs, though, the array suffers data loss. Ergo r + 1 in this case is 2 + 1 = 3.

However, what if both vdevs lose 2 HDDs each, for a total of 4 HDDs? Because neither vdev has exceeded its redundancy, neither would suffer data loss.

Solution Method

Clearly, the aforesaid is a probability problem. What might not be immediately obvious, though, is that it's also a combinations problem. For a quick primer on this, see the Combinations heading here.

The key equation to keep in mind here is the one that gives the number of unique combinations (read: order doesn't matter, no repetition) in which r items can be chosen from a larger set of n items (the r in this generic formula is the number of items chosen, not the redundancy level r defined above):

Eq. 1: n!/(r!(n - r)!)

2 array types are considered, those containing only:

  • RAIDZr
  • mirror


The following variables are defined:

  • F, the minimum number of destroyed drives necessary for data loss
    • F = 2 for all ZFS arrays containing mirrors
    • F = r + 1 for ZFS arrays containing RAIDZr vdevs only
  • N, the total number of drives the array has before any drive destruction
  • V, the total number of vdevs
  • D, the number of drives per vdev = N/V
  • L, the total number of combinations of F destroyed drives that result in data loss
  • I, the total number of combinations of F destroyed drives that do not result in data loss
  • C, L + I


Calculating L

Data loss occurs whenever F drives are destroyed within a single vdev. Combinatorially, this is the same as picking any F drives (3 in the RAIDZ2 example above) from one vdev. The number of such combinations per vdev is therefore:

D!/(F!(D - F)!)

However, because this can be done for each vdev and only needs to happen to 1 vdev for data loss to occur, the above expression must be multiplied by V, such that:

L = V(D!/(F!(D - F)!))
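Worked example, added here and not part of the original wiki page: the closed form for L above and the total C = C(N, F) applied to the 2 x 4-HDD RAIDZ2 array, checked against a brute-force enumeration of every destruction set. The brute force also takes a general k, so it goes beyond the page's case of exactly F destroyed drives and counts the 4-drive destructions the page describes where both vdevs lose 2 HDDs without data loss. Function names and the drive-to-vdev numbering are this example's own assumptions.

```python
from fractions import Fraction
from itertools import combinations
from math import comb


def min_drives_for_loss(vdev_type, r=0):
    """F as the page defines it: r + 1 for RAIDZr vdevs, 2 for mirror vdevs."""
    if vdev_type == "raidz":
        return r + 1
    if vdev_type == "mirror":
        return 2
    raise ValueError(f"unknown vdev type: {vdev_type}")


def closed_form(V, D, F):
    """Page's method for exactly F destroyed drives.
    Returns (L, I, C, P): loss combos, no-loss combos, their sum, P = L / C."""
    N = V * D
    L = V * comb(D, F)   # any F of the D drives in any one of the V vdevs
    C = comb(N, F)       # every way to pick F of the N drives, i.e. L + I
    I = C - L
    return L, I, C, Fraction(L, C)


def brute_force(V, D, F, k):
    """Enumerate every k-drive destruction set and flag those where some single
    vdev lost >= F drives. With k == F this independently checks closed_form();
    with k > F it counts the cases where more than F drives die without loss."""
    N = V * D
    losses = total = 0
    # Assumed numbering: drives 0..D-1 form vdev 0, D..2D-1 form vdev 1, and so on
    for destroyed in combinations(range(N), k):
        total += 1
        per_vdev = [0] * V
        for drive in destroyed:
            per_vdev[drive // D] += 1
        if max(per_vdev) >= F:
            losses += 1
    return losses, total, Fraction(losses, total)


if __name__ == "__main__":
    # The page's example: 2 x 4-HDD RAIDZ2 vdevs, so V = 2, D = 4, F = 3, N = 8
    V, D = 2, 4
    F = min_drives_for_loss("raidz", r=2)
    L, I, C, P = closed_form(V, D, F)
    print(f"F={F}: L={L}, I={I}, C={C}, P(data loss)={P} ~ {float(P):.3f}")
    print("brute force, 3 drives destroyed:", brute_force(V, D, F, 3))
    print("brute force, 4 drives destroyed:", brute_force(V, D, F, 4))
```

For the page's array this gives L = 8, C = 56, so a blind attacker destroying 3 drives loses the array's data with probability 1/7; destroying 4 drives raises that only to 17/35 because the 36 two-and-two splits survive.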
