ZFS + GELI data integrity
Pawel Jakub Dawidek
pjd at FreeBSD.org
Fri Sep 17 19:30:02 UTC 2010
On Thu, Sep 16, 2010 at 03:22:27PM -0400, Andriy Bakay wrote:
> Hi list(s),
>
> I am using ZFS on top of GELI. Does exists any practical reason to enable
> GELI data authentication (data integrity) underneath of ZFS? I understand
> GELI data integrity is cryptographically strong -- up to HMAC/SHA512, but
> ZFS has SHA256 checksum. GELI linked data to sector and will detect if
> somebody move data around, but my understanding is to move data around
> consistently one need to decrypt it which is very difficult. Correct me if
> I wrong.
>
> Any thoughts?
ZFS blocks form z merkle tree (http://en.wikipedia.org/wiki/Hash_tree),
so if you're using cryptographically strong hash, like sha256 within
your pool, I believe it is safe not to use GELI data authentication, but
only encryption. Note, that I'm not cryptographer and this is quite
complex scenario, so what I believe in here might not be true.
Alternatively you could use GELI authetication and turn off ZFS
checksum. When I personally use ZFS on top of GELI, I do just that: GELI
does encryption only and ZFS does authentication with SHA256 checksum.
--
Pawel Jakub Dawidek http://www.wheelsystems.com
pjd at FreeBSD.org http://www.FreeBSD.org
FreeBSD committer Am I Evil? Yes, I Am!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 196 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-fs/attachments/20100917/0dce1a18/attachment.pgp
More information about the freebsd-fs
mailing list