ZFS + GELI data integrity

Andriy Bakay andriy at irbisnet.com
Sat Sep 18 01:53:48 UTC 2010


Thanks, Pawel, for the detailed answer.

Turning off the ZFS checksum is not an option, at least for me, because I will
lose self-healing, I guess. But (ZFS with SHA256) + (GELI encryption only)
sounds good.

I have another question. I read on the OpenSolaris ZFS Dedup FAQ that they used
a not very efficient implementation of the ZFS SHA256 checksum:

"However, ZFS uses its own copy of SHA256 and doesn't currently use a  
crypto accelerator or crypto framework."

http://hub.opensolaris.org/bin/view/Community+Group+zfs/dedup

What about the FreeBSD implementation of the ZFS SHA256 checksum?

Thanks,
Andriy

On Fri, 17 Sep 2010 15:29:38 -0400, Pawel Jakub Dawidek <pjd at freebsd.org>  
wrote:

> On Thu, Sep 16, 2010 at 03:22:27PM -0400, Andriy Bakay wrote:
>> Hi list(s),
>>
>> I am using ZFS on top of GELI. Is there any practical reason to enable
>> GELI data authentication (data integrity) underneath ZFS? I understand
>> GELI data integrity is cryptographically strong -- up to HMAC/SHA512, but
>> ZFS has a SHA256 checksum. GELI links data to the sector and will detect if
>> somebody moves data around, but my understanding is that to move data around
>> consistently one needs to decrypt it, which is very difficult. Correct me if
>> I am wrong.
>>
>> Any thoughts?
>
> ZFS blocks form a Merkle tree (http://en.wikipedia.org/wiki/Hash_tree),
> so if you're using a cryptographically strong hash, like sha256, within
> your pool, I believe it is safe not to use GELI data authentication, but
> only encryption. Note that I'm not a cryptographer and this is quite a
> complex scenario, so what I believe here might not be true.
> Alternatively you could use GELI authentication and turn off the ZFS
> checksum. When I personally use ZFS on top of GELI, I do just that: GELI
> does encryption only and ZFS does authentication with the SHA256 checksum.
>


-- 
Using Opera's revolutionary email client: http://www.opera.com/mail/
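The following is an added illustration of the two designs compared in this thread; it is not code from ZFS, GELI, or either poster. It models a small "pool" on an encrypted device two ways: a ZFS-style checksum tree (each data block's SHA256 stored in a parent "indirect block", whose own SHA256 is held in a trusted root, the role the uberblock plays) versus a GELI-style per-sector HMAC that binds the sector number to its contents. The cipher is a toy sector-tweaked XOR keystream standing in for GELI encryption-only mode (it is not AES-XTS or any GELI cipher), the 512-byte sector size and the flat two-level tree are assumptions for brevity, and the sample blocks are constructed. An attacker with raw device access but no key swaps two ciphertext sectors, and then overwrites the indirect block; both layers detect the swap, and the checksum tree reports the fault at the block pointer level, which is what ZFS needs to pick a good copy for self-healing.

```python
import hashlib
import hmac
import os

SECTOR = 512  # assumed toy sector size; not a GELI default
HASH_LEN = 32


def _keystream(key: bytes, sector_no: int, length: int) -> bytes:
    """Keystream derived from (key, sector number) so position matters."""
    out = b""
    ctr = 0
    while len(out) < length:
        msg = sector_no.to_bytes(8, "big") + ctr.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def toy_crypt(key: bytes, sector_no: int, data: bytes) -> bytes:
    """Toy sector-tweaked stream cipher standing in for GELI encryption (NOT
    GELI's cipher). Same call encrypts and decrypts. Ciphertext moved to a
    different sector decrypts to garbage, as with a sector-number tweak/IV."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, sector_no, len(data))))


def geli_style_tag(auth_key: bytes, sector_no: int, ciphertext: bytes) -> bytes:
    """Per-sector HMAC bound to the sector number (models GELI authentication;
    the exact GELI construction is not reproduced here)."""
    return hmac.new(auth_key, sector_no.to_bytes(8, "big") + ciphertext,
                    hashlib.sha256).digest()


def write_pool(enc_key: bytes, auth_key: bytes, blocks: list):
    """Lay out data blocks, then one indirect block holding their SHA256
    checksums. Returns (disk, tags, trusted_root); trusted_root is the one
    value the verifier trusts a priori, like the checksum in the uberblock."""
    assert len(blocks) * HASH_LEN <= SECTOR
    indirect = b"".join(hashlib.sha256(b).digest() for b in blocks).ljust(SECTOR, b"\0")
    plain = blocks + [indirect]
    disk = [toy_crypt(enc_key, i, p) for i, p in enumerate(plain)]
    tags = [geli_style_tag(auth_key, i, c) for i, c in enumerate(disk)]
    return disk, tags, hashlib.sha256(indirect).digest()


def zfs_style_verify(enc_key: bytes, disk: list, nblocks: int, trusted_root: bytes):
    """Walk the checksum tree top-down from the trusted root.
    Returns None when the indirect block itself fails (nothing below it can be
    trusted), otherwise the list of data block indices whose checksum mismatches."""
    indirect = toy_crypt(enc_key, nblocks, disk[nblocks])
    if not hmac.compare_digest(hashlib.sha256(indirect).digest(), trusted_root):
        return None
    bad = []
    for i in range(nblocks):
        expected = indirect[HASH_LEN * i: HASH_LEN * (i + 1)]
        actual = hashlib.sha256(toy_crypt(enc_key, i, disk[i])).digest()
        if not hmac.compare_digest(actual, expected):
            bad.append(i)
    return bad


def geli_style_verify(auth_key: bytes, disk: list, tags: list):
    """Check every sector's HMAC; returns the sector numbers that fail."""
    return [i for i, c in enumerate(disk)
            if not hmac.compare_digest(geli_style_tag(auth_key, i, c), tags[i])]


def demo():
    enc_key, auth_key = os.urandom(32), os.urandom(32)
    blocks = [bytes([i]) * SECTOR for i in range(8)]  # constructed sample data
    disk, tags, root = write_pool(enc_key, auth_key, blocks)
    assert zfs_style_verify(enc_key, disk, 8, root) == []
    assert geli_style_verify(auth_key, disk, tags) == []

    # Attacker with raw device access but no key swaps two ciphertext sectors.
    disk[1], disk[4] = disk[4], disk[1]
    swap = {"zfs": zfs_style_verify(enc_key, disk, 8, root),
            "geli": geli_style_verify(auth_key, disk, tags)}

    # Attacker now also overwrites the indirect block with some other sector.
    disk[8] = disk[0]
    indirect = {"zfs": zfs_style_verify(enc_key, disk, 8, root),
                "geli": geli_style_verify(auth_key, disk, tags)}
    return {"swap": swap, "indirect": indirect}


if __name__ == "__main__":
    print(demo())
```

The swap is caught by both layers, but for different reasons: the GELI-style tag fails because the sector number is part of the MAC, while the checksum tree fails because the relocated ciphertext no longer decrypts to what the parent pointer recorded. Overwriting the indirect block makes the tree verification stop at the root, which is the chain up to the uberblock that Pawel's "Merkle tree" remark refers to; in that mode ZFS can still reach for a redundant copy, whereas a pool with checksums off and only GELI tags would know a sector was bad but not which block pointer to repair from.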

