State of native encryption in ZFS
Ruslan Yakauleu
quazinode at gmail.com
Sat May 14 18:26:40 UTC 2016
On 14.05.2016 21:03, Jordan Hubbard wrote:
>> On May 14, 2016, at 1:54 AM, Ruslan Yakauleu <quazinode at gmail.com> wrote:
>>
>> I wish to know something new about native encryption in ZFS for FreeBSD.
>> Is any work in this direction being conducted?
> Short and simple answer: No.
>
> We also recently talked to Matt Ahrens (essentially the OpenZFS “project lead” and who determines what goes upstream) at the FreeBSD Storage Summit and he expressed very little interest in “native encryption” for ZFS, seeing little to no benefit (for what would be a lot of engineering work) in doing it at the ZFS layer vs simply continuing to use the GELI encryption at the block-device layer that FreeBSD already supports.
>
> It’s not even clear how that encryption would be implemented or exposed. Per pool? Per dataset? Per folder? Per file? There have been requests for all of the above at one time or another, and the key management challenges for each are different. They can also be implemented at a layer above ZFS, given sufficient interest.
>
> - Jordan
>
It is sad.
A solution with GELI can't be moved to another machine if some trouble
comes. Or to another OS. Or from another OS (from Solaris with native
encryption, from Linux with LUKS). Too much time is needed to get any data
back from the HDD if something happens. Reliability is also decreased (more
points of failure).
I hope that in the future ZFS will be one of the most stable and portable FS.
Best regards,
Ruslan Yakauleu