State of native encryption in ZFS

Ruslan Yakauleu quazinode at gmail.com
Sat May 14 18:26:40 UTC 2016


On 14.05.2016 21:03, Jordan Hubbard wrote:
>> On May 14, 2016, at 1:54 AM, Ruslan Yakauleu <quazinode at gmail.com> wrote:
>>
>> I wish to know something new about native encryption in ZFS for FreeBSD.
>> Is any work in this direction being conducted?
> Short and simple answer:  No.
>
> We also recently talked to Matt Ahrens (essentially the OpenZFS “project lead” and who determines what goes upstream) at the FreeBSD Storage Summit and he expressed very little interest in “native encryption” for ZFS, seeing little to no benefit (for what would be a lot of engineering work) in doing it at the ZFS layer vs simply continuing to use the GELI encryption at the block-device layer that FreeBSD already supports.
>
> It’s not even clear how that encryption would be implemented or exposed.  Per pool?  Per dataset?  Per folder?  Per file?  There have been requests for all of the above at one time or another, and the key management challenges for each are different.  They can also be implemented at a layer above ZFS, given sufficient interest.
>
> - Jordan
>

It is sad.
A solution with GELI can't be moved to another machine if some trouble
comes. Or to another OS. Or from another OS (from Solaris with native
encryption, from Linux with LUKS). Too much time is needed to get any data
back from the HDD if something happens. Also, reliability decreases too (more
points of failure).
I hope that in the future ZFS will be one of the most stable and portable FS.

Best regards,
Ruslan Yakauleu



