State of native encryption in ZFS

K. Macy kmacy at freebsd.org
Sat May 14 23:09:37 UTC 2016


On Sat, May 14, 2016 at 1:13 PM, Niall Douglas via freebsd-fs
<freebsd-fs at freebsd.org> wrote:
> On 14 May 2016 at 11:03, Jordan Hubbard wrote:
>
>> It’s not even clear how that encryption would be implemented or exposed.
>>  Per pool?  Per dataset?  Per folder?  Per file?  There have been
>> requests for all of the above at one time or another, and the key
>> management challenges for each are different.  They can also be
>> implemented at a layer above ZFS, given sufficient interest.
>
> If FreeBSD had a bigger PATH_MAX then stackable encryption layers
> like ecryptfs (encfs?) would be viable choices. Because encrypted
> path components are so long, one runs very rapidly into the maximum
> path on the system when PATH_MAX is so low.
>
> I ended up actually installing ZFS on Linux with ecryptfs on top to
> solve this. Every 15 minutes it ZFS snapshot syncs with the FreeBSD
> edition. This works very well, apart from the poor performance of ZFS
> on Linux.
>
> ZFS handles long paths with ease. FreeBSD currently does not :(
>


AFAICT that's a 1 line patch. Have you tried patching that and
rebuilding kernel, world, and any vulnerable ports?

-M

