Mounting encrypted ZFS datasets/GELI for users?

Eric McCorkle eric at metricspace.net
Sat Oct 31 19:48:14 UTC 2020


On 10/26/20 6:12 PM, John-Mark Gurney wrote:
> Eric McCorkle wrote this message on Mon, Oct 05, 2020 at 09:45 -0400:
>> I'm presently looking into options presented by ZFS encryption.  One
>> idea I had was something like this (I'm going to go with ZFS for now,
>> but you could presumably do something like this with GELI, with more
>> effort).
> 
> I'd still recommend using GELI.  Even w/ ZFS's native encryption, the
> metadata for ZFS remains unencrypted, and able to be munged.  If you
> geli w/ ZFS and a strong checksum, like sha512/256, I believe that this
> is the equivalent to authenticated encryption, ala geli's authenticated
> mode, but with significantly less overhead...

Something to note is that GELI's authenticated mode changes the block
size, because it uses the last bytes in each block to hold the MAC.
This is likely to have consequences for performance.

However, this also does suggest a ZFS feature that would create a MAC
code for the root block of the filesystem (I am less familiar with the
ZFS on-disk format, but as it's a write-once format with MAC information
stored at each block pointer), this would have the effect of protecting
the entire filesystem from offline tampering.


> This has already been implemented in PEFS:
> https://pefs.io/
> 
> and there's already a port for it:
> https://www.freshports.org/sysutils/pefs-kmod/

Thanks, I'll look into this.
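As an added illustration of the root-MAC idea discussed above (this is example code written for this page, not ZFS, GELI or PEFS code, and it models the on-disk structure only schematically): the constructed tree below stores an unkeyed checksum in every block pointer, the way a copy-on-write tree does. Those checksums catch corruption, but an offline change that also rewrites every checksum on the path to the root passes unkeyed verification; a keyed MAC over the root block, checked against a key the offline party does not hold, is what turns the tree into an integrity-protected whole. SHA-256 is a stand-in for the dataset checksum, HMAC-SHA256 is the assumed root MAC, and the key is a constructed demo value.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional

DIGEST_LEN = 32  # SHA-256 output size; each block pointer holds one digest


def checksum(data: bytes) -> bytes:
    """Unkeyed checksum stored in a block pointer (stand-in for a ZFS checksum)."""
    return hashlib.sha256(data).digest()


@dataclass
class Tree:
    """Constructed write-once tree: leaf data blocks, one indirect block holding
    their checksums, and a root block holding the indirect block's checksum."""
    leaves: List[bytes]
    indirect: bytes = b""
    root: bytes = b""
    root_mac: bytes = b""  # keyed MAC over the root block; empty if none was made


def build(leaves: List[bytes], mac_key: Optional[bytes] = None) -> Tree:
    """Write the tree bottom-up; optionally seal the root with HMAC-SHA256 (assumed MAC)."""
    t = Tree(list(leaves))
    t.indirect = b"".join(checksum(leaf) for leaf in t.leaves)
    t.root = b"ROOT" + checksum(t.indirect)
    if mac_key is not None:
        t.root_mac = hmac.new(mac_key, t.root, hashlib.sha256).digest()
    return t


def verify_checksums(t: Tree) -> bool:
    """What an unkeyed checksum tree can check: every pointer matches its block."""
    if checksum(t.indirect) != t.root[len(b"ROOT"):]:
        return False
    ptrs = [t.indirect[i:i + DIGEST_LEN] for i in range(0, len(t.indirect), DIGEST_LEN)]
    if len(ptrs) != len(t.leaves):
        return False
    return all(checksum(leaf) == p for leaf, p in zip(t.leaves, ptrs))


def verify_with_root_mac(t: Tree, mac_key: bytes) -> bool:
    """Root MAC first (constant-time compare), then the checksum chain below it."""
    expected = hmac.new(mac_key, t.root, hashlib.sha256).digest()
    return hmac.compare_digest(expected, t.root_mac) and verify_checksums(t)


def offline_rewrite(t: Tree, index: int, new_data: bytes) -> Tree:
    """Model an offline modification of one leaf that also rewrites the checksums
    on its path to the root, which is possible because they are unkeyed. The stored
    root MAC is carried over unchanged because the key is not available offline."""
    leaves = list(t.leaves)
    leaves[index] = new_data
    rewritten = build(leaves)          # checksums recomputed, no key involved
    rewritten.root_mac = t.root_mac    # old MAC no longer matches the new root
    return rewritten


def demo() -> dict:
    """Compare what each verification method detects on a tampered copy."""
    key = b"constructed-demo-key-not-for-real-use"
    original = build([b"block0", b"block1", b"block2", b"block3"], key)
    tampered = offline_rewrite(original, 2, b"other ")
    return {
        "orig_checksums": verify_checksums(original),        # True
        "orig_mac": verify_with_root_mac(original, key),     # True
        "tampered_checksums": verify_checksums(tampered),    # True: checksums alone miss it
        "tampered_mac": verify_with_root_mac(tampered, key), # False: root MAC catches it
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point of `offline_rewrite` is not a recipe but the reason the unkeyed case is weak: anyone with the disk image can recompute SHA-256 values, so consistency of the checksum chain proves only that the tree is self-consistent, not that it is the tree the owner wrote. With the root sealed under a key held only at mount time, every block pointer below it inherits that binding, which is the whole-filesystem protection the message above is pointing at.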

