ZFS encryption and loader

Eric McCorkle eric at metricspace.net
Wed Sep 16 01:58:38 UTC 2020


On 9/12/20 9:37 PM, Eugene Grosbein wrote:
> 13.09.2020 5:46, Eric McCorkle wrote:
> 
>> I'm thinking of migrating to ZFS encryption from GELI in the near future.
>>
>> Does anyone know offhand what the state of support for ZFS encryption in
>> loader looks like, and if there's support for passing keys to the kernel
>> for boot-time loading?  (I can look at adding these if they're missing)
> 
> Recently I've learned from one of ZoL maintainers that native
> ZFS encryption is not so comprehensive as GELI.
> 
> I've been told that native ZFS encryption was initially designed for one specific task:
> being able to receive encrypted customer data (backups), verify its integrity without decryption,
> store and then receive incremental backups later. Therefore, not all data is hidden with encryption,
> for example, dataset names and some other metadata are not.
> 
I've looked into this prior, and you're right.  The metadata that
remains unencrypted shouldn't be a security risk, unless you're leaking
info through your dataset names or something.  I don't know enough about
ZFS to know whether encryption for that stuff could be added later.

One big advantage you get is per-block single-use keys and tight
integration of AEAD.  I would regard this as more trustworthy than
repeatedly encrypting with the same key.  It also opens the door to some
interesting proactive security features.


More information about the freebsd-hackers mailing list