Date: Tue, 22 Aug 2023 19:44:52 -0700
List-Id: User questions
List-Archive:
 https://lists.freebsd.org/archives/freebsd-questions
Subject: Re: Is ZFS native encryption safe to use?
To: questions@freebsd.org
From: Pete Wright

On 8/22/23 18:02, iio7@tutanota.com wrote:
> There seems to be a bit of open (and rather old) ZFS native encryption
> bugs which still haven't been fixed and it doesn't look like it is
> something that is being worked on.
>
> Last night I was going to move some important files from an unencrypted
> dataset to a new encrypted (ZFS native) one, but then got my doubts
> about doing that (looking at all the different open GitHub issues on
> OpenZFS).
>
> There exist some rumors about the original company which did the ZFS
> native encryption work (the person doing the work left the company),
> and they haven't done more since.
>
> What is the general experience running with ZFS native encryption on
> FreeBSD? Is it better to use GELI for the whole pool instead?
>

I am not familiar with the development status of OpenZFS native encryption, but I use both GELI and native encryption. IMHO they serve different use-cases.

I tend to prefer GELI, it works really well on FreeBSD in my experience and performance has been a non-issue on both my workstation and server systems. I also think it tends to be well suited if you are trying to ensure 3rd parties are not able to access your data if they obtain a disk. For example, in a colo environment FDE is the way to go if you can't physically ensure your disks are being destroyed correctly.

I use ZFS native encryption when GELI isn't suitable. For example I will use this for sensitive VM images on my servers. The attack vector I'm trying to protect myself against is someone gaining access to my hypervisor and trying to steal a VM image. Generally I feel like the utility of this is pretty minor - if someone has rooted my box they can just grab the info they want at run time since I'll already have decrypted the disk when mounting it.

Having said all of that, I've had zero issues with both implementations in terms of perf and reliability. At the end of the day it comes down to what your use-case is. I've found 9 times out of 10 GELI is the way to go in my experience.

-pete

--
Pete Wright
pete@nomadlogic.org
@nomadlogicLA