ZFS encryption and loader
Daniel Ebdrup Jensen
debdrup at FreeBSD.org
Sun Sep 13 09:08:29 UTC 2020
On Sat, Sep 12, 2020 at 04:52:32PM -0600, Warner Losh wrote:
>On Sat, Sep 12, 2020, 4:49 PM Warner Losh <imp at bsdimp.com> wrote:
>
>>
>>
>> On Sat, Sep 12, 2020, 4:46 PM Eric McCorkle <eric at metricspace.net> wrote:
>>
>>> I'm thinking of migrating to ZFS encryption from GELI in the near future.
>>>
>>> Does anyone know offhand what the state of support for ZFS encryption in
>>> loader looks like, and if there's support for passing keys to the kernel
>>> for boot-time loading? (I can look at adding these if they're missing)
>>>
>>
>> Matt Macy did an initial port. I've refined it to fit the stand env
>> better. I need to upstream some things and got stalled there for unrelated
>> reasons.
>>
>
>Wait. I just got crypto and compression confused. The work is on
>compression....
>
>Warner
>
>>
This came up in another thread, perhaps on another FreeBSD mailing list,
recently - but the gist of it is that as of r364787 [1], you can have a root
pool that isn't encrypted, and use encrypted datasets - as far as I remember,
given the bsdinstall dataset layout, this means that at least the data will be
encrypted.
Thankfully, sef@ added AES-CCM as well as an aesni implementation back in 2019.
Yours,
Daniel Ebdrup Jensen
[1]: https://svnweb.freebsd.org/changeset/base/364787