zfs native encryption best practices on RELENG13
mike tancsa
mike at sentex.net
Mon Apr 26 20:50:37 UTC 2021
On 4/23/2021 5:23 PM, Xin Li wrote:
> On 4/23/21 13:53, mike tancsa wrote:
>> Starting to play around with RELENG_13 and wanted to explore ZFS' built-in
>> encryption. Is there a best practices doc on how to do full disk
>> encryption anywhere that's not GELI based? There are lots for
>> GELI, but nothing I could find for native OpenZFS encryption on FreeBSD
>>
>> i.e box gets rebooted, enter in passphrase to allow it to boot kind of
>> thing from the boot loader prompt ?
> I think loader does not support the native OpenZFS encryption yet.
> However, you can encrypt non-essential datasets on a boot pool (that is,
> if com.datto:encryption is "active" AND the bootfs dataset is not
> encrypted, you can still boot from it).
>
> BTW instead of entering passphrase at loader prompt, if / is not
> encrypted, it's also possible to do something like
> https://lists.freebsd.org/pipermail/freebsd-security/2012-August/006547.html
>
> Personally I'd probably go with GELI (or other kind of full disk
> encryption) regardless of whether OpenZFS's native encryption is used because my
> primary goal is to be able to just throw away bad disks when they are
> removed from production [1]. If the pool is not fully encrypted, there
> is always a chance that the sensitive data have landed on some unencrypted
> datasets and never get fully overwritten.
>
> [1] Also keep in mind: https://xkcd.com/538/
Thanks for the perspective and links. I have a couple of use case
scenarios. One, for devices in somewhat physically untrusted
environments. Someone breaks into the store, and steals the PC. I can
see the advantages of GELI to this environment. The other is the
ability for customers to send me encrypted datasets for offsite backup.
If it's encrypted, I have less exposure if the dataset is encrypted and I
can't see the contents. Same for making backups to disks to put in cold
storage although yes, I can see GELI having an advantage again for
full disk encryption.
---Mike
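An added example, not code from Mike or Xin Li, that checks the layout Xin Li describes: the loader cannot unlock native OpenZFS encryption, so the bootfs dataset has to stay unencrypted while other datasets on the pool may be encrypted, and any dataset left unencrypted is a place where sensitive data can land unprotected. The pool name zroot, the bootfs zroot/ROOT/default and the sample zfs output are assumptions constructed for the example, so the functions can be exercised without a ZFS system; the live invocation and the dataset/send commands in the trailing comments use only standard zfs(8)/zpool(8) options.

```shell
#!/bin/sh
# Added example (not from the thread). Audits a boot pool for the layout
# Xin Li describes: bootfs must be unencrypted (loader cannot unlock native
# OpenZFS encryption), other datasets may be encrypted. Also lists datasets
# that are NOT encrypted (sensitive data there is never protected) and the
# encrypted datasets whose key is not loaded.
#
# The functions read the tab-separated output of
#   zfs get -H -r -o name,property,value encryption,keystatus POOL
# on stdin, so they can be run offline on the constructed sample below.
set -eu

# Constructed sample (assumed pool "zroot", assumed bootfs
# "zroot/ROOT/default"); not output from a real machine.
SAMPLE=$(printf '%s\t%s\t%s\n' \
    zroot              encryption off \
    zroot              keystatus  - \
    zroot/ROOT         encryption off \
    zroot/ROOT         keystatus  - \
    zroot/ROOT/default encryption off \
    zroot/ROOT/default keystatus  - \
    zroot/home         encryption aes-256-gcm \
    zroot/home         keystatus  available \
    zroot/backup       encryption off \
    zroot/backup       keystatus  - \
    zroot/backup/cust1 encryption aes-256-gcm \
    zroot/backup/cust1 keystatus  unavailable)

# Datasets whose encryption property is off, one per line.
unencrypted_datasets() {
    awk -F '\t' '$2 == "encryption" && $3 == "off" { print $1 }'
}

# Encrypted datasets whose key is not loaded ("zfs load-key" needed).
locked_datasets() {
    awk -F '\t' '$2 == "keystatus" && $3 == "unavailable" { print $1 }'
}

# Succeeds only if the given bootfs dataset is present and unencrypted.
bootfs_is_bootable() {
    awk -F '\t' -v b="$1" '
        $1 == b && $2 == "encryption" { found = 1; ok = ($3 == "off") }
        END { if (found && ok) exit 0; exit 1 }'
}

# Report for one pool; argument is the bootfs dataset
# (on a live system: zpool get -H -o value bootfs POOL).
audit() {
    input=$(cat)
    if printf '%s\n' "$input" | bootfs_is_bootable "$1"; then
        echo "OK: bootfs $1 is unencrypted, loader can boot it"
    else
        echo "FAIL: bootfs $1 is encrypted or missing, loader cannot unlock it"
    fi
    echo "Unencrypted datasets (sensitive data here is never protected):"
    printf '%s\n' "$input" | unencrypted_datasets | sed 's/^/  /'
    echo "Encrypted datasets with key not loaded (zfs load-key needed):"
    printf '%s\n' "$input" | locked_datasets | sed 's/^/  /'
}

# Offline run on the constructed sample.
printf '%s\n' "$SAMPLE" | audit zroot/ROOT/default

# Live use (assumes pool "zroot"):
#   zfs get -H -r -o name,property,value encryption,keystatus zroot \
#       | audit "$(zpool get -H -o value bootfs zroot)"
#
# Related commands, not run here: create an encrypted non-boot dataset whose
# key lives in a file on the unencrypted / (so an rc script can run
# "zfs load-key" at boot instead of a loader prompt), then send it raw so the
# offsite backup host never sees plaintext or the key:
#   zfs create -o encryption=on -o keyformat=passphrase \
#       -o keylocation=file:///root/zroot-home.key zroot/home
#   zfs load-key zroot/home
#   zfs snapshot zroot/home@offsite
#   zfs send -w zroot/home@offsite | ssh backup zfs receive backup/cust1/home
```

The audit only reads properties, so it is safe to run on a production pool; a "FAIL" on the bootfs line means the box will not come up after a reboot because the loader cannot unlock the root dataset.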