On 4/23/2021 5:23 PM, Xin Li wrote:
> On 4/23/21 13:53, mike tancsa wrote:
>> Starting to play around with RELENG_13 and wanted to explore ZFS' built in
>> encryption. Is there a best practices doc on how to do full disk
>> encryption anywhere that's not GELI based? There are lots for GELI,
>> but nothing I could find for native OpenZFS encryption on FreeBSD
>>
>> i.e. box gets rebooted, enter in passphrase to allow it to boot kind of
>> thing from the boot loader prompt?
> I think loader does not support the native OpenZFS encryption yet.
> However, you can encrypt non-essential datasets on a boot pool (that is,
> if com.datto:encryption is "active" AND the bootfs dataset is not
> encrypted, you can still boot from it).
>
> BTW instead of entering passphrase at loader prompt, if / is not
> encrypted, it's also possible to do something like
> https://lists.freebsd.org/pipermail/freebsd-security/2012-August/006547.html
> .
>
> Personally I'd probably go with GELI (or other kind of full disk
> encryption) regardless if OpenZFS's native encryption is used because my
> primary goal is to be able to just throw away bad disks when they are
> removed from production [1]. If the pool is not fully encrypted, there
> is always a chance that the sensitive data have landed on some unencrypted
> datasets and never get fully overwritten.
>
> [1] Also keep in mind: https://xkcd.com/538/
Thanks for the perspective and links. I have a couple of use case scenarios. One, for devices in somewhat physically untrusted environments. Someone breaks into the store, and steals the PC. I can see the advantages of GELI to this environment. The other is the ability for customers to send me encrypted datasets for offsite backup. If it's encrypted, I have less exposure if the dataset is encrypted and I can't see the contents. Same for making backups to disks to put in cold storage, although yes, I can see GELI having an advantage again for full disk encryption.

---Mike
_______________________________________________
freebsd-stable@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
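The two constraints stated in this thread (the pool's encryption feature must be enabled or active, and the bootfs dataset itself must stay unencrypted so the loader can still boot it) and the offsite-backup use case (raw-sending a dataset so the receiving side holds only ciphertext) can be checked and exercised with the standard OpenZFS 2.0 commands that ship with FreeBSD 13. The script below is an added example, not code from either poster; the pool name `zroot`, the dataset `zroot/private`, the host `backup` and the receiving dataset `backuppool/customer/private` are assumed names. The two helper functions only inspect property values, so they can be run without a pool; the real `zpool`/`zfs` commands run only where a `zfs` binary exists.

```sh
#!/bin/sh
# Added example (not from the thread). Checks that a FreeBSD 13 boot pool can
# carry encrypted child datasets without breaking boot, creates one whose key
# is requested after boot (not by the loader), and raw-sends it for an offsite
# backup that the receiving side cannot mount.
# Assumed names: pool "zroot", dataset "zroot/private", host "backup",
# receiving dataset "backuppool/customer/private".
set -eu

# The boot constraint from the thread as a pure check on two property values:
#   $1 = output of: zpool get -H -o value feature@encryption POOL
#   $2 = output of: zfs   get -H -o value encryption BOOTFS
# Returns 0 when the loader is expected to keep booting the pool.
boot_layout_ok() {
    feature_state=$1
    bootfs_enc=$2
    case "$feature_state" in
        enabled|active) ;;      # feature usable (active once any dataset uses it)
        *) return 1 ;;          # disabled or unknown: native encryption unusable
    esac
    [ "$bootfs_enc" = "off" ]   # bootfs must stay plaintext for the loader
}

# keystatus as reported by: zfs get -H -o value keystatus DATASET
# "available" means the key is loaded and data is readable; "unavailable" is
# what a backup holder (or a thief with the bare disk) sees.
key_loaded() {
    [ "$1" = "available" ]
}

# Only touch a real pool where the tools exist; otherwise just define the
# functions above so the script can be sourced for its checks.
if command -v zfs >/dev/null 2>&1; then
    POOL=zroot
    BOOTFS=$(zpool get -H -o value bootfs "$POOL")
    if [ "$BOOTFS" = "-" ]; then
        echo "$POOL has no bootfs property set; treating it as a non-boot pool" >&2
        BOOTFS_ENC=off
    else
        BOOTFS_ENC=$(zfs get -H -o value encryption "$BOOTFS")
    fi
    FEATURE=$(zpool get -H -o value feature@encryption "$POOL")
    if ! boot_layout_ok "$FEATURE" "$BOOTFS_ENC"; then
        echo "refusing: feature@encryption=$FEATURE, bootfs $BOOTFS encryption=$BOOTFS_ENC" >&2
        exit 1
    fi

    # Encrypted child dataset. keylocation=prompt means the passphrase is asked
    # for with 'zfs load-key' after the (plaintext) root has booted.
    zfs create -o encryption=aes-256-gcm -o keyformat=passphrase \
        -o keylocation=prompt "$POOL/private"

    # Raw send (-w): blocks go over the wire still encrypted, together with the
    # wrapped key. The backup side can store, snapshot and scrub the dataset
    # but cannot read it without the passphrase; -u keeps it unmounted there.
    zfs snapshot "$POOL/private@offsite1"
    zfs send -w "$POOL/private@offsite1" \
        | ssh backup zfs receive -u backuppool/customer/private

    # Confirm the backup holder has no usable key for what it just received.
    REMOTE_STATUS=$(ssh backup zfs get -H -o value keystatus backuppool/customer/private)
    if key_loaded "$REMOTE_STATUS"; then
        echo "unexpected: key loaded on backup host" >&2
        exit 1
    fi
    echo "backup dataset received with keystatus=$REMOTE_STATUS (ciphertext only)"
fi
```

Incremental follow-ups use the same raw send with `zfs send -w -i @offsite1 zroot/private@offsite2`; the receiving side must keep receiving raw streams, because a non-raw send of an encrypted dataset would decrypt it on the sending host and hand the backup holder plaintext.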