Re: zfs native encryption best practices on RELENG13

2021-04-26 Thread Alan Somers 
On Mon, Apr 26, 2021 at 3:04 PM mike tancsa  wrote:

> On 4/23/2021 11:47 PM, Peter Libassi wrote:
> > Yes, I’ve come to the same conclusion. This should be used on a
> > data-zpool and not on the system-pool (zroot). Encryption is per
> > dataset. Also if found that if the encrypted dataset is not mounted of
> > some reason you will be writing to the parent unencrypted dataset.. At
> > least it works for encrypted thumb_drive, i just posted this quick
> > guide
> https://forums.freebsd.org/threads/freebsd-13-openzfs-encrypted-thumb-drive.80008/
> > <
> https://forums.freebsd.org/threads/freebsd-13-openzfs-encrypted-thumb-drive.80008/
> >
> >
> >
> >
>
> Thanks, good points to consider!  I wonder too if there are any
> performance differences
>
> ---Mike
>

Yes there are.  Firstly, if you're using raid, then geli must encrypt both
data and parity.  ZFS crypto, however, only encrypts data because it
operates at a higher level.  That's a pretty substantial performance win
for ZFS during writes.  It's a nonissue for reads from a healthy array,
since ZFS doesn't need to read parity in that case.  Secondly, ZFS crypto
doesn't yet support hardware acceleration.  That's a huge win for geli if
you happen to have a hardware crypto engine (for this purpose AESNI does
not count as hardware, and it works fine with either geli or ZFS).
Thirdly, in my benchmarks I found about a 5% speed advantage for GELI
during reads, though I don't know why.  But of course none of this matters
if you're using a small number of HDDs.  It's only an issue if you have
fast SSDs or a large number of HDDs.
-Alan
___
freebsd-stable@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"

Re: zfs native encryption best practices on RELENG13

2021-04-26 Thread mike tancsa 
On 4/23/2021 11:47 PM, Peter Libassi wrote:
> Yes, I’ve come to the same conclusion. This should be used on a
> data-zpool and not on the system-pool (zroot). Encryption is per
> dataset. Also if found that if the encrypted dataset is not mounted of
> some reason you will be writing to the parent unencrypted dataset.. At
> least it works for encrypted thumb_drive, i just posted this quick
> guide 
> https://forums.freebsd.org/threads/freebsd-13-openzfs-encrypted-thumb-drive.80008/
> 
>
>
>

Thanks, good points to consider!  I wonder too if there are any
performance differences

    ---Mike


___
freebsd-stable@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"

Re: zfs native encryption best practices on RELENG13

2021-04-26 Thread mike tancsa 
On 4/23/2021 5:23 PM, Xin Li wrote:
> On 4/23/21 13:53, mike tancsa wrote:
>> Starting to play around with RELENG_13 and wanted explore ZFS' built in
>> encryption.  Is there a best practices doc on how to do full disk
>> encryption anywhere thats not GELI based  ?  There are lots for 
>> GELI,
>> but nothing I could find for native OpenZFS encryption on FreeBSD
>>
>> i.e box gets rebooted, enter in passphrase to allow it to boot kind of
>> thing from the boot loader prompt ?
> I think loader do not support the native OpenZFS encryption yet.
> However, you can encrypt non-essential datasets on a boot pool (that is,
> if com.datto:encryption is "active" AND the bootfs dataset is not
> encrypted, you can still boot from it).
>
> BTW instead of entering passphrase at loader prompt, if / is not
> encrypted, it's also possible to do something like
> https://lists.freebsd.org/pipermail/freebsd-security/2012-August/006547.html
> .
>
> Personally I'd probably go with GELI (or other kind of full disk
> encryption) regardless if OpenZFS's native encryption is used because my
> primary goal is to be able to just throw away bad disks when they are
> removed from production [1].  If the pool is not fully encrypted, there
> is always a chance that the sensitive data have landed some unencrypted
> datasets and never gets fully overwritten.
>
> [1] Also keep in mind: https://xkcd.com/538/

Thanks for the perspective and links.  I have a couple of use case
scenarios.  One, for devices in somewhat physically untrusted
environments.  Someone breaks into the store, and steals the PC.  
I can
see the advantages of GELI to this environment.  The other is the
ability for customers to send me encrypted datasets for offsite backup. 
If its encrypted, I have less exposure if the dataset is encrypted and I
cant see the contents.   Same for making backups to disks to put in cold
storage although yes, I can see GELI having an an advantage again for
full disk encryption. 


    ---Mike


___
freebsd-stable@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"

Re: zfs native encryption best practices on RELENG13

2021-04-24 Thread Andrea Venturoli 

On 4/23/21 11:23 PM, Xin Li via freebsd-stable wrote:


I think loader do not support the native OpenZFS encryption yet.
However, you can encrypt non-essential datasets on a boot pool (that is,
if com.datto:encryption is "active" AND the bootfs dataset is not
encrypted, you can still boot from it).


This is what my tests showed too (on 12.2 with OpenZFS from ports).

This is in contrast to what is written here:
https://openzfs.github.io/openzfs-docs/Getting%20Started/FreeBSD.html

Can we get that page corrected?

 bye & Thanks
av.
___
freebsd-stable@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"

Re: zfs native encryption best practices on RELENG13

2021-04-23 Thread Peter Libassi 


> 23 apr. 2021 kl. 23:23 skrev Xin Li via freebsd-stable 
> :
> 
> On 4/23/21 13:53, mike tancsa wrote:
>> Starting to play around with RELENG_13 and wanted explore ZFS' built in
>> encryption.  Is there a best practices doc on how to do full disk
>> encryption anywhere thats not GELI based  ?  There are lots for 
>> GELI,
>> but nothing I could find for native OpenZFS encryption on FreeBSD
>> 
>> i.e box gets rebooted, enter in passphrase to allow it to boot kind of
>> thing from the boot loader prompt ?
> 
> I think loader do not support the native OpenZFS encryption yet.
> However, you can encrypt non-essential datasets on a boot pool (that is,
> if com.datto:encryption is "active" AND the bootfs dataset is not
> encrypted, you can still boot from it).
> 
> BTW instead of entering passphrase at loader prompt, if / is not
> encrypted, it's also possible to do something like
> https://lists.freebsd.org/pipermail/freebsd-security/2012-August/006547.html
> .
> 
> Personally I'd probably go with GELI (or other kind of full disk
> encryption) regardless if OpenZFS's native encryption is used because my
> primary goal is to be able to just throw away bad disks when they are
> removed from production [1].  If the pool is not fully encrypted, there
> is always a chance that the sensitive data have landed some unencrypted
> datasets and never gets fully overwritten.
> 
> [1] Also keep in mind: https://xkcd.com/538/
> 
> Cheers,
> 
Yes, I’ve come to the same conclusion. This should be used on a data-zpool and 
not on the system-pool (zroot). Encryption is per dataset. Also if found that 
if the encrypted dataset is not mounted of some reason you will be writing to 
the parent unencrypted dataset.. At least it works for encrypted thumb_drive, i 
just posted this quick guide 
https://forums.freebsd.org/threads/freebsd-13-openzfs-encrypted-thumb-drive.80008/
 


/Peter
___
freebsd-stable@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"

Re: zfs native encryption best practices on RELENG13

2021-04-23 Thread Xin Li via freebsd-stable 
On 4/23/21 13:53, mike tancsa wrote:
> Starting to play around with RELENG_13 and wanted explore ZFS' built in
> encryption.  Is there a best practices doc on how to do full disk
> encryption anywhere thats not GELI based  ?  There are lots for 
> GELI,
> but nothing I could find for native OpenZFS encryption on FreeBSD
> 
> i.e box gets rebooted, enter in passphrase to allow it to boot kind of
> thing from the boot loader prompt ?

I think loader do not support the native OpenZFS encryption yet.
However, you can encrypt non-essential datasets on a boot pool (that is,
if com.datto:encryption is "active" AND the bootfs dataset is not
encrypted, you can still boot from it).

BTW instead of entering passphrase at loader prompt, if / is not
encrypted, it's also possible to do something like
https://lists.freebsd.org/pipermail/freebsd-security/2012-August/006547.html
.

Personally I'd probably go with GELI (or other kind of full disk
encryption) regardless if OpenZFS's native encryption is used because my
primary goal is to be able to just throw away bad disks when they are
removed from production [1].  If the pool is not fully encrypted, there
is always a chance that the sensitive data have landed some unencrypted
datasets and never gets fully overwritten.

[1] Also keep in mind: https://xkcd.com/538/

Cheers,



OpenPGP_signature
Description: OpenPGP digital signature

zfs native encryption best practices on RELENG13

2021-04-23 Thread mike tancsa 
Starting to play around with RELENG_13 and wanted explore ZFS' built in
encryption.  Is there a best practices doc on how to do full disk
encryption anywhere thats not GELI based  ?  There are lots for 
GELI,
but nothing I could find for native OpenZFS encryption on FreeBSD

i.e box gets rebooted, enter in passphrase to allow it to boot kind of
thing from the boot loader prompt ?

    ---Mike


___
freebsd-stable@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"