Re: Zfs encryption property for freebsd 8.3

2013-09-03 Thread Alan Somers
On Tue, Sep 3, 2013 at 9:01 AM, Florent Peterschmitt wrote:
> On 03/09/2013 16:53, Alan Somers wrote:
>> GELI is full-disk encryption.  It's far superior to ZFS encryption.
>
> Yup, but is there a possibility to encrypt a ZFS volume (not a whole
> pool) with a separate GELI partition?

You mean encrypt a zvol with GELI and put a file system on that?  I
suppose that would work, but I bet that it would be slow.

>
> Also, in-ZFS encryption would be a nice thing if it could work like an
> LVM/LUKS where each logical LVM volume can be encrypted or not and have
> its own crypt key.

My understanding is that this is exactly how Oracle's ZFS encryption
works.  Each ZFS filesystem can have its own key, or be in plaintext.
Every cryptosystem involves a tradeoff between security and
convenience, and ZFS encryption goes fairly hard toward convenience.
In particular, Oracle decided that encrypted files must be
deduplicatable.  A necessary result is that they are trivially
vulnerable to watermarking attacks.

https://blogs.oracle.com/darren/entry/zfs_encryption_what_is_on

>
> I saw that Illumos has ZFS encryption in the TODO list.
>
> --
> Florent Peterschmitt   | Please:
> flor...@peterschmitt.fr|  * Avoid HTML/RTF in E-mail.
> +33 (0)6 64 33 97 92   |  * Send PDF for documents.
> http://florent.peterschmitt.fr |  * Trim your quotations. Really.
> Proudly powered by Open Source | Thank you :)
>
___
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "freebsd-hackers-unsubscr...@freebsd.org"


Re: Zfs encryption property for freebsd 8.3

2013-09-03 Thread Florent Peterschmitt
On 03/09/2013 16:53, Alan Somers wrote:
> GELI is full-disk encryption.  It's far superior to ZFS encryption.

Yup, but is there a possibility to encrypt a ZFS volume (not a whole
pool) with a separate GELI partition?

Also, in-ZFS encryption would be a nice thing if it could work like an
LVM/LUKS where each logical LVM volume can be encrypted or not and have
its own crypt key.

I saw that Illumos has ZFS encryption in the TODO list.

-- 
Florent Peterschmitt   | Please:
flor...@peterschmitt.fr|  * Avoid HTML/RTF in E-mail.
+33 (0)6 64 33 97 92   |  * Send PDF for documents.
http://florent.peterschmitt.fr |  * Trim your quotations. Really.
Proudly powered by Open Source | Thank you :)





Re: Zfs encryption property for freebsd 8.3

2013-09-03 Thread Alan Somers
On Tue, Sep 3, 2013 at 6:22 AM, Florent Peterschmitt wrote:
> On 03/09/2013 14:14, Emre Çamalan wrote:
>> Hi,
>> I want to encrypt some disk on my server with Zfs encryption property but it 
>> is not available.
>
> "That would require ZFS v30. As far as I am aware Oracle has not
> released the code under CDDL."

Oracle's ZFS encryption is crap anyway.  It works at the filesystem
level, not the pool level, so a lot of metadata is in plaintext; I
don't remember how much exactly.  It's also highly vulnerable to
watermarking attacks.

>
> From http://forums.freebsd.org/showthread.php?t=30036
>
> So you can use ZFS pools on GELI volumes, it can be a good start. I haven't
> played with it.

GELI is full-disk encryption.  It's far superior to ZFS encryption.

>
> --
> Florent Peterschmitt   | Please:
> flor...@peterschmitt.fr|  * Avoid HTML/RTF in E-mail.
> +33 (0)6 64 33 97 92   |  * Send PDF for documents.
> http://florent.peterschmitt.fr |  * Trim your quotations. Really.
> Proudly powered by Open Source | Thank you :)
>
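The watermarking attack Alan refers to in this message and in his longer reply at the top of the page (an encrypted file system whose blocks must still deduplicate, so equal plaintext must produce equal ciphertext), as an added example that is not code from the thread, from Oracle, or from any ZFS implementation. Everything in it is a constructed toy: the HMAC-SHA256 keystream cipher, the 16-byte IV, the 4096-byte record size, the sample documents, and the attacker's assumed capabilities (get the victim to store a chosen file, observe how much unique ciphertext exists) are assumptions, not Oracle's actual design.

```python
"""Added example, not code from the thread or from any ZFS: a toy model of why
dedup-compatible encryption leaks plaintext equality, and how an attacker
without the key turns that into a watermarking (known-file detection) attack.

Assumptions (toy only): the cipher is a keystream built from HMAC-SHA256, not
the AES mode a real ZFS uses; 'dedup-friendly' means the IV is a deterministic
function of the plaintext, which any dedup-across-encryption design needs."""
import hashlib
import hmac
import os

BLOCK = 4096   # record size of the toy store (assumption)
IV_LEN = 16


def keystream(key: bytes, iv: bytes, nbytes: int) -> bytes:
    """PRF used as a stream cipher: keystream block i = HMAC(key, iv || i)."""
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:nbytes])


def encrypt_block(key: bytes, block: bytes, dedup_friendly: bool) -> bytes:
    """Returns iv || ciphertext. With dedup_friendly=True the IV is derived
    from the plaintext, so equal plaintext blocks give byte-identical
    ciphertext and a dedup table below the cipher can match them."""
    if dedup_friendly:
        iv = hmac.new(key, block, hashlib.sha256).digest()[:IV_LEN]
    else:
        iv = os.urandom(IV_LEN)
    ks = keystream(key, iv, len(block))
    return iv + bytes(a ^ b for a, b in zip(block, ks))


def decrypt_block(key: bytes, ct: bytes) -> bytes:
    iv, body = ct[:IV_LEN], ct[IV_LEN:]
    return bytes(a ^ b for a, b in zip(body, keystream(key, iv, len(body))))


class EncryptedStore:
    """Minimal encrypted, deduplicating block store (constructed for the demo).
    The dedup table keys on a hash of the ciphertext: that is all a storage
    layer that never sees the key has to work with."""

    def __init__(self, key: bytes, dedup_friendly: bool):
        self.key = key
        self.dedup_friendly = dedup_friendly
        self.blocks: dict[bytes, bytes] = {}                 # sha256(ct) -> ct
        self.files: dict[str, tuple[list[bytes], int]] = {}  # name -> (refs, length)

    def write(self, name: str, data: bytes) -> None:
        refs = []
        for off in range(0, len(data), BLOCK):
            chunk = data[off:off + BLOCK].ljust(BLOCK, b"\0")
            ct = encrypt_block(self.key, chunk, self.dedup_friendly)
            h = hashlib.sha256(ct).digest()
            self.blocks.setdefault(h, ct)   # dedup hit if h is already stored
            refs.append(h)
        self.files[name] = (refs, len(data))

    def read(self, name: str) -> bytes:
        refs, length = self.files[name]
        return b"".join(decrypt_block(self.key, self.blocks[h]) for h in refs)[:length]

    def unique_blocks(self) -> int:
        return len(self.blocks)


def attacker_probe(store: EncryptedStore, guess: bytes) -> bool:
    """Watermarking attack from the attacker's side; the attacker never holds
    the key. Assumed capabilities: make the victim store a file of the
    attacker's choosing (mail attachment, download) and observe how much
    unique ciphertext exists (raw device, backup stream, or the pool's dedup
    ratio). If the planted file costs fewer new blocks than its size implies,
    the victim already had identical plaintext."""
    before = store.unique_blocks()
    store.write("planted-by-attacker", guess)
    expected_new = (len(guess) + BLOCK - 1) // BLOCK
    return store.unique_blocks() - before < expected_new


def demo(dedup_friendly: bool) -> tuple[bool, bool, bool]:
    """Returns (exact document detected, near-miss document detected,
    victim can still read their own data)."""
    key = hashlib.sha256(b"demo key, constructed").digest()
    store = EncryptedStore(key, dedup_friendly)
    secret = b"CONFIDENTIAL: merger memo, draft 7\n" * 200   # constructed sample
    store.write("memo.txt", secret)
    store.write("unrelated.bin", os.urandom(3 * BLOCK))
    hit = attacker_probe(store, secret)
    near_miss = attacker_probe(store, secret.replace(b"draft 7", b"draft 8"))
    return hit, near_miss, store.read("memo.txt") == secret


if __name__ == "__main__":
    print("dedup-friendly IVs:", demo(True))    # (True, False, True)
    print("random IVs:        ", demo(False))   # (False, False, True)
```

The point of the two runs is the tradeoff Alan describes: with random IVs the attacker learns nothing, but identical blocks can no longer deduplicate at all, so a design that insists on dedup of encrypted data has to accept that equality of plaintext is visible to anyone who can see the ciphertext. The guess has to be block-exact to produce a hit, which is why the near-miss probe fails; a single byte change in each record is enough to defeat it, and conversely a file the attacker can reproduce exactly (a leaked document, a known binary) is the ideal watermark.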


Re: Zfs encryption property for freebsd 8.3

2013-09-03 Thread Florent Peterschmitt
On 03/09/2013 14:14, Emre Çamalan wrote:
> Hi, 
> I want to encrypt some disk on my server with Zfs encryption property but it 
> is not available.

"That would require ZFS v30. As far as I am aware Oracle has not
released the code under CDDL."

From http://forums.freebsd.org/showthread.php?t=30036

So you can use ZFS pools on GELI volumes, it can be a good start. I haven't
played with it.

-- 
Florent Peterschmitt   | Please:
flor...@peterschmitt.fr|  * Avoid HTML/RTF in E-mail.
+33 (0)6 64 33 97 92   |  * Send PDF for documents.
http://florent.peterschmitt.fr |  * Trim your quotations. Really.
Proudly powered by Open Source | Thank you :)


