Subject: Re: Native Encryption for ZFS on FreeBSD CFT
From: Sean Fagan
Date: Wed, 22 Aug 2018 11:30:07 -0700
To: Alan Somers
Cc: Matthew Macy, FreeBSD CURRENT, freebsd-fs
Message-Id: <9FDF249A-E320-4652-834E-7EEC5C4FB7CA@ixsystems.com>

On Aug 21, 2018, at 8:16 PM, Alan Somers wrote:
>
> The last time I looked (which was a long time ago), Oracle's ZFS encryption looked extremely vulnerable to watermarking attacks. Did anybody ever fix that?

This is the comment about dedup in zio_crypt.c:

 * CONSIDERATIONS FOR DEDUP:
 * In order for dedup to work, blocks that we want to dedup with one another
 * need to use the same IV and encryption key, so that they will have the same
 * ciphertext. Normally, one should never reuse an IV with the same encryption
 * key or else AES-GCM and AES-CCM can both actually leak the plaintext of both
 * blocks. In this case, however, since we are using the same plaintext as
 * well all that we end up with is a duplicate of the original ciphertext we
 * already had. As a result, an attacker with read access to the raw disk will
 * be able to tell which blocks are the same but this information is given away
 * by dedup anyway. In order to get the same IVs and encryption keys for
 * equivalent blocks of data we use an HMAC of the plaintext. We use an HMAC
 * here so that a reproducible checksum of the plaintext is never available to
 * the attacker. The HMAC key is kept alongside the master key, encrypted on
 * disk. The first 64 bits of the HMAC are used in place of the random salt, and
 * the next 96 bits are used as the IV. As a result of this mechanism, dedup
 * will only work within a clone family since encrypted dedup requires use of
 * the same master and HMAC keys.

(So, same issue. I don't think encryption and deduplication should live together, so I would not have made that choice.)

Sean.
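The following is an added example, not code from the ZFS tree or from either poster, that models the scheme the zio_crypt.c comment describes: an HMAC over the plaintext supplies the 64-bit salt and the 96-bit GCM IV, so two equal blocks under the same master and HMAC keys produce byte-identical ciphertext (which is exactly what a reader of the raw disk can observe), while a different HMAC key breaks the equality. It assumes HMAC-SHA512 for the plaintext MAC and uses a one-step HMAC-SHA256 key derivation in place of the real HKDF step; both are simplifications for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"crypto/sha512"
)

// deriveSaltIV follows the comment's scheme: an HMAC of the plaintext yields
// the 64-bit salt and the 96-bit GCM IV, so equal plaintext under the same
// HMAC key always receives the same IV. HMAC-SHA512 is an assumption here.
func deriveSaltIV(hmacKey, plaintext []byte) (salt, iv []byte) {
	mac := hmac.New(sha512.New, hmacKey)
	mac.Write(plaintext)
	sum := mac.Sum(nil)
	return sum[:8], sum[8:20]
}

// deriveDataKey stands in for the KDF that turns master key + salt into the
// AES key used for the block (simplified; the real code uses HKDF).
func deriveDataKey(masterKey, salt []byte) []byte {
	kdf := hmac.New(sha256.New, masterKey)
	kdf.Write(salt)
	return kdf.Sum(nil) // 32 bytes, used as an AES-256 key
}

// EncryptDedupBlock returns salt || iv || AES-256-GCM ciphertext || tag.
// Because salt and IV are derived from the plaintext, the output is fully
// deterministic: identical blocks dedup, and are visibly identical on disk.
func EncryptDedupBlock(masterKey, hmacKey, plaintext []byte) ([]byte, error) {
	salt, iv := deriveSaltIV(hmacKey, plaintext)
	block, err := aes.NewCipher(deriveDataKey(masterKey, salt))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	out := append(append([]byte{}, salt...), iv...)
	return gcm.Seal(out, iv, plaintext, nil), nil
}
```

Encrypting the same block twice with the same keys yields identical bytes; changing only the HMAC key (a different clone family) yields an unrelated ciphertext, matching the comment's note that dedup only works within a clone family.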