From: Alan Somers
To: Florent Peterschmitt
Cc: freebsd-hackers@freebsd.org
Date: Tue, 3 Sep 2013 10:20:05 -0600
Subject: Re: Zfs encryption property for freebsd 8.3
In-Reply-To: <5225F9E3.4000101@peterschmitt.fr>
References: <226721378210462@web15j.yandex.ru> <5225D49B.2080807@peterschmitt.fr> <5225F9E3.4000101@peterschmitt.fr>
List-Id: Technical Discussions relating to FreeBSD

On Tue, Sep 3, 2013 at 9:01 AM, Florent Peterschmitt wrote:
> On 03/09/2013 16:53, Alan Somers wrote:
>> GELI is full-disk encryption. It's far superior to ZFS encryption.
>
> Yup, but is there a possibility to encrypt a ZFS volume (not a whole
> pool) with a separate GELI partition?

You mean encrypt a zvol with GELI and put a file system on that? I
suppose that would work, but I bet that it would be slow.

>
> Also, in-ZFS encryption would be a nice thing if it could work like an
> LVM/LUKS where each logical LVM volume can be encrypted or not and have
> its own crypt key.

My understanding is that this is exactly how Oracle's ZFS encryption
works. Each ZFS filesystem can have its own key, or be in plaintext.
Every cryptosystem involves a tradeoff between security and convenience,
and ZFS encryption goes fairly hard toward convenience. In particular,
Oracle decided that encrypted files must be deduplicatable. A necessary
result is that they are trivially vulnerable to watermarking attacks.

https://blogs.oracle.com/darren/entry/zfs_encryption_what_is_on

>
> I saw that Illumos has ZFS encryption in the TODO list.
>
> --
> Florent Peterschmitt | Please:
> florent@peterschmitt.fr | * Avoid HTML/RTF in E-mail.
> +33 (0)6 64 33 97 92 | * Send PDF for documents.
> http://florent.peterschmitt.fr | * Trim your quotations. Really.
> Proudly powered by Open Source | Thank you :)
>
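Alan's point about dedup-friendly encryption, as an added toy illustration that is not from the thread and not ZFS's actual cipher mode: to let identical plaintext blocks deduplicate, the IV must be derived from the plaintext, so equal blocks produce equal ciphertext and anyone who can read the stored blocks (but not the key) can see the repeat pattern of a file, which is what makes a planted "watermark" recognisable; per-block random IVs hide that at the cost of dedup. The HMAC-SHA256 counter-mode stream cipher, the 16-byte block size and the sample data are constructed for the example.

```python
import hashlib
import hmac
import os

BLOCK = 16  # toy block size for the demonstration; ZFS records are much larger

def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stand-in stream cipher, so the example
    # runs with only the standard library (toy construction, not for real use).
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def encrypt_block(key: bytes, block: bytes, dedup_friendly: bool) -> bytes:
    # Dedup-friendly mode derives the IV from a keyed MAC of the plaintext, so equal
    # plaintext blocks give equal ciphertext (and checksums) and can be deduplicated.
    # Otherwise each block gets a fresh random IV and block equality is hidden.
    iv = hmac.new(key, block, hashlib.sha256).digest()[:12] if dedup_friendly else os.urandom(12)
    return iv + bytes(a ^ b for a, b in zip(block, _keystream(key, iv, len(block))))

def decrypt_block(key: bytes, ct: bytes) -> bytes:
    iv, body = ct[:12], ct[12:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, iv, len(body))))

def encrypt_file(key: bytes, data: bytes, dedup_friendly: bool) -> list:
    return [encrypt_block(key, data[i:i + BLOCK], dedup_friendly)
            for i in range(0, len(data), BLOCK)]

def decrypt_file(key: bytes, blocks: list) -> bytes:
    return b"".join(decrypt_block(key, c) for c in blocks)

def observer_counts(blocks: list) -> list:
    # What a party that can read the stored ciphertext but not the key learns: the
    # multiplicity of each block. A distinctive repeat pattern (a "watermark") survives
    # dedup-friendly encryption; with random IVs every block looks unique.
    counts = {}
    for c in blocks:
        counts[c] = counts.get(c, 0) + 1
    return sorted(counts.values(), reverse=True)

def observer_shared_blocks(a: list, b: list) -> int:
    # Same observer: how many stored blocks two files visibly have in common.
    return len(set(a) & set(b))
```

Running `observer_counts` over a constructed file whose first block repeats four times returns `[4, 1, 1]` in dedup-friendly mode and all ones with random IVs, while both modes decrypt back to the same plaintext.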