Date: Wed, 22 Aug 2018 12:23:13 -0700 From: Sean Fagan <sef@ixsystems.com> To: Alan Somers <asomers@freebsd.org> Cc: Matthew Macy <mmacy@freebsd.org>, FreeBSD CURRENT <freebsd-current@freebsd.org>, freebsd-fs <freebsd-fs@freebsd.org> Subject: Re: Native Encryption for ZFS on FreeBSD CFT Message-ID: <E415D5A9-DBEE-45DC-9AE2-7E50A74B8C2D@ixsystems.com> In-Reply-To: <CAOtMX2iMuLWEQV68MTcvpURacXB5wZMT8yAYySisOfnmCNn=SA@mail.gmail.com> References: <CAPrugNomNQQUZZNgngYRjDEVEU=_KbE2pgG4ajO1Jr4%2BGov2gQ@mail.gmail.com> <CAPrugNpKOYe9VS6Q-Q43t4i51qsxrP0SKW76208rtX-ENWxS5g@mail.gmail.com> <CAOtMX2jGQWm9ZFM_0kqvEt41xrm%2BFTpq6JVK4iK-c20NQjisRg@mail.gmail.com> <AD1101E9-9A3E-41CB-B313-1723123C607B@ixsystems.com> <CAOtMX2gvtzKg=DJChZdcYCiuADNVm9JvhgLNJ7bmwCLArgigjw@mail.gmail.com> <9FDF249A-E320-4652-834E-7EEC5C4FB7CA@ixsystems.com> <CAOtMX2iMuLWEQV68MTcvpURacXB5wZMT8yAYySisOfnmCNn=SA@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Aug 22, 2018, at 12:20 PM, Alan Somers <asomers@freebsd.org> wrote:
> ]That doesn't answer the question about what happens when dedup is =
turned off. In that case, is the HMAC still used as the IV? If so, =
then watermarking attacks are still possible. If ZFS switches to a =
random IV when dedup is off, then it would probably be ok.
=46rom the same file:
* Initialization Vector (IV): =
=20
* An initialization vector for the encryption algorithms. This is used =
to =20
* "tweak" the encryption algorithms so that two blocks of the same data =
are =20
* encrypted into different ciphertext outputs, thus obfuscating block =
patterns. =20
* The supported encryption modes (AES-GCM and AES-CCM) require that an =
IV is =20
* never reused with the same encryption key. This value is stored =
unencrypted =20
* and must simply be provided to the decryption function. We use a 96 =
bit IV =20
* (as recommended by NIST) for all block encryption. For non-dedup =
blocks we =20
* derive the IV randomly. The first 64 bits of the IV are stored in the =
second =20
* word of DVA[2] and the remaining 32 bits are stored in the upper 32 =
bits of =20
* blk_fill. This is safe because encrypted blocks can't use the upper =
32 bits =20
* of blk_fill. We only encrypt level 0 blocks, which normally have a =
fill count =20
* of 1. The only exception is for DMU_OT_DNODE objects, where the fill =
count of =20
* level 0 blocks is the number of allocated dnodes in that block. The =
on-disk =20
* format supports at most 2^15 slots per L0 dnode block, because the =
maximum =20
* block size is 16MB (2^24). In either case, for level 0 blocks this =
number =20
* will still be smaller than UINT32_MAX so it is safe to store the IV =
in the =20
* top 32 bits of blk_fill, while leaving the bottom 32 bits of the fill =
count =20
* for the dnode code. =
=20
Sean
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?E415D5A9-DBEE-45DC-9AE2-7E50A74B8C2D>