From owner-freebsd-hackers@freebsd.org  Sun Sep 13 01:38:21 2020
Return-Path: <owner-freebsd-hackers@freebsd.org>
Delivered-To: freebsd-hackers@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id B90943E81FD
 for <freebsd-hackers@mailman.nyi.freebsd.org>;
 Sun, 13 Sep 2020 01:38:21 +0000 (UTC)
 (envelope-from eugen@grosbein.net)
Received: from hz.grosbein.net (hz.grosbein.net [IPv6:2a01:4f8:c2c:26d8::2])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "hz.grosbein.net", Issuer "hz.grosbein.net" (not verified))
 by mx1.freebsd.org (Postfix) with ESMTPS id 4BpsZh20C6z4m3G
 for <freebsd-hackers@freebsd.org>; Sun, 13 Sep 2020 01:38:19 +0000 (UTC)
 (envelope-from eugen@grosbein.net)
Received: from eg.sd.rdtc.ru (eg.sd.rdtc.ru [IPv6:2a03:3100:c:13:0:0:0:5])
 by hz.grosbein.net (8.15.2/8.15.2) with ESMTPS id 08D1bxPs021392
 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
 Sun, 13 Sep 2020 01:38:02 GMT (envelope-from eugen@grosbein.net)
X-Envelope-From: eugen@grosbein.net
X-Envelope-To: eric@metricspace.net
Received: from [10.58.0.10] (dadvw [10.58.0.10])
 by eg.sd.rdtc.ru (8.16.1/8.16.1) with ESMTPS id 08D1c24T013483
 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT);
 Sun, 13 Sep 2020 08:38:02 +0700 (+07)
 (envelope-from eugen@grosbein.net)
Subject: Re: ZFS encryption and loader
To: Eric McCorkle <eric@metricspace.net>, freebsd-hackers@freebsd.org
References: <676dfde0-4202-1dc9-f90c-420fe9bbae27@metricspace.net>
From: Eugene Grosbein <eugen@grosbein.net>
Message-ID: <9bbc0793-25d5-6525-fad5-c74ec836e26e@grosbein.net>
Date: Sun, 13 Sep 2020 08:37:56 +0700
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:45.0) Gecko/20100101
 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <676dfde0-4202-1dc9-f90c-420fe9bbae27@metricspace.net>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-2.2 required=5.0 tests=BAYES_00,LOCAL_FROM,
 NICE_REPLY_A,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no
 version=3.4.2
X-Spam-Report: * -2.3 BAYES_00 BODY: Bayes spam probability is 0 to 1%
 *      [score: 0.0000]
 * -0.0 SPF_PASS SPF: sender matches SPF record
 *  0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
 *  2.6 LOCAL_FROM From my domains
 * -2.5 NICE_REPLY_A Looks like a legit reply (A)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on hz.grosbein.net
X-Rspamd-Queue-Id: 4BpsZh20C6z4m3G
X-Spamd-Bar: --
Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none;
 spf=permerror (mx1.freebsd.org: domain of eugen@grosbein.net uses mechanism
 not recognized by this client) smtp.mailfrom=eugen@grosbein.net
X-Spamd-Result: default: False [-2.21 / 15.00]; MID_RHS_MATCH_FROM(0.00)[];
 ARC_NA(0.00)[]; FREEFALL_USER(0.00)[eugen];
 FROM_HAS_DN(0.00)[]; TO_DN_SOME(0.00)[];
 NEURAL_HAM_MEDIUM(-0.89)[-0.889];
 NEURAL_HAM_LONG(-0.94)[-0.936]; MIME_GOOD(-0.10)[text/plain];
 DMARC_NA(0.00)[grosbein.net]; RCVD_COUNT_THREE(0.00)[3];
 TO_MATCH_ENVRCPT_SOME(0.00)[];
 R_SPF_PERMFAIL(0.00)[empty SPF record];
 RCPT_COUNT_TWO(0.00)[2]; NEURAL_HAM_SHORT(-0.29)[-0.285];
 FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[];
 MIME_TRACE(0.00)[0:+];
 ASN(0.00)[asn:24940, ipnet:2a01:4f8::/29, country:DE];
 RCVD_TLS_ALL(0.00)[]; MAILMAN_DEST(0.00)[freebsd-hackers]
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.33
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
 <freebsd-hackers.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-hackers>, 
 <mailto:freebsd-hackers-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-hackers/>
List-Post: <mailto:freebsd-hackers@freebsd.org>
List-Help: <mailto:freebsd-hackers-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-hackers>, 
 <mailto:freebsd-hackers-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 13 Sep 2020 01:38:21 -0000

13.09.2020 5:46, Eric McCorkle wrote:

> I'm thinking of migrating to ZFS encryption from GELI in the near future.
> 
> Does anyone know offhand what the state of support for ZFS encryption in
> loader looks like, and if there's support for passing keys to the kernel
> for boot-time loading?  (I can look at adding these if they're missing)

Recently I've learned from one of ZoL maintainers that native
ZFS encryption is not so comprehensive as GELI.

I've been told that native ZFS encryption was initially designed for one specific task:
being able to receive encrypted customer data (backups), verify its integrity without decryption,
store and then receive incremental backups later. Therefore, not all data is hidden with encryption,
for example, dataset names and some other metadata are not.