From owner-freebsd-hackers@freebsd.org Sat Oct 31 19:48:13 2020
Subject: Re: Mounting encrypted ZFS datasets/GELI for users?
To: FreeBSD Hackers <freebsd-hackers@freebsd.org>
From: Eric McCorkle <eric@metricspace.net>
Date: Sat, 31 Oct 2020 15:48:00 -0400
Message-ID: <794d789d-4056-4152-e7f6-bf9d10d42518@metricspace.net>
In-Reply-To: <20201026221215.GB31099@funkthat.com>
References: <8d467e98-237f-c6a2-72de-94c0195ec964@metricspace.net> <20201026221215.GB31099@funkthat.com>

On 10/26/20 6:12 PM, John-Mark Gurney wrote:
> Eric McCorkle wrote this message on Mon, Oct 05, 2020 at 09:45 -0400:
>> I'm presently looking into options presented by ZFS encryption. One
>> idea I had was something like this (I'm going to go with ZFS for now,
>> but you could presumably do something like this with GELI, with more
>> effort).
>
> I'd still recommend using GELI. Even w/ ZFS's native encryption, the
> metadata for ZFS remains unencrypted, and able to be munged. If you
> geli w/ ZFS and a strong checksum, like sha512/256, I believe that this
> is the equivalent to authenticated encryption, a la geli's authenticated
> mode, but with significantly less overhead...

Something to note is that GELI's authenticated mode changes the block size, because it uses the last bytes in each block to hold the MAC. This is likely to have consequences for performance.

However, this also does suggest a ZFS feature that would create a MAC code for the root block of the filesystem (I am less familiar with the ZFS on-disk format, but as it's a write-once format with MAC information stored at each block pointer, this would have the effect of protecting the entire filesystem from offline tampering).

> This has already been implemented in PEFS:
> https://pefs.io/
>
> and there's already a port for it:
> https://www.freshports.org/sysutils/pefs-kmod/

Thanks, I'll look into this.
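The two points made above (that ZFS metadata with unkeyed checksums can be munged by an offline attacker, and that a keyed MAC over just the root block would protect the whole write-once tree) can be shown with a toy model. The following is an added example written for this page; it is not ZFS, GELI or PEFS code. It assumes a simplified on-disk format (one tag byte, 40-byte block pointers holding an address and a checksum, fanout of two), models the proposed "MAC on the root block" feature as an HMAC-SHA256 over the uberblock's root pointer, and uses constructed sample leaf data and a constructed key.

```python
"""Toy write-once block tree with ZFS-style unkeyed checksums in each block
pointer, plus an optional keyed MAC on the uberblock. Constructed example,
not ZFS/GELI code; block layout, fanout and the root-MAC feature are assumptions."""
import hashlib
import hmac
import struct

FANOUT = 2                    # assumption: toy indirect blocks hold two pointers
PTR = struct.Struct(">Q32s")  # block pointer = 8-byte address + 32-byte checksum


class IntegrityError(Exception):
    pass


def checksum(data: bytes) -> bytes:
    """sha512/256, the strong checksum named in the thread (sha256 fallback)."""
    try:
        return hashlib.new("sha512_256", data).digest()
    except ValueError:
        return hashlib.sha256(data).digest()


class Disk:
    """Write-once block store: every write gets a fresh address."""
    def __init__(self):
        self.blocks = {}

    def write(self, data: bytes) -> int:
        addr = len(self.blocks)
        self.blocks[addr] = data
        return addr


def write_tree(disk, leaves):
    """Write leaves ('L' blocks) and indirect 'I' blocks bottom-up; return root pointer."""
    ptrs = []
    for leaf in leaves:
        blk = b"L" + leaf
        ptrs.append((disk.write(blk), checksum(blk)))
    while len(ptrs) > 1:
        nxt = []
        for i in range(0, len(ptrs), FANOUT):
            blk = b"I" + b"".join(PTR.pack(a, c) for a, c in ptrs[i:i + FANOUT])
            nxt.append((disk.write(blk), checksum(blk)))
        ptrs = nxt
    return ptrs[0]


def walk(disk, ptr):
    """Follow pointers, checking every block against the checksum its parent holds."""
    addr, cksum = ptr
    blk = disk.blocks[addr]
    if checksum(blk) != cksum:
        raise IntegrityError(f"checksum mismatch at block {addr}")
    if blk[:1] == b"L":
        return [(addr, blk[1:])]
    out = []
    for off in range(1, len(blk), PTR.size):
        out += walk(disk, PTR.unpack_from(blk, off))
    return out


def write_uberblock(disk, root_ptr, key=None):
    """Uberblock = root pointer, plus an HMAC over it when a key is given (assumed feature)."""
    ub = b"U" + PTR.pack(*root_ptr)
    mac = hmac.new(key, ub, hashlib.sha256).digest() if key is not None else b""
    return disk.write(ub + mac)


def mount(disk, ub_addr, key=None):
    """Verify the uberblock MAC (if keyed), then read all leaves through the checksums."""
    ub = disk.blocks[ub_addr]
    body, mac = ub[:1 + PTR.size], ub[1 + PTR.size:]
    if key is not None:
        if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), mac):
            raise IntegrityError("uberblock MAC mismatch")
    return [d for _, d in walk(disk, PTR.unpack(body[1:]))]


def offline_tamper(disk, ub_addr, leaf_index, new_data, reroot):
    """Attacker with raw disk access. reroot=False: clobber one leaf in place.
    reroot=True: rebuild the whole tree with the new leaf and rewrite the
    uberblock's root pointer, keeping whatever MAC bytes were already there."""
    ub = disk.blocks[ub_addr]
    mac = ub[1 + PTR.size:]
    entries = walk(disk, PTR.unpack(ub[1:1 + PTR.size]))
    if not reroot:
        disk.blocks[entries[leaf_index][0]] = b"L" + new_data  # parent pointer now stale
        return
    leaves = [d for _, d in entries]
    leaves[leaf_index] = new_data
    disk.blocks[ub_addr] = b"U" + PTR.pack(*write_tree(disk, leaves)) + mac


def demo():
    key = b"constructed per-pool key"          # constructed for the example
    leaves = [b"root:*:0:0::/root:/bin/sh", b'sshd_enable="YES"',
              b"ssh-ed25519 <owner key>", b"notes.txt"]   # constructed sample data
    evil = b"ssh-ed25519 <attacker key>"
    r = {}
    d = Disk(); ub = write_uberblock(d, write_tree(d, leaves))
    r["clean"] = mount(d, ub) == leaves
    offline_tamper(d, ub, 2, evil, reroot=False)          # stale pointer: caught
    try:
        mount(d, ub); r["stale_caught"] = False
    except IntegrityError:
        r["stale_caught"] = True
    d = Disk(); ub = write_uberblock(d, write_tree(d, leaves))
    offline_tamper(d, ub, 2, evil, reroot=True)           # unkeyed: every checksum matches
    r["reroot_unkeyed_passes"] = mount(d, ub)[2] == evil
    d = Disk(); ub = write_uberblock(d, write_tree(d, leaves), key=key)
    r["keyed_clean"] = mount(d, ub, key) == leaves
    offline_tamper(d, ub, 2, evil, reroot=True)           # keyed root: MAC no longer matches
    try:
        mount(d, ub, key); r["reroot_keyed_caught"] = False
    except IntegrityError:
        r["reroot_keyed_caught"] = True
    return r
```

Running demo() shows the three outcomes: a clobbered block whose parent pointer was not rewritten fails its checksum; an attacker who rewrites the tree and the root pointer passes every unkeyed check; and with one HMAC over the root pointer the same rewrite is rejected, because every block below is already bound to that pointer by the checksum chain, so only the root needs the key. GELI's per-sector MAC layout (and the block-size change it implies) is not modelled here.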