From: infoomatic
Date: Wed, 23 Aug 2023 09:34:56 +0200
To: questions@freebsd.org
Subject: Re: Is ZFS native encryption safe to use?
In-Reply-To: <0e7d2657-f857-01a8-f764-33b9c62c11f1@netfence.it>
List-Archive: https://lists.freebsd.org/archives/freebsd-questions

Last time (when 13.0 was released) I compared them:

*) GELI + normal zfs was significantly faster than encrypted-zfs
*) encrypted zfs to share files between Linux and FreeBSD did not work
   properly, resulting in files non-readable on FreeBSD

On 23.08.23 09:32, Andrea Venturoli wrote:
> On 8/23/23 03:02, iio7@tutanota.com wrote:
>
> Hello.
> Just my 2c...
>
>> There seems to be a bit of open (and rather old) ZFS native encryption
>> bugs which still haven't been fixed and it doesn't look like it is
>> something that is being worked on.
>>
>> Last night I was going to move some important files from an unencrypted
>> dataset to a new encrypted (ZFS native) one, but then got my doubts
>> about doing that (looking at all the different open GitHub issues on
>> OpenZFS).
>
> Could you please provide links to these discussions/bugs?
>
>> What is the general experience running with ZFS native encryption on
>> FreeBSD?
>
> I'm using it on three machines with no issues so far.
>
>> Is it better to use GELI for the whole pool instead?
>
> If possible, I prefer GELI.
>
> However, I want to be able to let the machine boot without having to
> type a passphrase, SSH in and activate the encrypted partitions/dataset.
> In the past I used to have two partitions (a "plain" one for a non
> encrypted pool and a GELI one for the encrypted pool); however this fixes
> the sizes of the two pools and leads to some hassle when one might get
> full while the other still has space; so I'm moving to a single ZFS pool
> with some encrypted datasets.
>
>  bye
>      av.