Date: Tue, 3 Sep 2013 10:20:05 -0600
From: Alan Somers <asomers@freebsd.org>
To: Florent Peterschmitt <florent@peterschmitt.fr>
Cc: freebsd-hackers@freebsd.org
Subject: Re: Zfs encryption property for freebsd 8.3
Message-ID: <CAOtMX2ivt6muEiH0RDh_Q2HpN%2BS2LMLQ8seqQV7QLi22Xf0JRA@mail.gmail.com>
In-Reply-To: <5225F9E3.4000101@peterschmitt.fr>
References: <226721378210462@web15j.yandex.ru> <5225D49B.2080807@peterschmitt.fr> <CAOtMX2hdbY52Wh=B=ByrX7BM%2B-hHNnbtKG9S_uMBCLT5pEE-gw@mail.gmail.com> <5225F9E3.4000101@peterschmitt.fr>

On Tue, Sep 3, 2013 at 9:01 AM, Florent Peterschmitt
<florent@peterschmitt.fr> wrote:
> On 03/09/2013 16:53, Alan Somers wrote:
>> GELI is full-disk encryption. It's far superior to ZFS encryption.
>
> Yup, but is there a possibility to encrypt a ZFS volume (not a whole
> pool) with a separate GELI partition?

You mean encrypt a zvol with GELI and put a file system on that? I
suppose that would work, but I bet that it would be slow.

>
> Also, in-ZFS encryption would be a nice thing if it could work like an
> LVM/LUKS where each logical LVM volume can be encrypted or not and have
> its own crypt key.

My understanding is that this is exactly how Oracle's ZFS encryption
works. Each ZFS filesystem can have its own key, or be in plaintext.
Every cryptosystem involves a tradeoff between security and
convenience, and ZFS encryption goes fairly hard toward convenience.
In particular, Oracle decided that encrypted files must be
deduplicatable. A necessary result is that they are trivially
vulnerable to watermarking attacks.

https://blogs.oracle.com/darren/entry/zfs_encryption_what_is_on

>
> I saw that Illumos has ZFS encryption in the TODO list.
>
> --
> Florent Peterschmitt           | Please:
> florent@peterschmitt.fr        |  * Avoid HTML/RTF in E-mail.
> +33 (0)6 64 33 97 92           |  * Send PDF for documents.
> http://florent.peterschmitt.fr |  * Trim your quotations. Really.
> Proudly powered by Open Source | Thank you :)
>
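
The tradeoff between deduplication and watermarking resistance mentioned in the message above, as an added example that is not part of the original e-mail and is not Oracle's implementation: a toy Python model in which the per-block IV is either derived from the plaintext (so equal blocks deduplicate) or chosen at random. The HMAC-SHA256 keystream cipher, the 32-byte block size, the sample blocks and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

BLOCK = 32  # toy record size in bytes (assumption; real records are much larger)

def _prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def _keystream(key, iv, n):
    # Toy stream cipher: HMAC-SHA256 in counter mode (stand-in for a real cipher).
    out, ctr = b"", 0
    while len(out) < n:
        out += _prf(key, iv + ctr.to_bytes(4, "big"))
        ctr += 1
    return out[:n]

def encrypt_block(key, block, dedup):
    # dedup=True: IV is a keyed hash of the plaintext, so equal plaintext blocks
    # give byte-identical ciphertext. dedup=False: fresh random IV per write.
    iv = _prf(_prf(key, b"iv-key"), block)[:16] if dedup else os.urandom(16)
    stream = _keystream(_prf(key, b"enc-key"), iv, len(block))
    return iv + bytes(p ^ s for p, s in zip(block, stream))

def decrypt_block(key, stored):
    iv, ct = stored[:16], stored[16:]
    stream = _keystream(_prf(key, b"enc-key"), iv, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))

def repeated_groups(stored):
    # What is visible from ciphertext alone: which block positions are equal.
    seen = {}
    for i, c in enumerate(stored):
        seen.setdefault(c, []).append(i)
    return sorted(g for g in seen.values() if len(g) > 1)

def compare_modes():
    key = os.urandom(32)
    marker = b"M" * BLOCK  # constructed sample: one block content that recurs
    blocks = [b"A" * BLOCK, marker, b"B" * BLOCK, marker, marker, b"C" * BLOCK]
    result = {}
    for name, dedup in (("dedup", True), ("random_iv", False)):
        stored = [encrypt_block(key, b, dedup) for b in blocks]
        assert [decrypt_block(key, s) for s in stored] == blocks
        result[name] = (len(set(stored)), repeated_groups(stored))
    return result
```

In the dedup mode the storage saving (4 distinct stored blocks instead of 6) and the leak (positions 1, 3 and 4 are visibly equal without the key) are the same property; with random IVs both disappear.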