Date: Sun, 13 Sep 2020 11:08:27 +0200
From: Daniel Ebdrup Jensen <debdrup@FreeBSD.org>
To: freebsd-hackers@freebsd.org
Subject: Re: ZFS encryption and loader
Message-ID: <20200913090827.kdfnnx76n2yknmiw@nerd-thinkpad.local>
In-Reply-To: <CANCZdfqxURFgXE00Gk8_XmaoiQFp78QRp-DFu9uLR5G8KBb%2B0Q@mail.gmail.com>
References: <676dfde0-4202-1dc9-f90c-420fe9bbae27@metricspace.net> <CANCZdfpGrAPp1ZKreqaZFCRJVmqnd49HFOzRBw5X8PZgmQS9Lg@mail.gmail.com> <CANCZdfqxURFgXE00Gk8_XmaoiQFp78QRp-DFu9uLR5G8KBb%2B0Q@mail.gmail.com>

On Sat, Sep 12, 2020 at 04:52:32PM -0600, Warner Losh wrote:
>On Sat, Sep 12, 2020, 4:49 PM Warner Losh <imp@bsdimp.com> wrote:
>
>>
>>
>> On Sat, Sep 12, 2020, 4:46 PM Eric McCorkle <eric@metricspace.net> wrote:
>>
>>> I'm thinking of migrating to ZFS encryption from GELI in the near future.
>>>
>>> Does anyone know offhand what the state of support for ZFS encryption in
>>> loader looks like, and if there's support for passing keys to the kernel
>>> for boot-time loading? (I can look at adding these if they're missing)
>>>
>>
>> Matt Macy did an initial port. I've refined it to fit the stand env
>> better. I need to upstream some things and got stalled there for unrelated
>> reasons.
>>
>
>Wait. I just got crypto and compression confused. The work is on
>compression....
>
>Warner

This came up in another thread, perhaps on another FreeBSD mailing list,
recently - but the gist of it is that as of r364787 [1], you can have a root
pool that isn't encrypted, and use encrypted datasets - as far as I remember,
given the bsdinstall dataset layout, this means that at least the data will be
encrypted.
Thankfully, sef@ added AES-CCM as well as an aesni implementation back in 2019.

Yours,
Daniel Ebdrup Jensen

[1]: https://svnweb.freebsd.org/changeset/base/364787