From: Xin Li
Reply-To: d@delphij.net
To: mike tancsa, FreeBSD-STABLE Mailing List
Subject: Re: zfs native encryption best practices on RELENG13
Date: Fri, 23 Apr 2021 14:23:38 -0700
Message-ID: <56a4a35f-b4d7-661a-f59b-8cd399784e6e@delphij.net>

On 4/23/21 13:53, mike tancsa wrote:
> Starting to play around with RELENG_13 and wanted to explore ZFS' built in
> encryption.  Is there a best practices doc on how to do full disk
> encryption anywhere that's not GELI based ?  There are lots for GELI,
> but nothing I could find for native OpenZFS encryption on FreeBSD
>
> i.e box gets rebooted, enter in passphrase to allow it to boot kind of
> thing
> from the boot loader prompt ?

I think the loader does not support the native OpenZFS encryption yet.
However, you can encrypt non-essential datasets on a boot pool (that is,
if com.datto:encryption is "active" AND the bootfs dataset is not
encrypted, you can still boot from it).

BTW instead of entering passphrase at loader prompt, if / is not
encrypted, it's also possible to do something like
https://lists.freebsd.org/pipermail/freebsd-security/2012-August/006547.html .

Personally I'd probably go with GELI (or other kind of full disk
encryption) regardless if OpenZFS's native encryption is used because my
primary goal is to be able to just throw away bad disks when they are
removed from production [1].  If the pool is not fully encrypted, there
is always a chance that the sensitive data have landed in some unencrypted
datasets and never get fully overwritten.

[1] Also keep in mind: https://xkcd.com/538/

Cheers,
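The two conditions discussed in the message above (the bootfs dataset must stay unencrypted for the loader, and every other unencrypted dataset is a place where sensitive data can land in the clear) can be checked from the `encryption` property. This is an added example, not part of the original post; the function names `audit_pool` and `sample_listing`, the pool name `zroot` and its datasets are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit native-encryption coverage of a pool.
# Input on stdin is the tab-separated output of:
#   zfs get -r -H -o name,value -t filesystem,volume encryption <pool>
# where the value is "off" or a cipher suite such as aes-256-gcm.

# audit_pool BOOTFS
#   Prints "BOOT-OK <name>" or "BOOT-BLOCKED <name>" for the bootfs dataset
#   and "PLAINTEXT <name>" for every other dataset with encryption=off.
#   Exit status: 0 bootfs unencrypted, 1 bootfs encrypted, 2 bootfs not listed.
audit_pool() {
    awk -F '\t' -v bootfs="$1" '
        $1 == bootfs {
            seen = 1
            enc = ($2 != "off")
            label = enc ? "BOOT-BLOCKED" : "BOOT-OK"
            print label, $1
            next
        }
        $2 == "off" { print "PLAINTEXT", $1 }
        END {
            if (!seen) exit 2
            exit (enc ? 1 : 0)
        }
    '
}

# Constructed sample listing (not taken from a real system).
sample_listing() {
    printf 'zroot\toff\n'
    printf 'zroot/ROOT\toff\n'
    printf 'zroot/ROOT/default\toff\n'
    printf 'zroot/home\taes-256-gcm\n'
    printf 'zroot/tmp\toff\n'
    printf 'zroot/var/log\toff\n'
    printf 'zroot/secure\taes-256-gcm\n'
}

# Demo on the constructed sample; on a live system pipe the zfs get command
# above into: audit_pool "$(zpool get -H -o value bootfs <pool>)"
sample_listing | audit_pool zroot/ROOT/default
```

Every `PLAINTEXT` line is a dataset whose blocks reach the disk unencrypted, which is the residual exposure the message gives as the reason for keeping full disk encryption underneath.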