From: Peter Libassi <peter@libassi.se>
To: d@delphij.net
Cc: mike tancsa, FreeBSD-STABLE Mailing List, Xin Li
Subject: Re: zfs native encryption best practices on RELENG13
Date: Sat, 24 Apr 2021 05:47:45 +0200
Message-Id: <4CFAA2E3-F8B0-41F3-BA2D-4802FC138E8C@libassi.se>
In-Reply-To: <56a4a35f-b4d7-661a-f59b-8cd399784e6e@delphij.net>
> On 23 Apr 2021 at 23:23, Xin Li via freebsd-stable wrote:
>
> On 4/23/21 13:53, mike tancsa wrote:
>> Starting to play around with RELENG_13 and wanted to explore ZFS' built-in
>> encryption. Is there a best practices doc on how to do full disk
>> encryption anywhere that's not GELI based? There are lots for GELI,
>> but nothing I could find for native OpenZFS encryption on FreeBSD.
>>
>> i.e. box gets rebooted, enter in passphrase to allow it to boot, kind of
>> thing from the boot loader prompt?
>
> I think the loader does not support native OpenZFS encryption yet.
> However, you can encrypt non-essential datasets on a boot pool (that is,
> if com.datto:encryption is "active" AND the bootfs dataset is not
> encrypted, you can still boot from it).
>
> BTW, instead of entering the passphrase at the loader prompt, if / is not
> encrypted, it's also possible to do something like
> https://lists.freebsd.org/pipermail/freebsd-security/2012-August/006547.html
>
> Personally I'd probably go with GELI (or another kind of full disk
> encryption) regardless of whether OpenZFS's native encryption is used, because my
> primary goal is to be able to just throw away bad disks when they are
> removed from production [1]. If the pool is not fully encrypted, there
> is always a chance that the sensitive data have landed in some unencrypted
> datasets and never get fully overwritten.
>
> [1] Also keep in mind: https://xkcd.com/538/
>
> Cheers,
>

Yes, I've come to the same conclusion. This should be used on a data zpool and not on the system pool (zroot). Encryption is per dataset. Also, I found that if the encrypted dataset is not mounted for some reason, you will be writing to the parent unencrypted dataset. At least it works for an encrypted thumb drive; I just posted this quick guide:
https://forums.freebsd.org/threads/freebsd-13-openzfs-encrypted-thumb-drive.80008/

/Peter
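The hazard Peter describes (an encrypted child dataset whose key is not loaded, so writes under its mountpoint silently land in the unencrypted parent) can be checked before writing. Below is an added example, not code from this thread or from the OpenZFS project: it parses the output of `zfs list -H -o name,mountpoint,mounted,encryption,keystatus`, resolves a path to the dataset that is actually mounted there (longest mountpoint prefix among mounted datasets), and reports whether that dataset is encrypted with its key loaded. The pool layout and the two sample `zfs list` outputs are constructed for illustration; `receiving_dataset` and `write_is_encrypted` are names chosen here, not zfs commands.

```python
"""Which ZFS dataset will a write to PATH land in, and is that dataset encrypted?

Added example, not from the mailing-list thread or the OpenZFS project.
Dataset names, mountpoints and the sample `zfs list` output are constructed.
"""
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# Real OpenZFS properties; -H gives tab-separated output without headers.
ZFS_LIST_CMD = ["zfs", "list", "-H", "-o",
                "name,mountpoint,mounted,encryption,keystatus"]


@dataclass
class Dataset:
    name: str
    mountpoint: str   # "/", "/data", or "none"/"legacy"/"-"
    mounted: bool
    encryption: str   # "off" or the cipher, e.g. "aes-256-gcm"
    keystatus: str    # "available", "unavailable", or "-" when not encrypted


def parse_zfs_list(text: str) -> List[Dataset]:
    """Parse `zfs list -H -o name,mountpoint,mounted,encryption,keystatus`."""
    datasets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, mountpoint, mounted, encryption, keystatus = line.split("\t")
        datasets.append(Dataset(name, mountpoint, mounted == "yes",
                                encryption, keystatus))
    return datasets


def receiving_dataset(path: str, datasets: List[Dataset]) -> Optional[Dataset]:
    """Dataset whose *mounted* filesystem contains `path`.

    An unmounted child is skipped, so a path under its mountpoint resolves to
    the parent: exactly the case where data ends up unencrypted.
    """
    best = None
    for ds in datasets:
        if not ds.mounted or ds.mountpoint in ("none", "legacy", "-"):
            continue
        prefix = ds.mountpoint.rstrip("/") + "/"   # "/" stays "/"
        if path == ds.mountpoint or path.startswith(prefix):
            if best is None or len(ds.mountpoint) > len(best.mountpoint):
                best = ds
    return best


def write_is_encrypted(path: str, datasets: List[Dataset]) -> bool:
    """True only if the dataset receiving the write is encrypted and its key is loaded."""
    ds = receiving_dataset(path, datasets)
    return ds is not None and ds.encryption != "off" and ds.keystatus == "available"


def live_datasets() -> List[Dataset]:
    """Query the running system (needs a zfs binary; not used by the samples)."""
    return parse_zfs_list(subprocess.check_output(ZFS_LIST_CMD, text=True))


# Constructed sample: key for data/secret not loaded, so it is not mounted.
SAMPLE_KEY_NOT_LOADED = (
    "zroot\t/zroot\tno\toff\t-\n"
    "zroot/ROOT/default\t/\tyes\toff\t-\n"
    "data\t/data\tyes\toff\t-\n"
    "data/secret\t/data/secret\tno\taes-256-gcm\tunavailable\n"
)

# Constructed sample: after `zfs load-key data/secret && zfs mount data/secret`.
SAMPLE_KEY_LOADED = SAMPLE_KEY_NOT_LOADED.replace(
    "data/secret\t/data/secret\tno\taes-256-gcm\tunavailable",
    "data/secret\t/data/secret\tyes\taes-256-gcm\tavailable")


if __name__ == "__main__":
    target = "/data/secret/notes.txt"
    for label, sample in (("key not loaded", SAMPLE_KEY_NOT_LOADED),
                          ("key loaded", SAMPLE_KEY_LOADED)):
        ds = receiving_dataset(target, parse_zfs_list(sample))
        print(f"{label}: {target} -> {ds.name} "
              f"(encrypted={write_is_encrypted(target, parse_zfs_list(sample))})")
```

Run it before any job that drops files under an encrypted mountpoint; if `write_is_encrypted` is False, refuse to write rather than letting the data land in the parent. Peter's mitigation of putting encrypted datasets on a separate data pool rather than under zroot narrows the blast radius but does not remove this failure mode, since the unencrypted pool root still sits beneath the child's mountpoint.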