Date: Tue, 21 Aug 2018 23:56:02 -0400
From: Allan Jude <allanjude@freebsd.org>
To: freebsd-current@freebsd.org
Subject: Re: Native Encryption for ZFS on FreeBSD CFT
Message-ID: <6852700c-b4bd-eee2-13f5-95fd184dd427@freebsd.org>
In-Reply-To: <CAOtMX2gvtzKg=DJChZdcYCiuADNVm9JvhgLNJ7bmwCLArgigjw@mail.gmail.com>
References: <CAPrugNomNQQUZZNgngYRjDEVEU=_KbE2pgG4ajO1Jr4%2BGov2gQ@mail.gmail.com> <CAPrugNpKOYe9VS6Q-Q43t4i51qsxrP0SKW76208rtX-ENWxS5g@mail.gmail.com> <CAOtMX2jGQWm9ZFM_0kqvEt41xrm%2BFTpq6JVK4iK-c20NQjisRg@mail.gmail.com> <AD1101E9-9A3E-41CB-B313-1723123C607B@ixsystems.com> <CAOtMX2gvtzKg=DJChZdcYCiuADNVm9JvhgLNJ7bmwCLArgigjw@mail.gmail.com>

On 2018-08-21 23:16, Alan Somers wrote:
> On Tue, Aug 21, 2018 at 9:13 PM Sean Fagan <sef@ixsystems.com> wrote:
>
>> On Aug 21, 2018, at 8:11 PM, Alan Somers <asomers@freebsd.org> wrote:
>>> The last time I looked (which was a long time ago), Oracle's ZFS
>>> encryption looked extremely vulnerable to watermarking attacks.  Did
>>> anybody ever fix that?
>>
>> This isn’t Oracle’s implementation, but I don’t know how compatible or not
>> it is with it.
>>
>> Sean.
>>
>
> It wasn't just an implementation problem, it was in the design.  IIRC,
> Oracle's encryption allowed encrypted blocks to be deduplicated.  There's
> pretty much no way to defend against watermarking attacks with such a
> design.  Does the new encryption design have the same flaw?
>
> -Alan

There is a presentation from the OpenZFS developers summit that walks
through the design. It is not the same as the Oracle version, although
relatively similar.

Video: https://youtu.be/frnLiXclAMo
Slides:
https://drive.google.com/file/d/0B5hUzsxe4cdmU3ZTRXNxa2JIaDQ/view?usp=sharing

It says dedup only works within the same 'clone family', and uses a
unique IV for every block, except when the data is identical (when it
gets deduped).

It isn't clear to me from the presentation if this issue is mitigated or
not. Slide #26 suggests they have done more than Oracle did.

-- 
Allan Jude
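
The trade-off discussed in this thread, as an added example that is not part of the original message and is not ZFS code: it shows what stays visible on disk when identical blocks must encrypt identically so they can be deduplicated. Assumptions: the dedup IV is modelled as a keyed MAC of the plaintext, the cipher is a stand-in built from HMAC-SHA256, and the keys and the block content are constructed.

```python
import hashlib
import hmac
import os

BLOCK = 4096  # constructed record size


def _prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def _keystream(key, iv, n):
    # Stand-in stream cipher (HMAC-SHA256 in counter mode), not ZFS's AES mode.
    blocks = (_prf(key, b"enc" + iv + i.to_bytes(8, "big")) for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def encrypt_block(key, plaintext, dedup):
    """Return (iv, ciphertext). Assumed model: with dedup the IV is a keyed
    MAC of the plaintext; without it the IV is random for every write."""
    iv = _prf(key, b"iv" + plaintext)[:12] if dedup else os.urandom(12)
    ks = _keystream(key, iv, len(plaintext))
    return iv, bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt_block(key, iv, ciphertext):
    ks = _keystream(key, iv, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def observe():
    """Compare on-disk (iv, ciphertext) pairs as a reader of the raw disk would."""
    family_a, family_b = os.urandom(32), os.urandom(32)  # constructed keys
    known = b"constructed known content ".ljust(BLOCK, b".")
    return {
        "same_family_dedup": encrypt_block(family_a, known, True) == encrypt_block(family_a, known, True),
        "other_family_dedup": encrypt_block(family_a, known, True) == encrypt_block(family_b, known, True),
        "same_family_no_dedup": encrypt_block(family_a, known, False) == encrypt_block(family_a, known, False),
    }


if __name__ == "__main__":
    for case, identical in observe().items():
        print(f"{case}: identical on disk = {identical}")
```

In this model, scoping the key to one clone family confines the equality leak to blocks inside that family; it does not remove it.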