Date:      Mon, 26 Apr 2021 16:50:27 -0400
From:      mike tancsa <mike@sentex.net>
To:        d@delphij.net, FreeBSD-STABLE Mailing List <freebsd-stable@freebsd.org>
Subject:   Re: zfs native encryption best practices on RELENG13
Message-ID:  <89f5a96b-60fa-2d99-3f61-42cade6280eb@sentex.net>
In-Reply-To: <56a4a35f-b4d7-661a-f59b-8cd399784e6e@delphij.net>
References:  <e79a8278-0fd8-532f-2a72-87d43cf27e7a@sentex.net> <56a4a35f-b4d7-661a-f59b-8cd399784e6e@delphij.net>

On 4/23/2021 5:23 PM, Xin Li wrote:
> On 4/23/21 13:53, mike tancsa wrote:
>> Starting to play around with RELENG_13 and wanted to explore ZFS' built-in
>> encryption.  Is there a best practices doc on how to do full disk
>> encryption anywhere that's not GELI based?  There are lots for GELI,
>> but nothing I could find for native OpenZFS encryption on FreeBSD
>>
>> i.e. box gets rebooted, enter in passphrase to allow it to boot kind of
>> thing from the boot loader prompt?
> I think loader does not support the native OpenZFS encryption yet.
> However, you can encrypt non-essential datasets on a boot pool (that is,
> if com.datto:encryption is "active" AND the bootfs dataset is not
> encrypted, you can still boot from it).
>
> BTW instead of entering passphrase at loader prompt, if / is not
> encrypted, it's also possible to do something like
> https://lists.freebsd.org/pipermail/freebsd-security/2012-August/006547.html
> .
>
> Personally I'd probably go with GELI (or other kind of full disk
> encryption) regardless if OpenZFS's native encryption is used because my
> primary goal is to be able to just throw away bad disks when they are
> removed from production [1].  If the pool is not fully encrypted, there
> is always a chance that the sensitive data have landed in some unencrypted
> datasets and never get fully overwritten.
>
> [1] Also keep in mind: https://xkcd.com/538/

Thanks for the perspective and links.  I have a couple of use case
scenarios.  One, for devices in somewhat physically untrusted
environments.  Someone breaks into the store, and steals the PC.  I can
see the advantages of GELI to this environment.  The other is the
ability for customers to send me encrypted datasets for offsite backup.
If it's encrypted, I have less exposure if the dataset is encrypted and I
can't see the contents.  Same for making backups to disks to put in cold
storage although yes, I can see GELI having an advantage again for
full disk encryption.


    ---Mike




