Date: Mon, 26 Apr 2021 16:50:27 -0400 From: mike tancsa <mike@sentex.net> To: d@delphij.net, FreeBSD-STABLE Mailing List <freebsd-stable@freebsd.org> Subject: Re: zfs native encryption best practices on RELENG13 Message-ID: <89f5a96b-60fa-2d99-3f61-42cade6280eb@sentex.net> In-Reply-To: <56a4a35f-b4d7-661a-f59b-8cd399784e6e@delphij.net> References: <e79a8278-0fd8-532f-2a72-87d43cf27e7a@sentex.net> <56a4a35f-b4d7-661a-f59b-8cd399784e6e@delphij.net>
index | next in thread | previous in thread | raw e-mail
On 4/23/2021 5:23 PM, Xin Li wrote: > On 4/23/21 13:53, mike tancsa wrote: >> Starting to play around with RELENG_13 and wanted explore ZFS' built in >> encryption. Is there a best practices doc on how to do full disk >> encryption anywhere thats not GELI based ? There are lots for >> GELI, >> but nothing I could find for native OpenZFS encryption on FreeBSD >> >> i.e box gets rebooted, enter in passphrase to allow it to boot kind of >> thing from the boot loader prompt ? > I think loader do not support the native OpenZFS encryption yet. > However, you can encrypt non-essential datasets on a boot pool (that is, > if com.datto:encryption is "active" AND the bootfs dataset is not > encrypted, you can still boot from it). > > BTW instead of entering passphrase at loader prompt, if / is not > encrypted, it's also possible to do something like > https://lists.freebsd.org/pipermail/freebsd-security/2012-August/006547.html > . > > Personally I'd probably go with GELI (or other kind of full disk > encryption) regardless if OpenZFS's native encryption is used because my > primary goal is to be able to just throw away bad disks when they are > removed from production [1]. If the pool is not fully encrypted, there > is always a chance that the sensitive data have landed some unencrypted > datasets and never gets fully overwritten. > > [1] Also keep in mind: https://xkcd.com/538/ Thanks for the perspective and links. I have a couple of use case scenarios. One, for devices in somewhat physically untrusted environments. Someone breaks into the store, and steals the PC. I can see the advantages of GELI to this environment. The other is the ability for customers to send me encrypted datasets for offsite backup. If its encrypted, I have less exposure if the dataset is encrypted and I cant see the contents. Same for making backups to disks to put in cold storage although yes, I can see GELI having an an advantage again for full disk encryption. ---Mikehelp
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?89f5a96b-60fa-2d99-3f61-42cade6280eb>