Date:      Fri, 17 Sep 2010 21:29:38 +0200
From:      Pawel Jakub Dawidek <pjd@FreeBSD.org>
To:        Andriy Bakay <andriy@irbisnet.com>
Cc:        "freebsd-fs@freebsd.org" <freebsd-fs@freebsd.org>
Subject:   Re: ZFS + GELI data integrity
Message-ID:  <20100917192938.GB1902@garage.freebsd.pl>
In-Reply-To: <op.vi433pxp6f601j@prime.irbisnet.com>
References:  <op.vi433pxp6f601j@prime.irbisnet.com>


On Thu, Sep 16, 2010 at 03:22:27PM -0400, Andriy Bakay wrote:
> Hi list(s),
>
> I am using ZFS on top of GELI. Does there exist any practical reason to enable
> GELI data authentication (data integrity) underneath ZFS? I understand
> GELI data integrity is cryptographically strong -- up to HMAC/SHA512, but
> ZFS has SHA256 checksum. GELI links data to the sector and will detect if
> somebody moves data around, but my understanding is that to move data around
> consistently one needs to decrypt it, which is very difficult. Correct me if
> I'm wrong.
>
> Any thoughts?

ZFS blocks form a Merkle tree (http://en.wikipedia.org/wiki/Hash_tree),
so if you're using a cryptographically strong hash, like sha256, within
your pool, I believe it is safe not to use GELI data authentication, but
only encryption. Note that I'm not a cryptographer and this is quite a
complex scenario, so what I believe here might not be true.
Alternatively you could use GELI authentication and turn off the ZFS
checksum. When I personally use ZFS on top of GELI, I do just that: GELI
does encryption only and ZFS does authentication with SHA256 checksum.

-- 
Pawel Jakub Dawidek                       http://www.wheelsystems.com
pjd@FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!
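
The Merkle-tree argument in the reply above, as an added example that is not part of the original message and is not ZFS code: a simplified Python model in which every parent block stores the address and SHA-256 of each child, so sectors swapped on disk fail verification from the root. The pointer layout and the names `write_tree`, `verify` and `demo` are constructed for illustration, and the encryption layer is left out of the model.

```python
import hashlib

PTR = 4 + 32  # constructed pointer layout: 4-byte sector address + SHA-256 of child

def write_tree(disk, blocks, fanout=2):
    """Store data blocks, then indirect blocks holding (address, checksum) pointers.
    Returns the root pointer (addr, digest, depth), kept outside the tree."""
    level = []
    for data in blocks:
        disk.append(data)
        level.append((len(disk) - 1, hashlib.sha256(data).digest()))
    depth = 0
    while len(level) > 1:
        parents = []
        for i in range(0, len(level), fanout):
            body = b"".join(a.to_bytes(4, "big") + h for a, h in level[i:i + fanout])
            disk.append(body)
            parents.append((len(disk) - 1, hashlib.sha256(body).digest()))
        level, depth = parents, depth + 1
    return level[0] + (depth,)

def verify(disk, ptr):
    """Walk down from the root pointer; return the sector addresses whose
    content does not match the checksum stored in their parent."""
    addr, digest, depth = ptr
    block = disk[addr]
    if hashlib.sha256(block).digest() != digest:
        return [addr]  # nothing below an unverified block can be trusted
    if depth == 0:
        return []
    bad = []
    for i in range(0, len(block), PTR):
        child = int.from_bytes(block[i:i + 4], "big")
        bad += verify(disk, (child, block[i + 4:i + PTR], depth - 1))
    return bad

def demo():
    disk = []  # constructed sample pool: four data blocks, fanout 2
    root = write_tree(disk, [(b"block-%d" % i) * 8 for i in range(4)])
    clean = verify(disk, root)
    # Relocate two sectors without touching their content or any key.
    disk[0], disk[3] = disk[3], disk[0]
    return clean, verify(disk, root)

if __name__ == "__main__":
    print(demo())
```

Both swapped sectors are reported because each checksum lives in the parent, next to the address it was written for, and not alongside the data it covers.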
