From owner-freebsd-fs@FreeBSD.ORG Fri Sep 17 19:30:02 2010 Return-Path: Delivered-To: freebsd-fs@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 251731065672 for ; Fri, 17 Sep 2010 19:30:02 +0000 (UTC) (envelope-from pjd@garage.freebsd.pl) Received: from mail.garage.freebsd.pl (60.wheelsystems.com [83.12.187.60]) by mx1.freebsd.org (Postfix) with ESMTP id BF2648FC0A for ; Fri, 17 Sep 2010 19:30:01 +0000 (UTC) Received: by mail.garage.freebsd.pl (Postfix, from userid 65534) id 3F62145C98; Fri, 17 Sep 2010 21:30:00 +0200 (CEST) Received: from localhost (chello089077043238.chello.pl [89.77.43.238]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.garage.freebsd.pl (Postfix) with ESMTP id E6F8945683; Fri, 17 Sep 2010 21:29:54 +0200 (CEST) Date: Fri, 17 Sep 2010 21:29:38 +0200 From: Pawel Jakub Dawidek To: Andriy Bakay Message-ID: <20100917192938.GB1902@garage.freebsd.pl> References: Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="JP+T4n/bALQSJXh8" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.4.2.3i X-PGP-Key-URL: http://people.freebsd.org/~pjd/pjd.asc X-OS: FreeBSD 9.0-CURRENT amd64 X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on mail.garage.freebsd.pl X-Spam-Level: X-Spam-Status: No, score=-0.6 required=4.5 tests=BAYES_00,RCVD_IN_SORBS_DUL autolearn=no version=3.0.4 Cc: "freebsd-fs@freebsd.org" Subject: Re: ZFS + GELI data integrity X-BeenThere: freebsd-fs@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Filesystems List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 17 Sep 2010 19:30:02 -0000 --JP+T4n/bALQSJXh8 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Sep 16, 2010 at 03:22:27PM -0400, Andriy Bakay wrote: > Hi list(s), >=20 > I am using ZFS on top of GELI. Does exists any practical reason to enable= =20 > GELI data authentication (data integrity) underneath of ZFS? I understand= =20 > GELI data integrity is cryptographically strong -- up to HMAC/SHA512, but= =20 > ZFS has SHA256 checksum. GELI linked data to sector and will detect if = =20 > somebody move data around, but my understanding is to move data around = =20 > consistently one need to decrypt it which is very difficult. Correct me i= f =20 > I wrong. >=20 > Any thoughts? ZFS blocks form z merkle tree (http://en.wikipedia.org/wiki/Hash_tree), so if you're using cryptographically strong hash, like sha256 within your pool, I believe it is safe not to use GELI data authentication, but only encryption. Note, that I'm not cryptographer and this is quite complex scenario, so what I believe in here might not be true. Alternatively you could use GELI authetication and turn off ZFS checksum. When I personally use ZFS on top of GELI, I do just that: GELI does encryption only and ZFS does authentication with SHA256 checksum. --=20 Pawel Jakub Dawidek http://www.wheelsystems.com pjd@FreeBSD.org http://www.FreeBSD.org FreeBSD committer Am I Evil? Yes, I Am! --JP+T4n/bALQSJXh8 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.14 (FreeBSD) iEYEARECAAYFAkyTwaEACgkQForvXbEpPzQIbQCgjA89ID5Jep0BoeeC2kilB8j7 Of4AnRqOnbvFwRE1t+iFkfkCAVXbbofG =sLC7 -----END PGP SIGNATURE----- --JP+T4n/bALQSJXh8--