Date:      Mon, 26 Apr 2021 21:46:04 -0600
From:      Alan Somers <asomers@freebsd.org>
To:        mike tancsa <mike@sentex.net>
Cc:        Peter Libassi <peter@libassi.se>,  FreeBSD-STABLE Mailing List <freebsd-stable@freebsd.org>
Subject:   Re: zfs native encryption best practices on RELENG13
Message-ID:  <CAOtMX2hgmuySdVFPxpGCKFPRz1Vj1-2vxfHxxgdp_yebsLH7hg@mail.gmail.com>
In-Reply-To: <c3b59fb0-21d1-625f-865d-307b374d0dbf@sentex.net>
References:  <e79a8278-0fd8-532f-2a72-87d43cf27e7a@sentex.net> <56a4a35f-b4d7-661a-f59b-8cd399784e6e@delphij.net> <4CFAA2E3-F8B0-41F3-BA2D-4802FC138E8C@libassi.se> <c3b59fb0-21d1-625f-865d-307b374d0dbf@sentex.net>

On Mon, Apr 26, 2021 at 3:04 PM mike tancsa <mike@sentex.net> wrote:

> On 4/23/2021 11:47 PM, Peter Libassi wrote:
> > Yes, I’ve come to the same conclusion. This should be used on a
> > data-zpool and not on the system-pool (zroot). Encryption is per
> > dataset. Also I found that if the encrypted dataset is not mounted for
> > some reason you will be writing to the parent unencrypted dataset.. At
> > least it works for encrypted thumb_drive, I just posted this quick
> > guide
> > https://forums.freebsd.org/threads/freebsd-13-openzfs-encrypted-thumb-drive.80008/
>
> Thanks, good points to consider!  I wonder too if there are any
> performance differences
>
>     ---Mike
>

Yes there are.  Firstly, if you're using raid, then geli must encrypt both
data and parity.  ZFS crypto, however, only encrypts data because it
operates at a higher level.  That's a pretty substantial performance win
for ZFS during writes.  It's a nonissue for reads from a healthy array,
since ZFS doesn't need to read parity in that case.  Secondly, ZFS crypto
doesn't yet support hardware acceleration.  That's a huge win for geli if
you happen to have a hardware crypto engine (for this purpose AESNI does
not count as hardware, and it works fine with either geli or ZFS).
Thirdly, in my benchmarks I found about a 5% speed advantage for GELI
during reads, though I don't know why.  But of course none of this matters
if you're using a small number of HDDs.  It's only an issue if you have
fast SSDs or a large number of HDDs.
-Alan
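
The failure mode Peter mentions above, an encrypted dataset that is not mounted so that writes silently land on the unencrypted parent, can be caught with a small check. This is an added example, not code from anyone in the thread; it assumes the input is the tab-separated output of `zfs list -H -o name,mounted,encryption,keystatus -t filesystem`, and the sample below is constructed rather than captured from a real host.

```shell
# Flag encrypted ZFS datasets that are unmounted or have no key loaded.
# Reads `zfs list -H -o name,mounted,encryption,keystatus -t filesystem`
# output on stdin (tab-separated because of -H). Prints one warning per
# problem dataset; exit status is 0 when clean, 1 when anything was flagged.
# Caveat: a dataset intentionally set canmount=off or mountpoint=none is
# also reported, so review warnings rather than treating them as failures.
check_encrypted_mounted() {
    awk -F '\t' '
        $3 != "off" && ($2 != "yes" || $4 != "available") {
            printf "WARNING: %s encryption=%s mounted=%s keystatus=%s\n", \
                $1, $3, $2, $4
            bad = 1
        }
        END { exit bad }
    '
}

# Constructed sample standing in for a real `zfs list -H ...` run:
# data/secret is encrypted but not mounted and its key is not loaded,
# so anything written under its mountpoint would go to "data" in clear.
SAMPLE_LIST="$(printf 'zroot\tyes\toff\tnone
zroot/usr\tyes\toff\tnone
data\tyes\toff\tnone
data/secret\tno\taes-256-gcm\tunavailable
data/mail\tyes\taes-256-gcm\tavailable')"

# Runs the check against the constructed sample.
check_sample() {
    printf '%s\n' "$SAMPLE_LIST" | check_encrypted_mounted
}

# On a FreeBSD host the real invocation would be:
#   zfs list -H -o name,mounted,encryption,keystatus -t filesystem \
#       | check_encrypted_mounted
```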
