Date: Fri, 17 Sep 2010 21:53:36 -0400
From: "Andriy Bakay" <andriy@irbisnet.com>
To: "Pawel Jakub Dawidek" <pjd@freebsd.org>
Cc: "freebsd-fs@freebsd.org" <freebsd-fs@freebsd.org>
Subject: Re: ZFS + GELI data integrity
Message-ID: <op.vi7gvmex6f601j@prime.irbisnet.com>
In-Reply-To: <20100917192938.GB1902@garage.freebsd.pl>
References: <op.vi433pxp6f601j@prime.irbisnet.com> <20100917192938.GB1902@garage.freebsd.pl>
Thanks, Pawel, for the detailed answer.

Turning off the ZFS checksum is not an option, at least for me, because I will lose self-healing, I guess. But (ZFS with SHA256) + (GELI only encryption) sounds good.

I have another question. I read on the OpenSolaris ZFS Dedup FAQ that they use a not very efficient implementation of the ZFS SHA256 checksum: "However, ZFS uses its own copy of SHA256 and doesn't currently use a crypto accelerator or crypto framework." http://hub.opensolaris.org/bin/view/Community+Group+zfs/dedup

What about the FreeBSD implementation of the ZFS SHA256 checksum?

Thanks,
Andriy

On Fri, 17 Sep 2010 15:29:38 -0400, Pawel Jakub Dawidek <pjd@freebsd.org> wrote:

> On Thu, Sep 16, 2010 at 03:22:27PM -0400, Andriy Bakay wrote:
>> Hi list(s),
>>
>> I am using ZFS on top of GELI. Does there exist any practical reason to
>> enable GELI data authentication (data integrity) underneath ZFS? I
>> understand GELI data integrity is cryptographically strong -- up to
>> HMAC/SHA512, but ZFS has a SHA256 checksum. GELI links data to the
>> sector and will detect if somebody moves data around, but my
>> understanding is that to move data around consistently one needs to
>> decrypt it, which is very difficult. Correct me if I am wrong.
>>
>> Any thoughts?
>
> ZFS blocks form a Merkle tree (http://en.wikipedia.org/wiki/Hash_tree),
> so if you're using a cryptographically strong hash, like sha256, within
> your pool, I believe it is safe not to use GELI data authentication, but
> only encryption. Note that I'm not a cryptographer and this is quite a
> complex scenario, so what I believe here might not be true.
> Alternatively you could use GELI authentication and turn off the ZFS
> checksum. When I personally use ZFS on top of GELI, I do just that: GELI
> does encryption only and ZFS does authentication with the SHA256 checksum.

--
Using Opera's revolutionary email client: http://www.opera.com/mail/
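The Merkle-tree argument in Pawel's reply, as an added worked example (this is not code from the thread, from FreeBSD, or from ZFS): a toy two-level tree in which an "indirect block" stores the SHA-256 checksums of its data blocks and an "uberblock" pointer stores the checksum of the indirect block. Because every checksum lives in the parent rather than in the block itself, swapping two ciphertext sectors underneath (the relocation case Andriy asks about) is caught on the next read, which a scheme where each block only checksums its own payload cannot do. The mirror-based `heal()` function illustrates the self-healing Andriy would lose with `checksum=off`. Block sizes, block contents, and the function names are assumptions made for the example.

```python
"""Toy model of the ZFS Merkle-tree integrity argument.

Constructed example, not ZFS code. Data blocks are short byte strings, the
"indirect block" is the concatenation of the leaves' SHA-256 checksums, and
the "uberblock" pointer is the SHA-256 of that indirect block.
"""
import hashlib

BLOCK_SIZE = 16   # toy block size (assumption; ZFS records are 512 B .. 128 KiB)
CKSUM_LEN = 32    # SHA-256 digest length


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def build_tree(blocks):
    """Return (root_checksum, indirect_block) for a list of data blocks.

    A parent holds its children's checksums, so a leaf's checksum is stored
    outside the leaf. That is what makes relocation of a leaf detectable.
    """
    indirect = b"".join(sha256(b) for b in blocks)
    return sha256(indirect), indirect


def verify_tree(root, indirect, blocks):
    """Walk the tree top-down as a read would.

    Returns None if the indirect block itself does not match the root,
    otherwise the list of leaf indices whose contents do not match the
    checksum their parent stores for them.
    """
    if sha256(indirect) != root:
        return None
    bad = []
    for i, blk in enumerate(blocks):
        stored = indirect[i * CKSUM_LEN:(i + 1) * CKSUM_LEN]
        if sha256(blk) != stored:
            bad.append(i)
    return bad


def self_checksummed(blocks):
    """Contrast scheme: each block carries the checksum of its own payload."""
    return [b + sha256(b) for b in blocks]


def verify_self_checksummed(stored):
    """Per-block self-check: only corruption of a block's own bytes is caught."""
    return [i for i, s in enumerate(stored)
            if sha256(s[:-CKSUM_LEN]) != s[-CKSUM_LEN:]]


def swap(blocks, i, j):
    """Simulate an on-disk relocation: two whole sectors exchanged."""
    out = list(blocks)
    out[i], out[j] = out[j], out[i]
    return out


def corrupt(blocks, i):
    """Simulate a flipped bit, e.g. a damaged ciphertext sector under GELI."""
    out = list(blocks)
    out[i] = bytes([out[i][0] ^ 0x01]) + out[i][1:]
    return out


def heal(root, indirect, copies):
    """Self-healing with mirrors: for each leaf, return the first copy whose
    checksum matches the parent, or None if every copy is bad."""
    if sha256(indirect) != root:
        raise ValueError("indirect block does not match root")
    healed = []
    for i in range(len(copies[0])):
        stored = indirect[i * CKSUM_LEN:(i + 1) * CKSUM_LEN]
        good = next((c[i] for c in copies if sha256(c[i]) == stored), None)
        healed.append(good)
    return healed


# Constructed sample pool: four blocks, padded to BLOCK_SIZE.
SAMPLE_BLOCKS = [f"block-{i:02d}".encode().ljust(BLOCK_SIZE, b"\0") for i in range(4)]
ROOT, INDIRECT = build_tree(SAMPLE_BLOCKS)

if __name__ == "__main__":
    print("clean read:        ", verify_tree(ROOT, INDIRECT, SAMPLE_BLOCKS))
    print("sectors 0,3 swapped:", verify_tree(ROOT, INDIRECT, swap(SAMPLE_BLOCKS, 0, 3)))
    print("self-checksum only: ",
          verify_self_checksummed(swap(self_checksummed(SAMPLE_BLOCKS), 0, 3)))
    print("bit flip in block 1:", verify_tree(ROOT, INDIRECT, corrupt(SAMPLE_BLOCKS, 1)))
    mirror_a = corrupt(SAMPLE_BLOCKS, 2)
    print("healed from mirror: ", heal(ROOT, INDIRECT, [mirror_a, SAMPLE_BLOCKS]) == SAMPLE_BLOCKS)
```

The example only covers what a strong, tree-structured checksum buys you over no authentication at all; it does not model an attacker who can rewrite the tree consistently, which is the part of the scenario Pawel flags as beyond his confidence.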
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?op.vi7gvmex6f601j>