From owner-freebsd-fs@FreeBSD.ORG Sat Sep 18 01:53:47 2010 Return-Path: Delivered-To: freebsd-fs@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id E24281065673 for ; Sat, 18 Sep 2010 01:53:47 +0000 (UTC) (envelope-from andriy@irbisnet.com) Received: from smtp103.rog.mail.re2.yahoo.com (smtp103.rog.mail.re2.yahoo.com [206.190.36.81]) by mx1.freebsd.org (Postfix) with SMTP id A6BBD8FC0A for ; Sat, 18 Sep 2010 01:53:46 +0000 (UTC) Received: (qmail 93157 invoked from network); 18 Sep 2010 01:53:45 -0000 Received: from smtp.irbisnet.com (andriy@99.235.226.221 with login) by smtp103.rog.mail.re2.yahoo.com with SMTP; 17 Sep 2010 18:53:45 -0700 PDT X-Yahoo-SMTP: dz9sigaswBA5kWoYWVTZrGHmIs2vaKgG1w-- X-YMail-OSG: _cRN7ZYVM1mzU4nuNIwmkWbg652UM7t29BrZJksm_69WDli D1MzLKGcgW1.jCAa9Azi.fTT3.OmPWhOjkFit_IRalu4qRhEExhsXWVkR0No nsZR8kzrmKk6_pVypodHxhO_g7Uh_PPr2eW60pO5NIJty1KlngNrjTI_rWfA Myj2t59LvkWQLD2c66qb6RukcF6JPlL8ZxbKTGko5kVylwT2gOCmmFmKtdjZ OLLSTwLxk99Vb4AEAh7ODpbVmLmTBsrHmoKrf3FDew6nQH.blLp35RbzOEem k0G_BsTuTrn3qrnpax.OpiKDXjSU6A5fb_PBDTC3viXY2gqn_rr2dIOpD8nk m3wlf_15pguNXJh9obNdttWHLnebvj1HUUjke3WyNIq9hqm.ltTbKoTYu9Qh SIQjLzTTWv9QYrZmYyGV0vgIqOMP59aAgBVGOzHMBWOkX X-Yahoo-Newman-Property: ymail-3 Received: from prime.irbisnet.com (prime.irbisnet.vpn [10.78.76.4]) by smtp.irbisnet.com (Postfix) with ESMTPSA id DEACA11425; Fri, 17 Sep 2010 21:53:43 -0400 (EDT) Content-Type: text/plain; charset=utf-8; format=flowed; delsp=yes To: "Pawel Jakub Dawidek" References: <20100917192938.GB1902@garage.freebsd.pl> Date: Fri, 17 Sep 2010 21:53:36 -0400 MIME-Version: 1.0 Content-Transfer-Encoding: 7bit From: "Andriy Bakay" Message-ID: In-Reply-To: <20100917192938.GB1902@garage.freebsd.pl> User-Agent: Opera Mail/10.61 (FreeBSD) Cc: "freebsd-fs@freebsd.org" Subject: Re: ZFS + GELI data integrity X-BeenThere: freebsd-fs@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Filesystems List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 18 Sep 2010 01:53:48 -0000 Thanks, Pawel for detailed answer. Turn off ZFS checksum is not a option at least for me, because I will loose self healing I guess. But (ZFS with SHA256) + (GELI only encryption) sounds good. I have another question. I read on OpenSolaris ZFS Dedup FAQ, they used not very efficient implementation of ZFS SHA256 checksum: "However, ZFS uses its own copy of SHA256 and doesn't currently use a crypto accelerator or crypto framework." http://hub.opensolaris.org/bin/view/Community+Group+zfs/dedup What about FreeBSD implementation of ZFS SHA256 checksum? Thanks, Andriy On Fri, 17 Sep 2010 15:29:38 -0400, Pawel Jakub Dawidek wrote: > On Thu, Sep 16, 2010 at 03:22:27PM -0400, Andriy Bakay wrote: >> Hi list(s), >> >> I am using ZFS on top of GELI. Does exists any practical reason to >> enable >> GELI data authentication (data integrity) underneath of ZFS? I >> understand >> GELI data integrity is cryptographically strong -- up to HMAC/SHA512, >> but >> ZFS has SHA256 checksum. GELI linked data to sector and will detect if >> somebody move data around, but my understanding is to move data around >> consistently one need to decrypt it which is very difficult. Correct me >> if >> I wrong. >> >> Any thoughts? > > ZFS blocks form z merkle tree (http://en.wikipedia.org/wiki/Hash_tree), > so if you're using cryptographically strong hash, like sha256 within > your pool, I believe it is safe not to use GELI data authentication, but > only encryption. Note, that I'm not cryptographer and this is quite > complex scenario, so what I believe in here might not be true. > Alternatively you could use GELI authetication and turn off ZFS > checksum. When I personally use ZFS on top of GELI, I do just that: GELI > does encryption only and ZFS does authentication with SHA256 checksum. > -- Using Opera's revolutionary email client: http://www.opera.com/mail/