Date: Sat, 31 Oct 2020 15:48:00 -0400 From: Eric McCorkle <eric@metricspace.net> To: FreeBSD Hackers <freebsd-hackers@freebsd.org> Subject: Re: Mounting encrypted ZFS datasets/GELI for users? Message-ID: <794d789d-4056-4152-e7f6-bf9d10d42518@metricspace.net> In-Reply-To: <20201026221215.GB31099@funkthat.com> References: <8d467e98-237f-c6a2-72de-94c0195ec964@metricspace.net> <20201026221215.GB31099@funkthat.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On 10/26/20 6:12 PM, John-Mark Gurney wrote: > Eric McCorkle wrote this message on Mon, Oct 05, 2020 at 09:45 -0400: >> I'm presently looking into options presented by ZFS encryption. One >> idea I had was something like this (I'm going to go with ZFS for now, >> but you could presumably do something like this with GELI, with more >> effort). > > I'd still recommend using GELI. Even w/ ZFS's native encryption, the > metadata for ZFS remains unencrypted, and able to be munged. If you > geli w/ ZFS and a strong checksum, like sha512/256, I believe that this > is the equiavlent to authenticated encryption, ala geli's authenticated > mode, but with significantly less overhead... Something to note is that GELI's authenticated mode changes the block size, because it uses the last bytes in each block to hold the MAC. This is likely to have consequences for performance. However, this also does suggest a ZFS feature that would create a MAC code for the root block of the filesystem (I am less familiar with the ZFS on-disk format, but as it's a write-once format with MAC information stored at each block pointer, this would have the effect of protecting the entire filesystem from offline tampering. > This has already been implemented in PEFS: > https://pefs.io/ > > and there's already a port for it: > https://www.freshports.org/sysutils/pefs-kmod/ Thanks, I'll look into this.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?794d789d-4056-4152-e7f6-bf9d10d42518>