Date: Sat, 24 Apr 2021 05:47:45 +0200
From: Peter Libassi <peter@libassi.se>
To: d@delphij.net
Cc: mike tancsa <mike@sentex.net>, FreeBSD-STABLE Mailing List <freebsd-stable@freebsd.org>, Xin Li <delphij@delphij.net>
Subject: Re: zfs native encryption best practices on RELENG13
Message-ID: <4CFAA2E3-F8B0-41F3-BA2D-4802FC138E8C@libassi.se>
In-Reply-To: <56a4a35f-b4d7-661a-f59b-8cd399784e6e@delphij.net>
References: <e79a8278-0fd8-532f-2a72-87d43cf27e7a@sentex.net> <56a4a35f-b4d7-661a-f59b-8cd399784e6e@delphij.net>
> On 23 Apr 2021, at 23:23, Xin Li via freebsd-stable <freebsd-stable@freebsd.org> wrote:
>
> On 4/23/21 13:53, mike tancsa wrote:
>> Starting to play around with RELENG_13 and wanted to explore ZFS' built in
>> encryption. Is there a best practices doc on how to do full disk
>> encryption anywhere that's not GELI based? There are lots for GELI,
>> but nothing I could find for native OpenZFS encryption on FreeBSD
>>
>> i.e. box gets rebooted, enter in passphrase to allow it to boot kind of
>> thing from the boot loader prompt?
>
> I think loader does not support the native OpenZFS encryption yet.
> However, you can encrypt non-essential datasets on a boot pool (that is,
> if com.datto:encryption is "active" AND the bootfs dataset is not
> encrypted, you can still boot from it).
>
> BTW instead of entering the passphrase at the loader prompt, if / is not
> encrypted, it's also possible to do something like
> https://lists.freebsd.org/pipermail/freebsd-security/2012-August/006547.html
>
> Personally I'd probably go with GELI (or another kind of full disk
> encryption) regardless of whether OpenZFS's native encryption is used, because my
> primary goal is to be able to just throw away bad disks when they are
> removed from production [1]. If the pool is not fully encrypted, there
> is always a chance that the sensitive data have landed on some unencrypted
> datasets and never get fully overwritten.
>
> [1] Also keep in mind: https://xkcd.com/538/
>
> Cheers,
>

Yes, I've come to the same conclusion. This should be used on a data zpool and not on the system pool (zroot). Encryption is per dataset. Also I found that if the encrypted dataset is not mounted for some reason, you will be writing to the parent unencrypted dataset.

At least it works for an encrypted thumb drive; I just posted this quick guide: https://forums.freebsd.org/threads/freebsd-13-openzfs-encrypted-thumb-drive.80008/

/Peter
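The trap Peter describes (an encrypted child dataset that is not mounted, so writes silently land in the unencrypted parent's directory) can be checked for before any data is written. The following is an added example and is not part of the thread or of FreeBSD/OpenZFS; it assumes the property names `encryption`, `keystatus` and `mounted` as reported by `zfs get -H -o property,value`, and the function names `zfs_props`, `prop_value`, `safe_to_write` and `guarded_copy` as well as the dataset name `tank/secret` are the example's own choices.

```shell
#!/bin/sh
# Guard against the "write to the unencrypted parent" trap: before putting data
# under an encrypted dataset's mountpoint, confirm that the dataset is encrypted,
# that its key is loaded and that it is actually mounted.
# Added example, not from the original thread. Assumed names: zfs_props,
# prop_value, safe_to_write, guarded_copy and the dataset "tank/secret".

# Single point of contact with the zfs binary. `zfs get -H -o property,value`
# prints one tab-separated "property<TAB>value" line per property.
# Override this function to feed constructed output (as the tests below do).
zfs_props() {
    zfs get -H -o property,value encryption,keystatus,mounted "$1"
}

# Pick one property's value out of the tab-separated zfs_props output.
prop_value() {
    printf '%s\n' "$2" | awk -F '\t' -v p="$1" '$1 == p { print $2; exit }'
}

# Returns 0 when the dataset is encrypted, its key is available and it is mounted;
# 1 when any of those is false (a write now would land on the parent dataset);
# 2 when the dataset could not be queried at all.
safe_to_write() {
    ds=$1
    props=$(zfs_props "$ds" 2>/dev/null) || return 2
    [ -n "$props" ] || return 2
    enc=$(prop_value encryption "$props")
    key=$(prop_value keystatus "$props")
    mnt=$(prop_value mounted "$props")
    case $enc in
        off|-|'') return 1 ;;            # no encryption on this dataset at all
    esac
    [ "$key" = available ] || return 1   # key not loaded: dataset cannot be mounted
    [ "$mnt" = yes ] || return 1         # not mounted: the path is the parent's directory
    return 0
}

# Copy a file under the dataset's mountpoint only after safe_to_write agrees.
# Usage: guarded_copy tank/secret /path/to/file /tank/secret/
guarded_copy() {
    gc_ds=$1; gc_src=$2; gc_dst=$3
    if safe_to_write "$gc_ds"; then
        cp -- "$gc_src" "$gc_dst"
    else
        printf 'refusing to write: %s is not an encrypted, key-loaded, mounted dataset\n' "$gc_ds" >&2
        return 1
    fi
}

# Only touch a live system when a dataset is named on the command line,
# e.g.: sh guard.sh tank/secret
if [ -n "$1" ]; then
    safe_to_write "$1" && echo "ok to write to $1"
fi
```

Running `safe_to_write tank/secret` immediately before a backup job or a `cp` into the mountpoint turns the silent misplacement into a hard failure. The check works at dataset level only; it does not verify that a particular path is the dataset's mountpoint rather than a directory of the same name in the parent, so the destination path should be derived from the dataset's `mountpoint` property rather than typed by hand.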