Date:      Fri, 23 Apr 2021 14:23:38 -0700
From:      Xin Li <delphij@delphij.net>
To:        mike tancsa <mike@sentex.net>, FreeBSD-STABLE Mailing List <freebsd-stable@freebsd.org>
Subject:   Re: zfs native encryption best practices on RELENG13
Message-ID:  <56a4a35f-b4d7-661a-f59b-8cd399784e6e@delphij.net>
In-Reply-To: <e79a8278-0fd8-532f-2a72-87d43cf27e7a@sentex.net>
References:  <e79a8278-0fd8-532f-2a72-87d43cf27e7a@sentex.net>

On 4/23/21 13:53, mike tancsa wrote:
> Starting to play around with RELENG_13 and wanted to explore ZFS' built in
> encryption.  Is there a best practices doc on how to do full disk
> encryption anywhere that's not GELI based?  There are lots for GELI,
> but nothing I could find for native OpenZFS encryption on FreeBSD
>
> i.e. box gets rebooted, enter in passphrase to allow it to boot kind of
> thing from the boot loader prompt?

I think the loader does not support the native OpenZFS encryption yet.
However, you can encrypt non-essential datasets on a boot pool (that is,
if com.datto:encryption is "active" AND the bootfs dataset is not
encrypted, you can still boot from it).

BTW instead of entering passphrase at loader prompt, if / is not
encrypted, it's also possible to do something like
https://lists.freebsd.org/pipermail/freebsd-security/2012-August/006547.html .

Personally I'd probably go with GELI (or other kind of full disk
encryption) regardless of whether OpenZFS's native encryption is used because my
primary goal is to be able to just throw away bad disks when they are
removed from production [1].  If the pool is not fully encrypted, there
is always a chance that the sensitive data have landed in some unencrypted
datasets and never get fully overwritten.

[1] Also keep in mind: https://xkcd.com/538/

Cheers,





Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?56a4a35f-b4d7-661a-f59b-8cd399784e6e>
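
An added example, not part of the original message and not FreeBSD or OpenZFS project code: a small audit for the layout discussed in the reply (unencrypted bootfs, natively encrypted datasets beside it) that lists every dataset still storing data in plaintext. The pool name, dataset names and output tags are assumptions made for illustration; the sample listing is constructed.

```sh
#!/bin/sh
# Added example. Input is the tab-separated output of:
#   zfs get -H -r -t filesystem,volume -o name,value encryption <pool>
# where value is "off" or the cipher suite in use.

# audit_encryption BOOTFS: read that listing on stdin and print one finding
# per line:
#   BOOT_OK <ds>         bootfs is unencrypted (the bootable case above)
#   BOOT_ENCRYPTED <ds>  bootfs itself is encrypted
#   BOOT_PARENT <ds>     unencrypted ancestor of bootfs
#   PLAINTEXT <ds>       any other dataset that stores data unencrypted
#   BOOT_MISSING <ds>    bootfs does not appear in the listing
audit_encryption() {
    awk -F '\t' -v bootfs="$1" '
        $1 == bootfs {
            seen = 1
            tag = ($2 == "off") ? "BOOT_OK" : "BOOT_ENCRYPTED"
            print tag, $1
            next
        }
        $2 != "off" { next }                       # encrypted: nothing to report
        index(bootfs, $1 "/") == 1 { print "BOOT_PARENT", $1; next }
        { print "PLAINTEXT", $1 }
        END { if (!seen) print "BOOT_MISSING", bootfs }
    '
}

# count_plaintext BOOTFS: number of PLAINTEXT findings for the same input.
count_plaintext() {
    audit_encryption "$1" | grep -c '^PLAINTEXT ' || true
}

# Constructed sample listing (pool and dataset names are made up).
sample_listing() {
    printf 'zroot\toff\n'
    printf 'zroot/ROOT\toff\n'
    printf 'zroot/ROOT/default\toff\n'
    printf 'zroot/home\taes-256-gcm\n'
    printf 'zroot/var/log\toff\n'
}

# Demo on the sample; on a live system pipe the zfs get output in instead,
# with BOOTFS taken from: zpool get -H -o value bootfs <pool>
sample_listing | audit_encryption zroot/ROOT/default
```

Any PLAINTEXT line names a dataset whose blocks remain readable on a disk pulled from the pool unless a full-disk layer such as GELI sits underneath.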