About FreeNAS and virtualization + ZFS

Status
Not open for further replies.

ovizii

Patron
Joined
Jun 30, 2014
Messages
435
This is going to be a bit of a longer story so please bear with me.

At work, I need to set up a server at an ISP, which I need to certify according to ISO 27001, so one of my problems is that when one of the HDs fails it will get replaced by the ISP, and I was looking to use encryption to make sure that the removed HD cannot be used/read/data-mined.

I looked at Hyper-V as a hypervisor, which has the benefit of having BitLocker built in, but after several days of testing I found that its Linux support is spotty.

I then went on to test VMware as it offers VM encryption, not full disk encryption though, but this would be good enough. After tinkering around I found out one needs a separate KMS server/manager to use this.

Last on my list was Proxmox, which supports LUKS and ZFS but not native ZFS encryption and is apparently a PITA to set up.


So I thought about FreeNAS, seeing that it offers ZFS + encryption, at least in version 9.10, which I currently use, but I have never looked at virtualization.

So provided the hardware is compatible with FreeNAS, could I set up a FreeNAS system with an encrypted ZFS pool and utilize all of its features + virtualize a few Linux-based VMs?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Proxmox, which supports LUKS and ZFS but not native ZFS encryption
There is no "native ZFS encryption" in any open-source product, as OpenZFS doesn't incorporate this (yet). FreeNAS uses FreeBSD's GELI encryption system to encrypt the whole disk.
So provided the hardware is compatible with FreeNAS, could I set up a FreeNAS system with an encrypted ZFS pool and utilize all of its features + virtualize a few Linux-based VMs?
You should be able to do this using FreeNAS 11; it incorporates bhyve VMs through the GUI.
 

ovizii

Patron
Joined
Jun 30, 2014
Messages
435
There is no "native ZFS encryption" in any open-source product, as OpenZFS doesn't incorporate this (yet). FreeNAS uses FreeBSD's GELI encryption system to encrypt the whole disk.

You should be able to do this using FreeNAS 11; it incorporates bhyve VMs through the GUI.
Thanks for clarifying. GELI is fine with me, it has always worked for me. So I guess now I need to read up on bhyve's features to see if it does what I need, right?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504

Arwen

MVP
Joined
May 17, 2014
Messages
3,611
Please note that native OpenZFS encryption is coming, perhaps by the end of the year. Of course, it will take more time for that feature to appear in FreeBSD. Then even more time for it to appear in FreeNAS. But, hey, it's coming. Here is a link:

http://open-zfs.org/wiki/ZFS-Native_Encryption
 

ovizii

Patron
Joined
Jun 30, 2014
Messages
435
Does anyone here have experience with the bhyve/iohyve implementation in FreeNAS 11? Is it a feature-complete solution for a hypervisor or not yet?

The reason I am asking is that I thought of a workaround: I could use 2 servers, one running FreeNAS and encrypting its HDs, the other one running a hypervisor using the storage provided by the first one for its VMs.
 