Encryption - Possible pitfalls?

Status
Not open for further replies.

Cupcake

Dabbler
Joined
Jan 1, 2014
Messages
42
Hi guys
I'm still not using my freenas in a productive way as I'm not 100% sure how to set it up. Especially the encryption. As a paranoid crypto freak, I'm all in favour of total drive encryption. I'm wondering now if there are any downsides besides a performance drop (I can handle that). Or asked differently: Is an encrypted pool more likely to fail completely than a non-encrypted pool? (In case of broken drives, sudden power loss, defective RAM, aged SATA cables etc.)

So far I've come up with the following list of Pros and Cons:

Pro (for the sake of completeness):
  • Data still secure when drives are failing and removed/thrown away
  • Data still secure when drives are stolen
Contra:
  • Decreased performance
  • It's possible to lose the keys and therefore lose access to the otherwise intact pool
  • It's easier to mess the pool up via gui when it's encrypted
  • Possibly useless if only one (windows-)user does not have a desktop password and znas volumes are (CIFS-)mounted automatically.
Bottom line is, I've searched around the forums for people having trouble with the encryption and in every case I've seen the users were impatient or careless when they tried to "fix" an encrypted pool or upgrade from Z1 to Z2 and Z2 to Z3 respectively. By running wrong commands or clicking wrong stuff in the GUI they then lost the encrypted pool completely. I'm wondering if there are also more technical risks when using encryption compared to no encryption. Data recovery for example in case of damaged ZFS pools is a pain even when no encryption has been used, so that's not an argument, right?

Please feel free to add your items to the list above, no matter what their origin is.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
There is no true answer to your question. But, mathematically anytime you make a "system" more complex, there is increased risk of failure. This is a fundamental truth in science.

Now the real question is "Is there real increased chances of failure?"

We have had people do things that have really caused them to lose their pool due to software bugs. But, as you listed, "broken drives, sudden power loss, defective RAM, aged SATA cables": none of those affect encryption vs non-encryption reliability.

And there have been known bugs in FreeNAS where it should have performed a particular way, and instead worked in a non-expected way due to bugs. We have had people lose data over it. We had one yesterday where someone tried to add disks to an encrypted pool that was locked. The GUI should have prevented it, but didn't. The end result: the pool was lost. This exact bug has bitten 2 people just since Jan 1, but had never been a problem for the last 13 months that encrypted pools have existed.

So just like I explained yesterday to someone, there may be unknown bugs with encrypted pools. It adds complexity, and there is a non-zero chance that there are still unknown bugs. You cannot properly protect yourself from lost encrypted pools because you cannot backup the potentially most important data of all, the master key. And there currently is no way to backup the master key from the GUI.

Currently, I don't recommend to my friends that they use encryption unless they have a robust backup system in place in the event that you encounter a bug. The encryption system has pretty much been refined in a path of blood and tears. So proceed at your own risk.
 

Cupcake

Dabbler
Joined
Jan 1, 2014
Messages
42
Hmm, I see... if you don't recommend it to friends of yours I'll think twice about it. Maybe when I build another NAS in 2 years or so the situation has changed, we will see...
I guess right now it's more a feature to be tested on a non-critical server. Since I "only" have one server now I should probably go with no geli + truecrypt.

Thanks for your input.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
I use encryption, but I am also a more advanced user. I can either figure it out for myself or ask someone else for help. Being that if you had a problem you'd immediately have to ask a forum, probably not a very safe bet. I don't recommend it to friends because:

1. I try to build systems that won't require my constant care.
2. More stuff they can do wrong and break it in a way I can't recover from.
3. There's no guarantee I'll be able to support it in the future since I'm trying to move 1500 miles.

If my friend and I lived in a duplex next to each other and he wanted encryption I'd probably consider it since I'd expect him to always have me doing the dirty work. But, many people don't want to have friends rely on him/her like that.
 