onlineforums (Explorer; joined Oct 1, 2017; 56 messages)
I realize that in the TrueNAS 12 release there will be ZFS dataset encryption. For now, though, I'm wildly confused about the history and reasoning as to why, as of the latest FreeNAS 11.3, there isn't a passphrase in combination with a key for GELI whole-pool (volume) encryption.
In the recent past (within the last few years' releases), when encrypting a volume it would ask for a passphrase to use. When the FreeNAS box started, the pool would be locked and encrypted until someone went into the web UI and entered the passphrase.
I'm doing some testing right now on 11.3 and there is no ability to enter a passphrase. You simply get to download a key, which is stored on disk anyway, so if someone got physical access to the FreeNAS box itself then the data isn't encrypted. It seems like the only purpose this serves currently is if an intruder only has access to the hard drive(s) and not the FreeNAS box itself.
I greatly look forward to TrueNAS 12 with dataset encryption, but I would still love to know the history, reasoning, logic, etc. as to why the passphrase aspect of the GELI encryption process was removed. Were there major bugs associated with it? Were too many people not understanding the process to rekey/re-passphrase during resilvering in a bad HDD situation?
It seems like the reward is no longer there for whole-pool encryption using only a GELI key. If the only thing I am protecting by doing whole-pool GELI encryption is against the physical hard disks themselves being stolen, then I can resolve that with proper physical security measures. I will also properly destroy a hard disk, irrespective of whether it was encrypted, if the disk fails. So is there absolutely no benefit to whole-volume encryption if physical security isn't a concern?
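The threat model the post describes (a key file that lives on the boot device, with or without a passphrase folded in) can be illustrated with a small model. This is an added example, not FreeNAS code and not GELI's actual key schedule: it stands in a simplified PBKDF2/HMAC construction for GELI's key-file-plus-passphrase combination, with constructed salt and iteration values, to show why a stolen key file alone unlocks a key-only pool but not a key-plus-passphrase pool.

```python
import hashlib
import hmac
import secrets
from typing import Optional

PBKDF2_ITERS = 200_000  # constructed value; GELI chooses its own iteration count


def derive_user_key(keyfile: bytes, passphrase: Optional[str]) -> bytes:
    """Combine the key file and, if present, a passphrase into the user key.
    Simplified model: HMAC over the key file, then chained with the
    PBKDF2-stretched passphrase (GELI's real derivation differs in detail)."""
    uk = hmac.new(b"model-user-key", keyfile, hashlib.sha512).digest()
    if passphrase is not None:
        stretched = hashlib.pbkdf2_hmac(
            "sha512", passphrase.encode(), b"constructed-salt", PBKDF2_ITERS)
        uk = hmac.new(uk, stretched, hashlib.sha512).digest()
    return uk


def wrap_master_key(master_key: bytes, user_key: bytes) -> bytes:
    """Wrap the 32-byte master key under the user key: XOR with a key stream
    derived from user_key, plus an HMAC tag so a wrong user key is detected."""
    stream = hashlib.sha512(b"wrap" + user_key).digest()[:32]
    ct = bytes(a ^ b for a, b in zip(master_key, stream))
    tag = hmac.new(user_key, ct, hashlib.sha256).digest()
    return ct + tag


def unwrap_master_key(blob: bytes, user_key: bytes) -> Optional[bytes]:
    """Return the master key, or None if the user key does not match."""
    ct, tag = blob[:32], blob[32:]
    if not hmac.compare_digest(hmac.new(user_key, ct, hashlib.sha256).digest(), tag):
        return None  # wrong key file and/or passphrase
    stream = hashlib.sha512(b"wrap" + user_key).digest()[:32]
    return bytes(a ^ b for a, b in zip(ct, stream))


def keyfile_alone_unlocks(passphrase_at_setup: Optional[str]) -> bool:
    """Model the poster's scenario: an intruder with the box has the key file
    from disk but no passphrase. True if that alone recovers the master key."""
    keyfile = secrets.token_bytes(64)   # constructed: the downloadable key
    master = secrets.token_bytes(32)    # constructed: the pool's master key
    blob = wrap_master_key(master, derive_user_key(keyfile, passphrase_at_setup))
    return unwrap_master_key(blob, derive_user_key(keyfile, None)) == master
```

With a passphrase set at creation time the key file on disk is necessary but not sufficient, which is the protection the post says 11.3's key-only mode no longer gives.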