ZFS native encryption

JayG30 · Aug 16, 2017

Hello,

Today I saw that the work being done by Tom Caputi over at Datto was merged into ZoL. Very exciting to see. Curious if there is any ongoing effort on the BSD side?

Thanks.

::references::
https://github.com/zfsonlinux/zfs/pull/5769
https://www.youtube.com/watch?v=frnLiXclAMo
https://www.ixsystems.com/blog/openzfs-devsummit-2016/

droeders · Aug 16, 2017

There was a small bit of discussion about this here:

https://forums.freenas.org/index.php?threads/full-disk-encryption-in-freenas-11.56984/

Not sure about the timetable @Arwen suggested in that thread - I'm just not in-the-know. However, even if FreeNAS released it tomorrow, I would likely wait at least a year before using it in production.

JayG30 · Aug 16, 2017

droeders said:
There was a small bit of discussion about this here:

https://forums.freenas.org/index.php?threads/full-disk-encryption-in-freenas-11.56984/

Not sure about the timetable @Arwen suggested in that thread - I'm just not in-the-know. However, even if FreeNAS released it tomorrow, I would likely wait at least a year before using it in production.

I hope there is work being done on the BSD side. Certainly a concern for production, but the only way you really get something to a proven production status is to get it out there and into the hands of users. The longer you push off "introducing it" even in alpha stages the slower it will take to ever get it to production grade.

Ericloewe · Aug 16, 2017

There are a few points that need to be addressed before this becomes available on FreeBSD:

Upstream wants some experience with ZFS on Linux before merging
There are still a few issues that need fixing in the upstreamed version
Once everything is in place upstream, it needs to be adapted to FreeBSD, ideally making use of FreeBSD's crypto framework

Allan Jude has looked into that last part and there are some questions to be addressed (including the fact that FreeBSD is missing one of the crypto options available in the Linux version of this work), but he has said he's going to need help.

Arwen · Aug 16, 2017

My guestimate time frame is basically the same as @droeders thought.

@Ericloewe, if I understand it correctly, Tom Caputi is developing it for illumos. So theoretically Linux would be the 2nd of the 4 core OSes of the OpenZFS project. Though perhaps he has not merged the ZFS encryption back into illumos yet. The crypto part is actually kind of interesting. It appears that work on both FreeBSD and Linux is called for, since they both have odd handling of kernel based crypto. If I remember correctly, the new replacement to SPL, (Solaris Porting Layer), module will have the crypto calls in it. Thus, taking care of both FreeBSD and Linux access.

Even if released to FreeNAS, it should be listed as a feature in test, use at your own risk. Maybe add a GUI popup that forces user to type in some thing like I know it's testing. Then keep it that way for a year. Only after it seems stable, remove the feature in test warning for FreeNAS, and port it to TrueNAS. But, hey no one listens to me :).

Ericloewe · Aug 16, 2017

Arwen said:
if I understand it correctly, Tom Caputi is developing it for illumos

No, he's doing his work on Linux. That's where it's upstreamed from. The upstreaming work is mostly parallel, lagging behind a bit.

Arwen said:
Even if released to FreeNAS, it should be listed as a feature in test, use at your own risk. Maybe add a GUI popup that forces user to type in some thing like I know it's testing. Then keep it that way for a year. Only after it seems stable, remove the feature in test warning for FreeNAS, and port it to TrueNAS. But, hey no one listens to me :).

It'll be interesting to see how well it works on Linux, now that it's been merged.

Arwen · Aug 17, 2017

Ericloewe said:
No, he's doing his work on Linux. That's where it's upstreamed from. The upstreaming work is mostly parallel, lagging behind a bit.
...

Hmm, you may make me watch Tom's video on ZFS native encryption again... Here is a link for those interested;

https://www.youtube.com/watch?v=frnLiXclAMo

Ericloewe · Aug 17, 2017

I definitely recommend it to anyone interested in ZFS. He did his homework and the presentation is excellent, despite the complicated nature of the topic.

Stux · Aug 18, 2017

Ericloewe said:
I definitely recommend it to anyone interested in ZFS. He did his homework and the presentation is excellent, despite the complicated nature of the topic.

Fantastic presentation.

Arwen · Aug 27, 2017

Those interested, I started a thread for ZFS native encryption, on Linux;

https://forums.freenas.org/index.php?threads/zfs-on-linux-native-encryption.57164/

I've actually loaded the updated ZFS software and tried the encryption.

Important Announcement for the TrueNAS Community.

ZFS native encryption

JayG30

Contributor

droeders

Contributor

JayG30

Contributor

Ericloewe

Server Wrangler

Arwen

MVP

Ericloewe

Server Wrangler

Arwen

MVP

Ericloewe

Server Wrangler

Stux

MVP

Arwen

MVP

Similar threads