ZFS native encryption support

ZFSv28 is the latest opensource version of ZFS.

ZFSv30 or ZFSv31 include encryption support, and are only available in Solaris 11. None of the ZFS bits have been opensourced. Thus, there's nothing "to port".
 
As I understand it, ZFS is forked?

Pretty sure the OpenIndiana/Illumos guys are working on ZFS independently of Oracle now? As above, I suspect any improvements made by either Illumos or FreeBSD will be shared between them.
 
What will this do with on-disk format compatibility? I always loved the fact that I could always import any pool version into any operating system as long as the supported pool version was equal or higher, even across little-/big-endian systems.

I guess this could still be possible with our own implementation if Oracle at least documents the on-disk format properly, else it'd be a reverse-engineering job which I'd not feel comfortable with for enterprise storage purposes :/
 
Or it won't be a reverse engineering and there will be two different versions for zfs from now. Would be a pity.
 
I don't like the Oracle way of doing things, and it did not surprise me that, after having kicked off OpenSolaris, ZFS is also going to become closed source.
 
Search the forums. This topic (future of ZFS) has come up many times already, and all the details regarding the ZFS Working Group have been listed in there.
 
overmind said:
You could always use ZFS + Geli.
I am using it, but once the pool grows with lots of HDDs it becomes pretty slow. Geli is working under ZFS and there are too many extra operations needed. The ZFS encryption method is implemented directly in the I/O chain (compression->encryption->checksum->deduplication), which I suspect to be much faster.
 
lockdoc said:
I am using it, but once the pool grows with lots of HDDs it becomes pretty slow.
Geli is working under ZFS and there are too many extra operations needed.
The ZFS encryption method is implemented directly in the I/O chain (compression->encryption->checksum->deduplication), which I suspect to be much faster.

That might be true, but unless Oracle changes its mind (which, I guess, is highly unlikely), it seems like the only option.
 
If I am not mistaken there are a couple of others also affected by this among FreeBSD such as OpenSolaris, OpenIndiana and Illumos. So this might be the chance for those 4 to group up on ZFS development.
 
Yes, that's possible. Instead of hoping that Oracle will open the sources of ZFSv30, one can gather some able people and try to implement ZFS-native encryption support using the codebase of the v28... ;)

I would really appreciate it :)
 
lockdoc said:
If I am not mistaken there are a couple of others also affected by this among FreeBSD such as OpenSolaris, OpenIndiana and Illumos. So this might be the chance for those 4 to group up on ZFS development.

OpenSolaris is RIP thanks to Oracle. OpenIndiana is based on Illumos, an OpenSolaris fork, and FreeBSD gets its ZFS code from Illumos.

The only open source full production OS that supports ZFS is FreeBSD.
 
I'm still looking for an in-depth benchmark/analysis of ZFS atop GELI devices. I don't have enough practical experience with ZFS to do that myself.
 
lockdoc said:
If I am not mistaken there are a couple of others also affected by this among FreeBSD such as OpenSolaris, OpenIndiana and Illumos. So this might be the chance for those 4 to group up on ZFS development.

Search the forums for "ZFS Working Group". This is already happening.
 
gkontos said:
OpenSolaris is RIP thanks to Oracle. OpenIndiana is based on Illumos, an OpenSolaris fork, and FreeBSD gets its ZFS code from Illumos.

The only open source full production OS that supports ZFS is FreeBSD.

And Nexenta. And several Linux distros via ZFS-on-Linux. And several others. ZFS is out there, and many OSes/projects/groups/people are using it. :)
 
phoenix said:
How is NexentaCore not a production OS?

I was under the impression that it has been replaced by NexentaStor, which is not an open source OS.

phoenix said:
How is a Linux distro not a production OS?

Not when it comes to native ZFS support. Meaning that there have been enough installations followed by testing backed by a team that can handle bug fixes and development, giving the green light for production usage.

I don't like to play with words and I am a big ZFS advocate. But I believe that the only open source OS which can fully support ZFS for production today is FreeBSD.

I also have nothing against Linux when it comes to ZFS integration and sincerely express my support to the ZFS Working Group ;)
 
I'm using Geli (AES 128) + ZFS (FreeBSD 8) with raid-z2 and 12 x 2 TByte SATA (SII 3114 PCI), CPU AMD X2 3800 with 3 Gbyte RAM, so a rather "low end" server now :)

I get between 30 to 35 Mbyte / sec over SMB export if I copy large amounts of data - as I'm away from my server I cannot benchmark at the moment.

All in all I think GELI+ZFS already offers quite a nice performance.

Because of the time-consuming crypt operation (at least for non-AES-NI) I'm sure the difference between Geli + ZFS and native crypto ZFS is minimal - ZFS native crypt is optimizing the 1% CPU usage, while 99 percent of the CPU time is still consumed by (de)crypting algos.
 
I also have performance problems using Geli on ZFS. I run an Atom from Soekris (1.6GHz and 2GB RAM), and my test case uses 4 160GB SATA disks. I get around 2~3MB/s. AES 128 bits.

I was hoping for something faster, as this same box can serve up to 10MB/s without Geli.

If there is any option here, I'd really like to know :)

Thanks,

none
 
If you want encryption performance, surely you want a CPU with AES encryption in hardware. I don't think an Atom is ever likely to give you this, it's simply not the right hardware for the job.
 