Solved [Encrypted root] Native ZFS encryption vs geli

Hello,
I'm upgrading my laptop to FreeBSD 13.0 now and have a question about my setup. I'm using encrypted everything with geli (the loader detects and asks for the geli password at boot since 12.0). I like this scheme, but should I consider moving to ZFS native encryption in the future? I can't find information on whether the loader supports this, and some of the ZFS metadata will be exposed, for sure.
 
As far as I know it's not yet possible to boot from a ZFS encrypted dataset. But there's work being done to make that possible.
 
If you're concerned about metadata leakage, geli will always be superior to ZFS native encryption. Think of your data living inside a big sealed shipping container (geli) vs. a lot of various-size small, labeled boxes (ZFS native).
 
geli is a nice tool to encrypt your home directory only. For example, NomadBSD lets users use geli encryption. I haven't tried ZFS encryption before, but according to SirDice it's not possible yet, so geli seems to be the best option currently.
 