ZFS encryption on some datasets only?


Active Member

Messages: 109

I am about to initialise a new server host. This host contains four x 8TB WD NAS drives. The first FreeBSD system that I set up was created with raidz2 encrypted with root on ZFS. This requires manual intervention when restarting. Is there a way to install FreeBSD on ZFS such that one can create encrypted datasets as required?

Specifically, I want to know if bhyve VM datasets can be individually encrypted at the time of VM create or later.


Aspiring Daemon

Reaction score: 224
Messages: 606

I guess at the moment, the answer is "no". Except of course if you use separate ZFS pools individually encrypted by GELI. AFAIK, encrypting individual volumes would be possible with native ZFS encryption, but this isn't supported yet.



Reaction score: 521
Messages: 1,399

At the moment the closest you could get to this is to create zvols for the guest disks, then run GELI on those, then provide the .eli device to bhyve.

There is currently a shift in progress to move FreeBSD to ZFSonLinux, which as far as I’m aware would come with native encryption (I’m not 100% that it’s actually in an official ZoL release yet but it’s definitely in progress). There are already packages available to test the new ZoL module on FreeBSD, although I wouldn’t use it for anything production.
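The zvol plus GELI approach from the reply above, written out as a FreeBSD sh script. This is an added example, not part of the thread; the dataset name `zroot/vm/guest0/disk0`, the 20G size, PCI slot 4, the AES-XTS 256-bit and 4096-byte sector settings, and the helper function names are all assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): one GELI-encrypted zvol per bhyve guest.
# Dataset names, size and PCI slot used with it are constructed sample values.

# Reject dataset names that are empty or contain shell-unsafe characters.
valid_ds() {
    case $1 in
        ''|*[!A-Za-z0-9_./-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Device node FreeBSD creates for a zvol.
zvol_dev() { printf '/dev/zvol/%s\n' "$1"; }

# One-time setup: create the zvol, write GELI metadata, attach it.
# geli init and geli attach prompt for the passphrase.
create_guest_disk() {
    valid_ds "$1" || return 1
    dev=$(zvol_dev "$1")
    # volmode=geom exposes the zvol as a GEOM provider, which GELI needs.
    zfs create -p -V "$2" -o volmode=geom "$1" &&
    geli init -e AES-XTS -l 256 -s 4096 "$dev" &&
    geli attach "$dev"
}

# Print the bhyve disk argument for slot $1 and dataset $2.
# Fails closed: if the .eli provider is missing (for example after a host
# reboot, before geli attach), it returns an error instead of falling back
# to the raw zvol.
# $3 is an optional path prefix so the check can be exercised off-host.
bhyve_disk_arg() {
    valid_ds "$2" || return 1
    eli="${3:-}$(zvol_dev "$2").eli"
    [ -e "$eli" ] || { echo "not attached: $eli" >&2; return 1; }
    printf '%s %s,virtio-blk,%s\n' -s "$1" "$eli"
}

# Usage (as root on the host): script.sh zroot/vm/guest0/disk0 20G
if [ "$#" -eq 2 ]; then
    create_guest_disk "$1" "$2" && bhyve_disk_arg 4 "$1"
fi
```

After a host reboot only `geli attach` has to be repeated for each guest disk before its VM is started; the zvol and its GELI metadata persist.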