ZFS encryption - where to store the key?

Want to set up an Elitedesk with a big 3,5" disk as backup server. Want to use ZFS with native encryption. Server will be mostly off and switched on for backups.
How do I enter the encryption key?
- sitting on the unencrypted part of the system is pointless
- sshing in and typing in the key is laborious

So I thought of keeping the key on my main laptop or mobile and putting a script behind a button, that does the ssh in and load-key part. Of course this only shifts the problem of keeping keys safe to the mobile, but it contains lots of secrets, anyway.

Opinions?

The called script must store the key temporarily on the unencrypted part of the file system, as load-key -L loads from a file. There is no /dev/shmem, is there?
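On the temporary-file concern above: `zfs load-key -L prompt` reads the key from standard input when stdin is not a terminal, so the "ssh in and load-key" button script can pipe the key across the ssh session. The following is an added example, not part of the original posts; the host name `backup`, the dataset `tank/backup` and the key file path are assumptions.

```shell
#!/bin/sh
# Added example: unlock an encrypted dataset on the backup server from the laptop
# without the key ever being written to the server's file system.
# Assumed names (not from the thread): host, dataset and key file path below.
BACKUP_HOST="${BACKUP_HOST:-backup}"
DATASET="${DATASET:-tank/backup}"
KEYFILE="${KEYFILE:-$HOME/.keys/backup.key}"

# The dataset name is interpolated into a command run by the remote shell, so
# accept only a conservative allowlist and refuse a leading "-" or "/".
valid_dataset() {
    case "$1" in
        ''|-*|/*|*[!A-Za-z0-9_./:-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the remote command. "-L prompt" overrides any stored keylocation, and
# with no terminal on stdin zfs reads the key from stdin instead of prompting.
remote_cmd() {
    valid_dataset "$1" || return 1
    printf 'zfs load-key -L prompt %s && zfs mount %s' "$1" "$1"
}

# Succeed only if the key file exists and grants nothing to group or other.
keyfile_private() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

unlock() {
    keyfile_private "$KEYFILE" || { echo "key file missing or too permissive" >&2; return 1; }
    cmd=$(remote_cmd "$DATASET") || { echo "refusing dataset name: $DATASET" >&2; return 1; }
    # -T: no remote tty, so the key arrives on the pipe that ssh connects to stdin.
    ssh -T "$BACKUP_HOST" "$cmd" < "$KEYFILE"
}

# Contact the server only when called as: ./unlock-backup.sh unlock
if [ "${1:-}" = "unlock" ]; then
    unlock
fi
```

The key file's content has to match the dataset's `keyformat`; after the backup, unmounting the dataset and running `zfs unload-key` returns it to the locked state.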
 
A few ideas that came to mind:
- partition your music player's micro sdcard with UFS to store your keys on
- could do the same with your cell phone's micro sdcard
- usb thumb drive
- what about an optical disc?
 
Want to use ZFS with native encryption. Server will be mostly off and switched on for backups.
The whole point of ZFS encryption is that keystatus can be unavailable and you can still do (a subset of) management operations, in particular receive (encrypted) data sets. A backup server does not need to encrypt any data. The data have already been encrypted somewhere else. (Or do you adopt a, say, rsync(1)-backed approach for backing up data?)
 
Why are you encrypting? Presumably to protect against someone reading your data. Who is that someone? What do you think they'll do to get to your data?

Having figured out the answer to the above, we can ask the next question: Is there a place that the attacker will not have access to?

And the final question: What is the tradeoff between convenience and security? How much is your data not being read worth to you? How much do you think your data is worth to potential attackers? How hard are they going to work to get to the encryption key? As an example: If your data is extremely valuable (for example it endangers the survival of a nation state), you can expect that the attackers will visit in person, with a large group of well-armed people, and they will perform a rubber hose attack: Hit you with rubber hoses until you "voluntarily" tell them the encryption key. If your data is this valuable, questions such as "SD card versus USB stick" become a lot less relevant, and the question you need to ask is "what caliber machine gun to mount on the roof of my server room".

In practice: I would go with something like a USB stick or nearby cell phone or security key. I've heard that "Yubi keys" and their competitors can be effectively used for this, but I have never set one up myself (it's on the to-do list).
 