ZFS native encryption

SirDice


Will FreeBSD 12 support ZFS native encryption?
No.

 
OP

quanquan


No.

If so, it means that the Linux layer will be more powerful, but I did not see much improvement of the Linux-compatible layer.
Some Java programs do not run well on FreeBSD; will we go back to CentOS to use ZFS? 😝
 

abishai


No.

What do you mean? ZoL supports native encryption: https://github.com/zfsonlinux/zfs/pull/5769/commits/5aef9bedc801830264428c64cd2242d1b786fd49
For example, mmacy grabbed encryption commits from ZoL and imported them to FreeBSD. It worked, so, no doubt, we'll get native encryption after the transition to ZoL/F.
 

SirDice


It worked, so, no doubt, we'll get native encryption after the transition to ZoL/F.
The transition to ZoL will add it but it's going to be 13.0 at the earliest and perhaps even later.
 

rigoletto@


There is a ZFS native encryption implementation that has already been done for a while (from iXsystems IIRC) and was initially targeted at 12R, but the last time I looked it was not quite ready to merge, and they are also trying to fix a particular security issue that exists when the encryption is used with deduplication, and that is present in all ZFS native encryption implementations.

See HERE.
 

phoenix


maurizio


I already had a nightmare about backing up and transferring files from geli encryption disks to zfs native encryption disks.
What about geli? Will it continue to be a valid alternative, won't it?
 
OP

quanquan


FreeBSD 12-STABLE after AES-CCM support was added, not FreeBSD 12.0-RELEASE. Small, but important, difference/clarification. :)

From the Makefile commit logs:
When will 12-stable come?
I run 'make' in 'zol ports', but it tells me I need 'AES-MSS'; should I continue with 'zol-kmod'?
 

rigoletto@


When will 12-stable come?

In short, never. :)

Stable is where the new dot releases are stabilized before becoming an actual dot release. The fact that some feature is in there doesn't automatically mean it will come to the next dot release.
 

usdmatt


What about geli? Will it continue to be a valid alternative, won't it?

As far as I'm aware, GELI is still the primary method of encrypting block devices in FreeBSD so I don't see it going anywhere. ZFS encryption isn't much use if you want an encrypted UFS disk.
 

rootbert


Just as info for you: I did a performance test on a current Ubuntu Linux with ZFS 0.8.3. I used fio to compare native ZFS, encrypted ZFS and a LUKS-encrypted partition as a backing device for unencrypted ZFS - all on a notebook with an SSD. LUKS-encrypted (equivalent to what we in FreeBSD land have with geli) was 2-6 times faster than encrypted ZFS... most of the time 4x - I did not expect the difference to be that huge.
 

eydaimon


Just as info for you: I did a performance test on a current Ubuntu Linux with ZFS 0.8.3. I used fio to compare native ZFS, encrypted ZFS and a LUKS-encrypted partition as a backing device for unencrypted ZFS - all on a notebook with an SSD. LUKS-encrypted (equivalent to what we in FreeBSD land have with geli) was 2-6 times faster than encrypted ZFS... most of the time 4x - I did not expect the difference to be that huge.

So what you're saying is that encrypted ZFS is slow AF?
 

eydaimon


Yes. So unless you have a special need for encrypted zfs I highly recommend geli (FreeBSD) or luks (Linux).

Thank you for the quick response. I'm using geli now but I would like to have it native so I'm not tied to a specific OS. 🤔 My use-case is a NAS so all I really need is to be able to stream videos on my LAN. Should still be OK for this, no?
 

rootbert


Yes, that should work. I think it even works on CPUs without crypto extensions and old hardware since you don't need that much bandwidth ... IIRC 8MB per second is enough for 4k resolution videos. A quick benchmark showed that even my old Intel Pentium M 686 CPU (without AES extension) with 1800MHz and a P(!)ATA disk manages to get around 16MB/sec read speed ;-)

I have now extended my benchmark script and at the moment I am doing some benchmarks ... different Linux/LUKS + unencrypted ZFS 0.8.4 vs Linux + encrypted ZFS 0.8.4 vs FreeBSD GELI + unencrypted ZFS vs FreeBSD + openzfs-kmod/encrypted. Currently on an SSD, but I intend to also benchmark HDDs (setup of one, two or three disks).
 