ZFS native encryption

Will FreeBSD 12 support ZFS native encryption?
No.

 
No.

If so, it means that the Linux layer will be more powerful, but I did not see much improvement of the Linux compatible layer.
Some Java programs do not run well on FreeBSD; will we go back to CentOS to use ZFS? 😝
 
No.

What do you mean? ZoL supports native encryption: https://github.com/zfsonlinux/zfs/pull/5769/commits/5aef9bedc801830264428c64cd2242d1b786fd49
For example, mmacy grabbed encryption commits from ZoL and imported them to FreeBSD. It worked, so, no doubts, we'll get native encryption after transition to ZoL/F.
 
It worked, so, no doubts, we'll get native encryption after transition to ZoL/F.
The transition to ZoL will add it but it's going to be 13.0 at the earliest and perhaps even later.
 
There is a ZFS native encryption implementation that has already been done for a while (from iXsystems IIRC) and was initially targeted to 12R, but the last time I saw it, it was not quite ready to merge, and they are also trying to fix a particular security issue that exists when the encryption is used with deduplication, and that is present in all ZFS native encryption implementations.

See HERE.
 
I already had a nightmare about backing up and transferring files from geli encryption disks to zfs native encryption disks.
What about geli? Will it continue to be a valid alternative, won't it?
 
FreeBSD 12-STABLE after AES-CCM support was added, not FreeBSD 12.0-RELEASE. Small, but important, difference/clarification. :)

From the Makefile commit logs:
When will 12-stable come?
I run 'make' in 'zol ports', but it tells me I need 'AES-MSS'; should I continue with 'zol-kmod'?
 
What about geli? Will it continue to be a valid alternative, won't it?

As far as I'm aware, GELI is still the primary method of encrypting block devices in FreeBSD so I don't see it going anywhere. ZFS encryption isn't much use if you want an encrypted UFS disk.
 
Just as an info for you: I did a performance test on a current Ubuntu Linux with ZFS 0.8.3. I used fio to compare native ZFS, encrypted ZFS and a LUKS-encrypted partition as a backing device for unencrypted ZFS - all on a notebook with an SSD. LUKS-encrypted (equivalent to what we in FreeBSD land have with geli) was 2-6 times faster than encrypted ZFS... most of the time 4x - I did not expect the difference to be that huge.
 
Just as an info for you: I did a performance test on a current Ubuntu Linux with ZFS 0.8.3. I used fio to compare native ZFS, encrypted ZFS and a LUKS-encrypted partition as a backing device for unencrypted ZFS - all on a notebook with an SSD. LUKS-encrypted (equivalent to what we in FreeBSD land have with geli) was 2-6 times faster than encrypted ZFS... most of the time 4x - I did not expect the difference to be that huge.

So what you're saying is that encrypted ZFS is slow AF?
 
Yes. So unless you have a special need for encrypted ZFS I highly recommend geli (FreeBSD) or LUKS (Linux).

Thank you for the quick response. I'm using geli now but I would like to have it native so I'm not tied to a specific OS. 🤔 My use-case is a NAS so all I really need is to be able to stream videos on my LAN. Should still be OK for this, no?
 
Yes, that should work. I think it even works on CPUs without crypto extensions and old hardware since you don't need that much bandwidth ... IIRC 8MB per second is enough for 4k resolution videos. A quick benchmark showed that even my old Intel Pentium M 686 CPU (without AES extension) with 1800MHz and a P(!)ATA-Disk manages to get around 16MB/sec read speed ;-)

I extended my benchmark script now and at the moment I am doing some benchmarks ... different Linux/LUKS + unencrypted ZFS 0.8.4 vs Linux + encrypted ZFS 0.8.4 vs FreeBSD GELI + unencrypted ZFS vs FreeBSD + openzfs-kmod/encrypted. Currently on an SSD, but I intend to also benchmark HDDs (setup of one, two or three disks).
 