ZoL - Native ZFS encryption is not so comprehensive as GELI

T-Daemon


From freebsd-hackers@:

Eugene Grosbein eugen at grosbein.net
Sun Sep 13 01:38:21 UTC 2020

....
Recently I've learned from one of ZoL maintainers that native
ZFS encryption is not so comprehensive as GELI.

I've been told that native ZFS encryption was initially designed for one specific task:
being able to receive encrypted customer data (backups), verify its integrity without decryption,
store and then receive incremental backups later. Therefore, not all data is hidden with encryption,
for example, dataset names and some other metadata are not.

Background on Eugene Grosbein:
 

forquare


Is this not a question of requirements? A bank vault is more comprehensive than your wallet, but I bet you keep (or have kept) amounts of money in your wallet - I remember walking a few thousand pounds in my wallet between two banks a number of years ago because transferring it electronically would have taken several days.

If you don't require dataset names or some other metadata to be encrypted, having encrypted ZFS happens to give a convenient way to
receive encrypted customer data (backups), verify its integrity without decryption, store and then receive incremental backups later.
Which I don't believe GELI does allow you to do?
 

usdmatt


ZFS encryption works very well and serves exactly the purpose it was supposed to. Note that it was developed by a commercial business who wanted to be able to encrypt customers' on-premises data, but also use block-level send to back up that data in the cloud.

ZFS metadata is not encrypted, which includes things like record checksums, compression type, etc. (and obviously basic pool layout). However, all file metadata is basically just data as far as ZFS is concerned, so directory paths, filenames, permissions, etc. are encrypted.

This provides many benefits for people using ZFS for user data: storage can be encrypted but still allow administrators to back it up, replace failed drives, do scrubs, etc.

I have no problem with GELI of course; it's a brilliant generic block-device encryption tool. So if your browser history or a few personal files are of such national importance that you worry about state-sponsored hackers managing to glean a bit of information from ZFS metadata, use GELI, or take the tin foil hat off.
 