zroot pool on geli encryption

I am installing and trying to decide if I want to install ZFS on top of GELI. I am trying to learn if there are any downsides other than entering a passphrase at boot and possibly more resource use. I guess the complexity is increased. I would like to use boot environments too; are there any limitations when / is encrypted? Thanks!

I have read Absolute FreeBSD, it's a little older, references version 11. It states there is a limitation when using GELI :

"Boot environments do not work when a host requires a separate boot pool.
The installer handles boot pools for you. They appear when combining UEFI
and GELI, or when using ZFS on an MBR-partitioned disk."

During my testing though I wasn't able to reproduce any issue. There is a separate FAT EFI boot partition, but that would be present on a GELI or non-GELI install. /boot is included in the / dataset. I guess I am being cautious. I am afraid to get down the road and find that ZFS on GELI prevents me from doing something or makes life hard for no reason. I really only want my file dataset encrypted, but thought if there weren't any downsides to / being encrypted I would do that too.
 
It will be very hard to recover data in case of a power failure or a system crash like a kernel panic.
Backups and a UPS (uninterruptible power supply) are required for any production use of anything over GELI.
 
You haven't mentioned what you're trying to do and what data you're working with. GELI would be useful for handling sensitive data (say, a state-sponsored database) or to protect a C-level executive mailing list against cold storage attacks. But you've mentioned booting during your entire OP. Figure out exactly what you're trying to do, then decide from there. If what you're doing isn't internet facing, I wouldn't add the extra work involved with GELI.
 
Thanks, my thoughts were to keep my file server data safe at rest which contains PII, HIPAA. I could just encrypt the dataset that contains that data. I am just curious if there are any gotchas I should be aware of using ZFS root on top of GELI if I decide to protect OS level as well.
 
It gets a little tricky should you want to set up a ZFS root mirror installation atop GELI. Outside of that, I'm not aware of any gotchas. You've done your research.
 
Thanks, my thoughts were to keep my file server data safe at rest which contains PII, HIPAA. I could just encrypt the dataset that contains that data
My opinions only as I have not found a need to encrypt anything.

Separation of data and OS is the key.
Encryption of OS I think gives more trouble than it's worth in most cases; there are some where it's appropriate.
I think I would leave the OS portions unencrypted, then encrypt the datasets holding the data.
If you are using 14.0 you may be able to use zfs native encryption on the dataset (may have been there before 14) which would remove a level of complexity.
 
Have you looked at the risk analysis for backup and recovery? Your data are also likely to be "at rest" on the backup server...
 
If you are using 14.0 you may be able to use zfs native encryption on the dataset (may have been there before 14) which would remove a level of complexity.
It has been available since 13.0, or at least I've been using ZFS native encryption since then and I am quite happy with it. Zero problems so far.

However... https://www.phoronix.com/news/OpenZFS-Encrypt-Corrupt

But then again: Data corruption is one way of keeping it safe(r) from others :D
 
Thanks for the additional post. I thought about native encryption, however I do plan to send/receive datasets and I read there are some bugs right now. I also started to think about ZFS on top of GELI. Would using GELI as the provider, i.e. using the encrypted device nodes to build the ZFS vdevs, make the pool less resilient? What are the negatives of this configuration? I would do this with a NAS with a data pool mirror and a backup server that would have a raidz2 vdev.
 
Encryption of OS I think gives more trouble than it's worth in most cases; there are some where it's appropriate.
I think I would leave the OS portions unencrypted, then encrypt the datasets holding the data.
This is where I'm heading with my R&D and investigations so far.

I've made a GELI-encrypted boot on a development server and it's a royal PITA to have to use the BMC to enter the passphrase (because I have the BMC behind a bastion host where I enable/disable the remote access as required). The BMC has quirks that mean the keyboard doesn't always work as expected, so that makes things even more "exciting".

I've set up a couple of machines with "normal" boot (UFS for now) and then encrypted ZFS on other drives and so far so good. I don't yet use send/recv. But that corruption issue is rather concerning, so maybe I won't use send/recv!

It is much nicer for the OS to boot up and start SSH, which gives an easier remote connection to go to and enter passphrases to access the encrypted ZFS datasets.

Depending on your requirements you may also want to ensure configuration and log files are on encrypted datasets too.
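An added example, not code from the thread or from FreeBSD: a small POSIX sh script that turns the advice in the last two posts into a check, namely that the datasets actually holding sensitive paths such as /var/log, /etc or a PII share are encrypted and have their keys loaded after boot. It parses the output of `zfs list -H -o name,mountpoint,encryption,keystatus -t filesystem` (real OpenZFS properties); the listing embedded in the script, including the pool and dataset names, is constructed sample data so it runs offline.

```shell
#!/bin/sh
# Added example (not code from the thread). Audits which ZFS dataset backs each
# sensitive path and whether that dataset is encrypted with its key loaded.
# SAMPLE_ZFS_LIST is CONSTRUCTED sample output; on a real FreeBSD host replace
# it with the real output of:
#   zfs list -H -o name,mountpoint,encryption,keystatus -t filesystem
# (pool and dataset names below are invented for illustration)

SAMPLE_ZFS_LIST=$(printf '%s\t%s\t%s\t%s\n' \
    zroot              none         off         - \
    zroot/ROOT         none         off         - \
    zroot/ROOT/default /            off         - \
    zroot/var          /var         off         - \
    zroot/var/log      /var/log     off         - \
    tank               /tank        off         - \
    tank/pii           /tank/pii    aes-256-gcm available \
    tank/backup        /tank/backup aes-256-gcm unavailable)

# dataset_for PATH LISTING: print the listing line (name, mountpoint,
# encryption, keystatus) of the dataset with the longest mountpoint that is a
# prefix of PATH, i.e. the dataset that actually holds the files under PATH.
dataset_for() {
    printf '%s\n' "$2" | awk -F '\t' -v p="$1" '
        # datasets that are not mounted at a path cannot hold the files
        $2 == "none" || $2 == "legacy" || $2 == "-" { next }
        {
            mp = $2
            ok = (mp == "/" || p == mp || index(p, mp "/") == 1)
            if (ok && length(mp) > best_len) { best_len = length(mp); best = $0 }
        }
        END { if (best != "") print best }'
}

# path_protection PATH LISTING: print one of encrypted / key-not-loaded /
# unencrypted / unknown; exit status 0 only for "encrypted".
path_protection() {
    line=$(dataset_for "$1" "$2")
    if [ -z "$line" ]; then
        echo unknown
        return 1
    fi
    enc=$(printf '%s\n' "$line" | cut -f3)
    key=$(printf '%s\n' "$line" | cut -f4)
    if [ "$enc" = "off" ]; then
        echo unencrypted
        return 1
    elif [ "$key" != "available" ]; then
        # encrypted, but the key is not loaded (e.g. nobody ran zfs load-key
        # after boot): the files are unreadable right now
        echo key-not-loaded
        return 1
    fi
    echo encrypted
}

# audit_paths LISTING PATH...: print a table; exit 1 if any path is not on an
# encrypted dataset with its key loaded.
audit_paths() {
    listing=$1
    shift
    rc=0
    for p in "$@"; do
        status=$(path_protection "$p" "$listing") || rc=1
        ds=$(dataset_for "$p" "$listing" | cut -f1)
        printf '%-16s %-20s %s\n' "$p" "${ds:-?}" "$status"
    done
    return $rc
}

# Stand-alone run over the constructed sample.
if audit_paths "$SAMPLE_ZFS_LIST" /etc /var/log /tank/pii /tank/pii/docs /tank/backup; then
    echo "all audited paths are on encrypted datasets with keys loaded"
else
    echo "WARNING: some audited paths are not protected"
fi
```

With the sample listing, /etc and /var/log resolve to unencrypted root-pool datasets and /tank/backup to a dataset whose key is not loaded, so the run ends with the warning; only /tank/pii and its subdirectories pass. Pointing the same functions at real `zfs list` output gives a quick post-boot check that logs and configuration really landed on the encrypted datasets and that every `zfs load-key` step happened.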
 