On 4/23/21 13:53, mike tancsa wrote:
> Starting to play around with RELENG_13 and wanted to explore ZFS' built-in
> encryption. Is there a best practices doc on how to do full disk
> encryption anywhere that's not GELI based? There are lots for GELI,
> but nothing I could find for native OpenZFS encryption on FreeBSD
>
> i.e. box gets rebooted, enter in passphrase to allow it to boot kind of
> thing from the boot loader prompt?

I think loader does not support the native OpenZFS encryption yet.
However, you can encrypt non-essential datasets on a boot pool (that is,
if com.datto:encryption is "active" AND the bootfs dataset is not
encrypted, you can still boot from it).

BTW instead of entering the passphrase at the loader prompt, if / is not
encrypted, it's also possible to do something like
https://lists.freebsd.org/pipermail/freebsd-security/2012-August/006547.html

Personally I'd probably go with GELI (or another kind of full disk
encryption) regardless of whether OpenZFS's native encryption is used,
because my primary goal is to be able to just throw away bad disks when
they are removed from production [1]. If the pool is not fully encrypted,
there is always a chance that the sensitive data have landed in some
unencrypted datasets and never get fully overwritten.

[1] Also keep in mind: https://xkcd.com/538/

Cheers,
> On 23 Apr 2021 at 23:23, Xin Li via freebsd-stable <freebsd-stable at freebsd.org> wrote:
>
> On 4/23/21 13:53, mike tancsa wrote:
>> Starting to play around with RELENG_13 and wanted to explore ZFS' built-in
>> encryption. Is there a best practices doc on how to do full disk
>> encryption anywhere that's not GELI based? There are lots for GELI,
>> but nothing I could find for native OpenZFS encryption on FreeBSD
>>
>> i.e. box gets rebooted, enter in passphrase to allow it to boot kind of
>> thing from the boot loader prompt?
>
> I think loader does not support the native OpenZFS encryption yet.
> However, you can encrypt non-essential datasets on a boot pool (that is,
> if com.datto:encryption is "active" AND the bootfs dataset is not
> encrypted, you can still boot from it).
>
> BTW instead of entering the passphrase at the loader prompt, if / is not
> encrypted, it's also possible to do something like
> https://lists.freebsd.org/pipermail/freebsd-security/2012-August/006547.html
>
> Personally I'd probably go with GELI (or another kind of full disk
> encryption) regardless of whether OpenZFS's native encryption is used,
> because my primary goal is to be able to just throw away bad disks when
> they are removed from production [1]. If the pool is not fully encrypted,
> there is always a chance that the sensitive data have landed in some
> unencrypted datasets and never get fully overwritten.
>
> [1] Also keep in mind: https://xkcd.com/538/
>
> Cheers,

Yes, I've come to the same conclusion. This should be used on a data zpool
and not on the system pool (zroot). Encryption is per dataset. Also, I found
that if the encrypted dataset is not mounted for some reason, you will be
writing to the parent unencrypted dataset.

At least it works for an encrypted thumb drive; I just posted this quick guide:
https://forums.freebsd.org/threads/freebsd-13-openzfs-encrypted-thumb-drive.80008/

/Peter
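Worked example for the two points made above, Xin Li's (the pool's bootfs dataset must itself stay unencrypted for loader to boot it) and Peter's (an encrypted dataset that is not mounted silently sends writes to its unencrypted parent). This is an added script, not code from any poster or from the linked guide. It assumes the zfs(8) properties encryption, keystatus, mounted and the zpool(8) property bootfs, and uses zdata/secret and zroot as placeholder names; the checks take the command output as text so they can be exercised without a pool.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for the two
# pitfalls discussed above. Assumed zfs(8)/zpool(8) property names:
# encryption, keystatus, mounted (zfs) and bootfs (zpool).
# Dataset names such as zdata/secret and zroot are placeholders.

# Parse "property<TAB>value" lines, as printed by
#   zfs get -H -o property,value encryption,keystatus,mounted DATASET
# and print the value of one property (empty if absent).
prop_value() {
    printf '%s\n' "$1" | awk -F'\t' -v p="$2" '$1 == p { print $2; exit }'
}

# Peter's pitfall: an encrypted dataset that is not mounted means its path is
# backed by the parent, so a write there lands outside the encrypted dataset.
# Refuse unless encryption is on, the key is loaded and the dataset is
# mounted. Prints "ok" or the reason; exit status 0 only on ok.
check_encrypted_target() {
    props="$1"
    enc=$(prop_value "$props" encryption)
    key=$(prop_value "$props" keystatus)
    mnt=$(prop_value "$props" mounted)
    case "$enc" in
        ""|off|-) echo "refuse: dataset is not encrypted (encryption=${enc:-unset})"; return 1 ;;
    esac
    if [ "$key" != "available" ]; then
        echo "refuse: key not loaded (keystatus=$key)"; return 1
    fi
    if [ "$mnt" != "yes" ]; then
        echo "refuse: not mounted, writes would land in the parent dataset (mounted=$mnt)"; return 1
    fi
    echo ok
}

# Second line of defence: compare the dataset that actually backs the target
# directory (zfs list -H -o name DIR) with the one you expect. When
# zdata/secret is unmounted, the directory is backed by zdata, the parent.
check_path_backed_by() {
    expected="$1"; actual="$2"
    if [ "$actual" = "$expected" ]; then
        echo ok
    else
        echo "refuse: expected $expected at path, found ${actual:-nothing}"
        return 1
    fi
}

# Xin Li's point: the pool's bootfs dataset must be unencrypted for loader to
# boot it; other datasets in the same pool may be encrypted.
check_bootfs_unencrypted() {
    bootfs_enc="$1"   # encryption property of the bootfs dataset
    if [ "$bootfs_enc" = "off" ]; then
        echo ok
    else
        echo "refuse: bootfs dataset is encrypted (encryption=$bootfs_enc); loader cannot boot it"
        return 1
    fi
}

# Live wrappers (need zfs privileges):
#   guard_write zdata/secret /zdata/secret && cp backup.tar /zdata/secret/
guard_write() {
    ds="$1"; dir="$2"
    check_encrypted_target "$(zfs get -H -o property,value encryption,keystatus,mounted "$ds")" || return 1
    check_path_backed_by "$ds" "$(zfs list -H -o name "$dir" 2>/dev/null)"
}
#   guard_boot zroot
guard_boot() {
    pool="$1"
    bootfs=$(zpool get -H -o value bootfs "$pool")
    check_bootfs_unencrypted "$(zfs get -H -o value encryption "$bootfs")"
}
```

The path check matters because the directory /zdata/secret keeps existing inside the parent's mount after the child is unmounted, so a backup job that only tests for the directory will happily write plaintext into zdata. For the offsite-backup case raised later in the thread, the same guard applies on the receiving side; keeping received datasets encrypted with the sender's keys is the job of a raw send (zfs send -w), which this script does not cover.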
On 4/23/21 11:23 PM, Xin Li via freebsd-stable wrote:
> I think loader does not support the native OpenZFS encryption yet.
> However, you can encrypt non-essential datasets on a boot pool (that is,
> if com.datto:encryption is "active" AND the bootfs dataset is not
> encrypted, you can still boot from it).

This is what my tests showed too (on 12.2 with OpenZFS from ports).
This is in contrast to what is written here:
https://openzfs.github.io/openzfs-docs/Getting%20Started/FreeBSD.html

Can we get that page corrected?

bye & Thanks
av.
On 4/23/2021 5:23 PM, Xin Li wrote:
> On 4/23/21 13:53, mike tancsa wrote:
>> Starting to play around with RELENG_13 and wanted to explore ZFS' built-in
>> encryption. Is there a best practices doc on how to do full disk
>> encryption anywhere that's not GELI based? There are lots for GELI,
>> but nothing I could find for native OpenZFS encryption on FreeBSD
>>
>> i.e. box gets rebooted, enter in passphrase to allow it to boot kind of
>> thing from the boot loader prompt?
>
> I think loader does not support the native OpenZFS encryption yet.
> However, you can encrypt non-essential datasets on a boot pool (that is,
> if com.datto:encryption is "active" AND the bootfs dataset is not
> encrypted, you can still boot from it).
>
> BTW instead of entering the passphrase at the loader prompt, if / is not
> encrypted, it's also possible to do something like
> https://lists.freebsd.org/pipermail/freebsd-security/2012-August/006547.html
>
> Personally I'd probably go with GELI (or another kind of full disk
> encryption) regardless of whether OpenZFS's native encryption is used,
> because my primary goal is to be able to just throw away bad disks when
> they are removed from production [1]. If the pool is not fully encrypted,
> there is always a chance that the sensitive data have landed in some
> unencrypted datasets and never get fully overwritten.
>
> [1] Also keep in mind: https://xkcd.com/538/

Thanks for the perspective and links. I have a couple of use case scenarios.
One, for devices in somewhat physically untrusted environments. Someone
breaks into the store and steals the PC. I can see the advantages of GELI in
this environment. The other is the ability for customers to send me encrypted
datasets for offsite backup. If it's encrypted, I have less exposure, since
the dataset is encrypted and I can't see the contents. Same for making
backups to disks to put in cold storage, although yes, I can see GELI having
an advantage again for full disk encryption.

    ---Mike