> On 23 Apr 2021, at 23:23, Xin Li via freebsd-stable <freebsd-stable
> at freebsd.org> wrote:
>
> On 4/23/21 13:53, mike tancsa wrote:
>> Starting to play around with RELENG_13 and wanted to explore ZFS'
>> built-in encryption. Is there a best practices doc on how to do full disk
>> encryption anywhere that's not GELI based ? There are lots for
>> GELI,
>> but nothing I could find for native OpenZFS encryption on FreeBSD
>>
>> i.e. box gets rebooted, enter in passphrase to allow it to boot kind of
>> thing from the boot loader prompt ?
>
> I think loader does not support the native OpenZFS encryption yet.
> However, you can encrypt non-essential datasets on a boot pool (that is,
> if com.datto:encryption is "active" AND the bootfs dataset is not
> encrypted, you can still boot from it).
>
> BTW instead of entering passphrase at loader prompt, if / is not
> encrypted, it's also possible to do something like
>
> https://lists.freebsd.org/pipermail/freebsd-security/2012-August/006547.html .
>
> Personally I'd probably go with GELI (or other kind of full disk
> encryption) regardless of whether OpenZFS's native encryption is used, because
> my primary goal is to be able to just throw away bad disks when they are
> removed from production [1]. If the pool is not fully encrypted, there
> is always a chance that the sensitive data has landed in some unencrypted
> datasets and never gets fully overwritten.
>
> [1] Also keep in mind: https://xkcd.com/538/
>
> Cheers,
>
Yes, I've come to the same conclusion. This should be used on a data-zpool and
not on the system-pool (zroot). Encryption is per dataset. Also I found that if
the encrypted dataset is not mounted for some reason you will be writing to the
parent unencrypted dataset. At least it works for an encrypted thumb drive, I just
posted this quick guide
https://forums.freebsd.org/threads/freebsd-13-openzfs-encrypted-thumb-drive.80008/
/Peter
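As an added example (not from the thread or from FreeBSD), a POSIX sh check for the failure mode described above: refuse to write into a dataset's mountpoint unless the dataset is encrypted, its key is loaded, and it is actually mounted. It assumes the properties come from `zfs get -H -o property,value encryption,keystatus,mounted DATASET`; the command output is constructed inline so the script runs offline.

```shell
#!/bin/sh
# Constructed sample output of
#   zfs get -H -o property,value encryption,keystatus,mounted DATASET
# (columns are tab-separated). Real use would capture the command itself.
SAMPLE_MOUNTED=$(printf 'encryption\taes-256-gcm\nkeystatus\tavailable\nmounted\tyes\n')
SAMPLE_UNMOUNTED=$(printf 'encryption\taes-256-gcm\nkeystatus\tavailable\nmounted\tno\n')
SAMPLE_LOCKED=$(printf 'encryption\taes-256-gcm\nkeystatus\tunavailable\nmounted\tno\n')
SAMPLE_PLAIN=$(printf 'encryption\toff\nkeystatus\t-\nmounted\tyes\n')

# zfs_prop PROPS NAME: extract one property value from "zfs get -H" output.
zfs_prop() {
    printf '%s\n' "$1" | awk -v p="$2" -F '\t' '$1 == p { print $2 }'
}

# safe_to_write PROPS: print "ok" and return 0 only when the dataset is
# encrypted, unlocked and mounted. An unmounted encrypted dataset leaves its
# mountpoint as a plain directory on the (unencrypted) parent dataset, so a
# write there would silently land in cleartext.
safe_to_write() {
    enc=$(zfs_prop "$1" encryption)
    key=$(zfs_prop "$1" keystatus)
    mnt=$(zfs_prop "$1" mounted)
    case "$enc" in
        off|"") echo "not encrypted"; return 1 ;;
    esac
    [ "$key" = "available" ] || { echo "key not loaded"; return 1; }
    [ "$mnt" = "yes" ]       || { echo "not mounted"; return 1; }
    echo ok
}

# Stand-alone demonstration over the constructed samples.
for s in "$SAMPLE_MOUNTED" "$SAMPLE_UNMOUNTED" "$SAMPLE_LOCKED" "$SAMPLE_PLAIN"; do
    safe_to_write "$s" || true
done
```

To guard a real copy, replace the sample with `props=$(zfs get -H -o property,value encryption,keystatus,mounted pool/ds)` and run `safe_to_write "$props" && cp ...`.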