ZFS and encryption

hakim

Oct 4, 2010
Hi,

On the Storage: ZFS page, you list "encryption" as one of the "General Advantages of ZFS", but there is nothing about how to use it.
Could you give an example of how to enable this feature?

Thanks,
Hakim
 
Hi Hakim,

There is no encryption in open-source ZFS; this is an enterprise feature of the original ZFS from SUN/ORACLE.

What you can do is set up encryption via cryptsetup/LUKS and then create your ZFS pool on the encrypted device. I use it for external backups.

Best,
LnxBil
 
Hi LnxBil,

Thanks for your answer. Any idea about the reliability of cryptsetup/LUKS, and perhaps the overhead when using such a feature on a prod server?

Hakim
 
Hi Hakim,

It is reliable, why shouldn't it be? LUKS has been proven to work for ages and I have used it for over 10 years.

Concerning overhead: of course it is another layer of software and it will slow things down (as expected). Nevertheless, I can get up to 100 MB/sec on one encrypted backup disk with a gzip-9 compressed backup via zfs send/receive. Depending on your CPU power, it will slow down significantly if you do not have many, many cores.

Best,
LnxBil
 
morph027: Yes, you're totally right. I hadn't noticed until now. It is automatically loaded and used on newer machines (after 2008, according to Intel).
 
Hi there. I'm using two 3T disks encrypted with LUKS, and both are associated with a zpool as a mirror. When I created the zpool everything was good: both disks showed ONLINE and the resilver completed. My issue is on server reboot. As soon as the server reboots, the zpool rpool is imported, which is ok. My other zpool, associated with my two disks, is not imported because of LUKS. Now, when I decrypt the first disk with the passphrase, the zpool associated with both disks begins to import (mount). At that moment, zpool status shows me the first disk ONLINE and the other UNAVAILABLE (an error with a label), and the HEALTH of the zpool is DEGRADED. Even when I decrypt my second disk, the status does not change. The only workaround that I have right now is to detach the second disk, reboot, decrypt both disks and attach both again. This process puts both disks ONLINE and also starts the resilver process. Is there any way on reboot to mount only the zpool rpool? To STOP the X-Name zpool from automounting until I perform the mount once both disks are decrypted? If any information is required, please let me know. My Proxmox version is: proxmox-ve: 4.2-52 (running kernel: 4.4.8-1-pve). Thanks.
 
How do you decrypt the LUKS devices? During startup?

I have one disk which I unlock via passphrase, and all the others then get unlocked using the derived key mechanism. This way, either all disks are there or none is ;)
 
As soon as the server is up, my zpool is not mounted. I decrypt both of them using the passphrase. I also tried putting a key file on the first disk and telling the second to decrypt once the first was decrypted. It works, but the issue is that once the first disk is decrypted, the zpool begins the import before the second disk completes the decrypt process. With that, zpool status shows DEGRADED and the second disk UNAVAILABLE. If I do this process beginning with the second disk, the result is the same but with the first disk UNAVAILABLE.

I will proceed with your command and I will confirm the results. THANKS!!!
 
Code:
root@pve:~# zpool status
  pool: rpool
state: ONLINE
  scan: none requested
config:

        NAME        STATE     READ WRITE CKSUM
        rpool       ONLINE       0     0     0
          sda2      ONLINE       0     0     0

Before the reboot, I ran the cachefile command that you gave me. Above is how zpool status looks once the server is up. Now, once I decrypt the first disk, zpool status looks like this:

Code:
root@pve:~# zpool status
  pool: X-Name
state: DEGRADED
status: One or more devices could not be used because the label is missing or
        invalid.  Sufficient replicas exist for the pool to continue
        functioning in a degraded state.
action: Replace the device using 'zpool replace'.
   see: http://zfsonlinux.org/msg/ZFS-8000-4J
  scan: resilvered 415G in 1h45m with 0 errors on Thu Jun  9 11:52:18 2016
config:

        NAME                     STATE     READ WRITE CKSUM
        X-Name            DEGRADED     0     0     0
          mirror-0               DEGRADED     0     0     0
            dm-name-NAS1         ONLINE       0     0     0
            9986966815428885507  UNAVAIL      0     0     0  was /dev/disk/by-id/dm-name-NAS2

errors: No known data errors

  pool: rpool
state: ONLINE
  scan: none requested
config:

        NAME        STATE     READ WRITE CKSUM
        rpool       ONLINE       0     0     0
          sda2      ONLINE       0     0     0

errors: No known data errors
 
Something that I see is that the cachefile value is - after a reboot:

Code:
root@pve:~# zpool get cachefile X-Name
NAME           PROPERTY   VALUE      SOURCE
X-Name  cachefile  -          default

I set the cachefile again to none and I see the value:

Code:
root@pve:~# zpool set cachefile=none X-Name
root@pve:~# zpool get cachefile X-Name
NAME           PROPERTY   VALUE      SOURCE
X-Name  cachefile  none       local

Then I reboot the server. When it is up, I check the cachefile value again:

Code:
root@pve:~# zpool get cachefile X-Name
cannot open 'X-Name': no such pool

I confirm now that the zpool is not available. When I decrypt the first disk, this is what I get:

Code:
root@pve:~# zpool get cachefile X-Name
NAME           PROPERTY   VALUE      SOURCE
X-Name  cachefile  -          default

For some reason, it does not save the cachefile value.

Any lines on mind?
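A way to put LnxBil's advice (unlock every LUKS member first, then import) into a script that also avoids the DEGRADED import described above, as an added example that is not from this thread or from Proxmox. It assumes the pool name X-Name and the mapper names NAS1/NAS2 seen in the zpool status output; the by-id disk paths and the key file path are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): unlock all LUKS members, then import the
# pool only once every mapped device exists. Names below are assumptions taken
# from the zpool status output; disk paths and the key file are placeholders.
POOL="X-Name"
MEMBERS="NAS1 NAS2"                  # /dev/mapper names the mirror is built from
MAPPER_DIR="${MAPPER_DIR:-/dev/mapper}"

# Return 0 only when every expected mapping exists under directory $1.
all_present() {
    dir="$1"; shift
    for m in "$@"; do
        [ -e "$dir/$m" ] || { echo "missing $dir/$m" >&2; return 1; }
    done
    return 0
}

# Unlock one member; skip it if it is already mapped. $3 (optional) is a key file,
# otherwise cryptsetup prompts for the passphrase.
unlock_member() {
    name="$1"; dev="$2"; keyfile="$3"
    [ -e "$MAPPER_DIR/$name" ] && return 0
    if [ -n "$keyfile" ]; then
        cryptsetup open --key-file "$keyfile" "$dev" "$name"
    else
        cryptsetup open "$dev" "$name"
    fi
}

# Import only when the whole mirror is available, so the pool never comes up
# DEGRADED with one member UNAVAIL. cachefile=none keeps the pool out of the
# boot-time cache, so the automatic import does not race the unlock.
import_when_ready() {
    if all_present "$MAPPER_DIR" $MEMBERS; then
        zpool import -d "$MAPPER_DIR" -o cachefile=none "$POOL"
    else
        echo "not importing $POOL: LUKS members still locked" >&2
        return 1
    fi
}

main() {
    unlock_member NAS1 /dev/disk/by-id/DISK1-PLACEHOLDER
    unlock_member NAS2 /dev/disk/by-id/DISK2-PLACEHOLDER /root/nas2.key
    import_when_ready
}

# Run only when RUN_UNLOCK=1 so the functions can be sourced and tested.
if [ "${RUN_UNLOCK:-0}" = 1 ]; then main "$@"; fi
```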
 