ZFS encryption?

justjosh

Nov 4, 2019
I'm looking at the docs on ZOL and it seems a little dated? I've set up a new zpool via GUI and there was no option to add encryption. However, when running zpool get feature@encryption, the pool already has encryption=on. Does this mean there is already some sort of key encryption by default?

Thanks!
 
Hi,

No, this only means the pool has the capability to encrypt datasets.
 
Hello,

Thank you for the reply. Is there a way to implement boot time decryption without risking the key itself? It seems pretty problematic if the host reboots and everything stops working until someone SSHs in to decrypt the zpool.
 
You could use a USB thumb drive to store the key. But in the end if the thumb drive is attached to the device all the time, where is the benefit?
Another option would be to have a "network attached USB" but again - that is nothing built in.

From my perspective the encryption on a pool level only helps you if a drive was stolen or defective, and you have returned it to the manufacturer.
If someone grabs the whole box/server, including the thumb drive you store your keys on - it is the same as if you would have never encrypted anything.

Encryption is a great (and necessary) thing, but it has its challenges, especially on reboots / power outages.
One reason why I was moving the encryption part into the VMs.

I can bring up my virtualization system as well as all main services (including VPN), and then take care of the encrypted datasets.
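
What the replies above describe, as an added example that is not part of the original thread: feature@encryption only says the pool can hold encrypted datasets, so the per-dataset properties are what show whether data is actually encrypted and where its key comes from. The verdict labels, dataset names and sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify datasets from the tab-separated output of
#   zfs get -H -o name,property,value encryption,encryptionroot,keylocation,keystatus
# The verdict labels are this example's own, not ZFS terminology.

audit_zfs_encryption() {
    awk -F '\t' '
        { if (!($1 in seen)) { seen[$1] = 1; order[++n] = $1 }
          prop[$1, $2] = $3 }
        END {
            for (i = 1; i <= n; i++) {
                d = order[i]
                # Pool feature enabled, but this dataset was created unencrypted.
                if (prop[d, "encryption"] == "off") { print "PLAINTEXT\t" d; continue }
                # keylocation is only set on the encryption root, so a child
                # is judged by the root it inherits its key from.
                root = prop[d, "encryptionroot"]
                if (!(root in seen)) root = d
                loc = prop[root, "keylocation"]
                if (index(loc, "file://") == 1)
                    print "KEY-FILE\t" d    # key read from a path on or attached to the host
                else if (prop[root, "keystatus"] == "unavailable")
                    print "LOCKED\t" d      # stays locked after a reboot until the key is loaded
                else
                    print "UNLOCKED\t" d    # key currently loaded, not read from a local file
            }
        }'
}

# Constructed sample input (name, property, value), not taken from a real host.
sample_zfs_get() {
    printf '%s\t%s\t%s\n' \
        rpool/data encryption off rpool/data encryptionroot - \
        rpool/data keylocation none rpool/data keystatus - \
        rpool/secure encryption aes-256-gcm rpool/secure encryptionroot rpool/secure \
        rpool/secure keylocation file:///mnt/usb/secure.key rpool/secure keystatus available \
        rpool/secure/vm-100 encryption aes-256-gcm rpool/secure/vm-100 encryptionroot rpool/secure \
        rpool/secure/vm-100 keylocation none rpool/secure/vm-100 keystatus available \
        rpool/vault encryption aes-256-gcm rpool/vault encryptionroot rpool/vault \
        rpool/vault keylocation prompt rpool/vault keystatus unavailable
}

sample_zfs_get | audit_zfs_encryption
```

On a real host, pipe the `zfs get` command from the header comment into `audit_zfs_encryption` instead of the sample.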
 
Would two-layer encryption take a huge performance penalty or create any other problems? Even if I move encryption to VM level, I'll still need some form of base encryption to protect the data if I need to RMA inaccessible drives.
 
Why would you actually want to do that?
If you segregate your data from the OS (which I would advise anyway) there is no need to have double encryption.
When you send in a drive, even if someone inspects it, he will find OS boot drive data, but not the current data you would like to protect. That is still on the disk, but encrypted.
In my opinion all the OS data is irrelevant (OK, I am not using the VMs as a personal workstation with temp files etc., but even if I were, you could redirect this information to a dedicated drive).
 
