ZFS encryption?

justjosh

Member
Nov 4, 2019
I'm looking at the docs on ZOL and it seems a little dated? I've set up a new zpool via GUI and there was no option to add encryption. However, when running zpool get feature@encryption, the pool already has encryption=on. Does this mean there is already some sort of key encryption by default?

Thanks!
 

wolfgang

Proxmox Staff Member
Oct 1, 2014
Hi,

No, this means only the pool has the capability to encrypt datasets.
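
To check the distinction made in this reply on a real system, here is an added example (not part of the thread and not Proxmox code) that classifies each dataset from `zfs get` output as unencrypted, encrypted with the key loaded, or encrypted with the key not loaded. The pool and dataset names in the sample are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: the pool feature flag says encryption is possible;
# the per-dataset "encryption" and "keystatus" properties say what is true.
# Real use, on a host with ZFS installed:
#   zfs get -H -o name,property,value encryption,keystatus | audit_encryption

# Constructed sample of that command's tab-separated output (names are made up).
sample_zfs_get() {
    printf 'rpool\tencryption\toff\n'
    printf 'rpool\tkeystatus\t-\n'
    printf 'rpool/data\tencryption\toff\n'
    printf 'rpool/data\tkeystatus\t-\n'
    printf 'rpool/secure\tencryption\taes-256-gcm\n'
    printf 'rpool/secure\tkeystatus\tavailable\n'
    printf 'rpool/backup\tencryption\taes-256-gcm\n'
    printf 'rpool/backup\tkeystatus\tunavailable\n'
}

# Reads name<TAB>property<TAB>value lines on stdin, prints one verdict per dataset.
audit_encryption() {
    awk -F '\t' '
        $2 == "encryption" {
            enc[$1] = $3
            if (!($1 in seen)) { seen[$1] = 1; order[++n] = $1 }
        }
        $2 == "keystatus" { key[$1] = $3 }
        END {
            for (i = 1; i <= n; i++) {
                d = order[i]
                if (enc[d] == "off")
                    printf "%s\tUNENCRYPTED\n", d
                else if (key[d] == "available")
                    printf "%s\tENCRYPTED key-loaded (%s)\n", d, enc[d]
                else
                    printf "%s\tENCRYPTED key-not-loaded (%s)\n", d, enc[d]
            }
        }'
}

# Counts datasets that hold data in the clear regardless of the pool feature flag.
count_unencrypted() {
    audit_encryption | grep -c 'UNENCRYPTED$'
}
```

A dataset reported as key-not-loaded is the state an encrypted dataset is in after a reboot until its key is supplied.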
 

justjosh

Member
Nov 4, 2019
Hello,

Thank you for the reply. Is there a way to implement boot time decryption without risking the key itself? It seems pretty problematic if the host reboots and everything stops working until someone SSHs in to decrypt the zpool.
 

tburger

Active Member
Oct 13, 2017
You could use a USB thumb drive to store the key. But in the end if the thumb drive is attached to the device all the time, where is the benefit?
Another option would be to have a "network attached USB" but again - that is nothing built in.

From my perspective the encryption on a pool level only helps you if a drive was stolen or defective, and you have returned it to the manufacturer.
If someone grabs the whole box/server, including the thumb drive you store your keys on - it is the same as if you would have never encrypted anything.

Encryption is a great (and necessary) thing, but it has its challenges, especially on reboots / power outages.
One reason why I was moving the encryption part into the VMs.

I can bring up my virtualization system as well as all main services (including VPN). Then taking care of the encrypted datasets.
 

justjosh

Member
Nov 4, 2019
Would two layer encryption take a huge performance penalty or create any other problems? Even if I move encryption to VM level, I'll still need some form of base encryption to protect the data if I need to RMA inaccessible drives.
 

tburger

Active Member
Oct 13, 2017
Why would you actually want to do that?
If you segregate your data from the OS (which I would advise anyways) there is no need to have double encryption.
When you send in a drive, even if someone inspects it he will find OS boot drive data - but not the current data you would like to protect. That is still on the disk, but encrypted.
In my opinion all the OS data is irrelevant (ok, I am not using the VMs as a personal workstation with temp files etc. - but even if, you could redirect this information to a dedicated drive).
 
