ZFS encryption?

justjosh

Member
Nov 4, 2019
93
0
11
58
I'm looking at the docs on ZOL and it seems a little dated? I've set up a new zpool via GUI and there was no option to add encryption. However, when running zpool get feature@encryption, the pool already has encryption=on. Does this mean there is already some sort of key encryption by default?

Thanks!
 
Hi,

no this means only the pool has the capability to encrypt datasets.
 
Hi,

no this means only the pool has the capability to encrypt datasets.
Hello,

Thank you for the reply. Is there a way to implement boot time decryption without risking the key itself? It seems pretty problematic if the host reboots and everything stops working until someone SSHs in to decrypt the zpool.
 
You could use a USB thumb drive to store the key. But in the end if the thumb drive is attached to the device all the time, where is the benefit?
Another option would be to have a "network attached USB" but again - that is nothing built in.

From my perspective the encryption on a pool level only helps you if a drive was stolen or defective, and you have returned to the manufacturer.
If someone grabs the whole box/server, including the thumb drive you store your keys on - it is the same as if you would have never encrypted anything.

Encryption is a great (and necessary) thing, but it has its challenges, especially on reboots / power outages.
One reason why I was moving the encryption part into the VMs.

I can bring up my virtualization system as well as all main services (including VPN). Then taking care of the encrypted datasets.
 
You could use a USB thumb drive to store the key. But in the end if the thumb drive is attached to the device all the time, where is the benefit?
Another option would be to have a "network attached USB" but again - that is nothing built in.

From my perspective the encryption on a pool level only helps you if a drive was stolen or defective, and you have returned to the manufacturer.
If someone grabs the whole box/server, including the thumb drive you store your keys on - it is the same as if you would have never encrypted anything.

Encryption is a great (and necessary) thing, but it has its challenges, especially on reboots / power outages.
One reason why I was moving the encryption part into the VMs.

I can bring up my virtualization system as well as all main services (including VPN). Then taking care of the encrypted datasets.
Would two layer encryption take a huge performance penalty or create any other problems? Even if I move encryption to VM level, I'll still need some form of base encryption to protect the data if I need to RMA inaccessible drives.
 
Why would you actually want to do that?
If you segregate your data from the OS (which I would advise anyways) there is no need to have double encryption.
When you sent in a drive, even if someone inspects it he will find OS boot drive data - but not the current data you would like to protect. That is still on the disk, but encrypted.
In my opinion all the OS data is irrelevant (ok, I am not using the VMs as personal Workstation with Temp Files etc. - but even if. You could redirect this information to a dedicated drive)
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!