
Beginning with version 13.0, FreeBSD supports the long-anticipated OpenZFS native encryption feature. If you've used FreeBSD's GELI encryption in the past, you may have questions regarding the differences between the two encryption schemes, whether you should switch to OpenZFS native encryption, and how to implement it in your environment. This article begins by summarizing the user-facing differences between FreeBSD GELI disk encryption and OpenZFS native encryption, covering their benefits and limitations. It then provides examples for creating and managing encrypted datasets.

From an end-user implementation perspective, the biggest difference between GELI and OpenZFS native encryption is what gets encrypted. To over-simplify, GELI encrypts disks while OpenZFS encrypts datasets. Let's look at that distinction more closely:

GELI disk encryption: think of this as a filesystem-agnostic "all or nothing" encryption mechanism which protects physical block devices (disks) below the filesystem layer. At boot time, each GELI-protected disk has to be decrypted before system boot can continue and the overlying filesystem can be mounted. For a system using ZFS that means that each GELI-encrypted disk in a pool has to be decrypted before the pool can be imported, which adds to the complexity of systems with many disks. Worse, ZFS is not aware that it is operating on top of encrypted devices.

OPENZFS NATIVE ENCRYPTION HOW TO

There is no way that encryption slows down the raid10, which performs at about 200-300 MB/s. The CPU is encrypting too fast to slow down the read/write process. If I test the speed on my PC with openssl I get:

    openssl speed -evp aes-256-gcm

The 'numbers' are in 1000s of bytes per second processed. The discs are significantly slower, which gives the CPU plenty of time to do the encryption. On a fast nvme drive you might see a slight slow down due to encryption, but not on a spinning disc.

I can also check with "cryptsetup benchmark". This does not support aes-gcm but aes-cbc, which is significantly slower than aes-gcm:

    cryptsetup benchmark
    # Algorithm | Key | Encryption | Decryption
OPENZFS NATIVE ENCRYPTION FULL
grub definitely does not have full zfs encryption support without a separate boot pool with many features disabled. I'm not sure if refind by itself has zfs support including encrypted pools.

OPENZFS NATIVE ENCRYPTION INSTALL

Zfsbootmenu combined with refind is effective for native zfs encryption and even natively supports booting from zfs snapshots. After replacing the hooks as described in my previous post and rebuilding the initramfs, simply add the EFI binary from to /boot/efi/EFI/zbm or whatever EFI folder you want to dump it in. refind install from within a chroot can be done with:

    refind-install --usedefault /dev/path to install drive

In the directory where you place the zfsbootmenu.EFI binary, add a file labeled refind_nf containing the following:

    "Boot default" "zbm.prefer= ro quiet loglevel=0 zbm.skip"
    "Boot to menu" "zbm.prefer= ro quiet loglevel=0 zbm.show"

After that the kernel commandline needs to be set with zfs parameters like this:

    zfs set org.zfsbootmenu:commandline="rw loglevel=0 quiet nomodeset" zpendeavouros/ROOT/eos/root
