
List:       freebsd-hackers
Subject:    Re: Mounting encrypted ZFS datasets/GELI for users?
From:       Eric McCorkle <eric () metricspace ! net>
Date:       2020-10-31 19:48:00
Message-ID: 794d789d-4056-4152-e7f6-bf9d10d42518 () metricspace ! net

On 10/26/20 6:12 PM, John-Mark Gurney wrote:
> Eric McCorkle wrote this message on Mon, Oct 05, 2020 at 09:45 -0400:
>> I'm presently looking into options presented by ZFS encryption.  One
>> idea I had was something like this (I'm going to go with ZFS for now,
>> but you could presumably do something like this with GELI, with more
>> effort).
> 
> I'd still recommend using GELI.  Even w/ ZFS's native encryption, the
> metadata for ZFS remains unencrypted, and able to be munged.  If you
> geli w/ ZFS and a strong checksum, like sha512/256, I believe that this
> is the equivalent to authenticated encryption, a la geli's authenticated
> mode, but with significantly less overhead...

Something to note is that GELI's authenticated mode changes the block
size, because it uses the last bytes in each block to hold the MAC.
This is likely to have consequences for performance.

However, this also does suggest a ZFS feature that would create a MAC
code for the root block of the filesystem (I am less familiar with the
ZFS on-disk format), but as it's a write-once format with MAC information
stored at each block pointer, this would have the effect of protecting
the entire filesystem from offline tampering.

> This has already been implemented in PEFS:
> https://pefs.io/
> 
> and there's already a port for it:
> https://www.freshports.org/sysutils/pefs-kmod/

Thanks, I'll look into this.
_______________________________________________
freebsd-hackers@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"