
Encrypted datasets in ZFS pools



Note: this is mostly about ZFS pools. I have no idea how this would work for arrays.

 

ZFS has the ability to create encrypted datasets, allowing a more granular control over encryption.

 

Compared to LUKS, it has some clear advantages:

 

1. Encryption, like compression and other features, can be controlled at the dataset level, meaning one does not have to suffer the penalty of FDE via LUKS for the entire pool.

2. Snapshotting is faster (the data structures used for snapshotting itself aren't encrypted) and snapshots can be sent without disclosing the key, meaning off-site backups stay encrypted with full secrecy (and no overhead in decrypting anything during send).

 

LUKS also has its own advantages, but this is beside the point for this feature request, as it can never do encryption for a single dataset (which becomes a share in unRAID) nor keep backups fully secret both in flight and at rest, out of the box, for off-site backups, which already answers the question "but isn't our LUKS support enough?"

 

Unlocking it can be done in similar ways as to LUKS (password, keys located in some external storage, etc.), so I think this is a matter of figuring out the tooling and GUI to support this.

 

Ideally it should work exactly like LUKS does and ask for the password on array start.

 

Open questions: should it ever allow the array to start with an unmounted encrypted dataset? I think the answer should be "no", but input is welcome.

 

References: it seems I'm not the first to talk about it here, but I could not find a real feature request: https://forums.unraid.net/topic/169948-best-way-to-load-key-and-mount-zfs-native-encryption-datasets/
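As an added example (not part of the original post), the dataset-level workflow described above in shell: creating an encrypted dataset, gating array start on key status, and replicating a snapshot with `zfs send --raw` so the backup host never sees the key or plaintext. Pool names, the key path and snapshot names are assumed placeholders; with `DRY_RUN` set the zfs commands are printed instead of executed, so the flow can be read on a machine without ZFS.

```shell
#!/bin/sh
# Added example, not from the original post. Pool "tank", backup pool
# "backup", key path and snapshot names are placeholders. With DRY_RUN set,
# zfs commands are printed instead of run.

zfs_cmd() {
    if [ -n "${DRY_RUN:-}" ]; then printf 'zfs %s\n' "$*"; else zfs "$@"; fi
}

# Encryption is a per-dataset property: only this dataset pays the cost and
# the rest of the pool stays plaintext. keyformat=raw expects a 32-byte key
# file, which is what lets the key be loaded non-interactively at array start.
create_encrypted_dataset() {
    zfs_cmd create -o encryption=aes-256-gcm -o keyformat=raw \
        -o keylocation="file://$2" "$1"
}

# Load the key from the dataset's keylocation property, then mount it.
unlock_dataset() {
    zfs_cmd load-key "$1" && zfs_cmd mount "$1"
}

# keystatus is "available" once the key is loaded, "unavailable" otherwise.
key_loaded() {
    [ "$(zfs_cmd get -H -o value keystatus "$1")" = "available" ]
}

# Filter for `zfs list -H -o name,encryption,keystatus -r POOL` output
# (tab-separated): print encrypted datasets whose key is not loaded.
locked_datasets() {
    awk -F'\t' '$2 != "off" && $3 != "available" { print $1 }'
}

# Array-start gate: refuse if any encrypted dataset in the pool is still locked.
array_start_gate() {
    locked=$(zfs list -H -o name,encryption,keystatus -r "$1" | locked_datasets)
    [ -z "$locked" ] || { printf 'locked: %s\n' "$locked" >&2; return 1; }
}

# Off-site replication without decrypting: --raw streams ciphertext, so the
# receiving host stores the snapshot but never holds the key or the plaintext.
raw_backup() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'zfs send --raw %s | zfs receive -u %s\n' "$1" "$2"
    else
        zfs send --raw "$1" | zfs receive -u "$2"
    fi
}
```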
