andrebrait Posted August 14

Note: this is mostly about ZFS pools. I have no idea how this would work for arrays.

ZFS has the ability to create encrypted datasets, allowing more granular control over encryption. Compared to LUKS, it has some clear advantages:

1. Encryption, like compression and other features, can be controlled at the dataset level, meaning one does not have to suffer the penalty of FDE via LUKS for the entire pool.
2. Snapshotting is faster (the data structures used for snapshotting itself aren't encrypted) and snapshots can be sent without disclosing the key, meaning off-site backups stay encrypted with full secrecy (and no overhead in decrypting anything during send).

LUKS also has its own advantages, but this is beside the point for this feature request, as it can never do encryption for a single dataset (which becomes a share in unRAID) nor keep backups fully secret both in flight and at rest, out of the box, for off-site backups; which already answers the question "but isn't our LUKS support enough?"

Unlocking it can be done in similar ways to LUKS (password, keys located in some external storage, etc.), so I think this is a matter of figuring out the tooling and GUI to support this. Ideally it should work exactly like LUKS does and ask for the password on array start.

Open questions: should it ever allow the array to start with an unmounted encrypted dataset? I think the answer should be "no", but input is welcome.

References: it seems I'm not the first to talk about it here, but I could not find a real feature request: https://forums.unraid.net/topic/169948-best-way-to-load-key-and-mount-zfs-native-encryption-datasets/
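The workflow the post describes (per-dataset encryption, unlocking from a key file at start, a raw send that never exposes the key, and a check for datasets left locked) written out as an added POSIX sh example. This is not code from the post or from unRAID; the pool `tank`, dataset `tank/secret`, key path `/root/keys/tank-secret.key` and the ssh host `backup` are assumed names.

```shell
#!/bin/sh
# Added example: ZFS native encryption workflow for one dataset.
# Not code from the forum post or from unRAID. Hypothetical names:
# pool "tank", dataset "tank/secret", key file /root/keys/tank-secret.key,
# backup host "backup" reached over ssh, target dataset given per call.
set -eu

POOL="${POOL:-tank}"
DATASET="${DATASET:-tank/secret}"
KEYFILE="${KEYFILE:-/root/keys/tank-secret.key}"

# keyformat=raw needs exactly 32 bytes; keep the file root-only.
make_key() {
    umask 077
    mkdir -p "$(dirname "$KEYFILE")"
    head -c 32 /dev/urandom > "$KEYFILE"
}

# Encryption is a dataset property fixed at creation; siblings under the
# same pool stay unencrypted, so only this share pays the AES cost.
create_encrypted_dataset() {
    zfs create \
        -o encryption=aes-256-gcm \
        -o keyformat=raw \
        -o keylocation="file://$KEYFILE" \
        "$DATASET"
}

# Unlock on array start: load the wrapping key from keylocation, then mount.
# Without the key the dataset shows up in "zfs list" but cannot be mounted.
unlock() {
    zfs load-key "$DATASET"
    zfs mount "$DATASET"
}

# Lock: unmount, then drop the key from kernel memory.
lock() {
    zfs unmount "$DATASET"
    zfs unload-key "$DATASET"
}

# Raw (-w) send streams the on-disk ciphertext; the receiver stores it
# encrypted at rest and never needs the key. -u leaves it unmounted there.
raw_backup() {
    snap="$1"
    target="$2"
    zfs snapshot "$DATASET@$snap"
    zfs send -w "$DATASET@$snap" | ssh backup zfs receive -u "$target"
}

# Check for the "array started with a locked dataset" case: print every
# dataset in the pool whose key is not loaded (keystatus=unavailable).
find_locked() {
    TAB="$(printf '\t')"
    zfs list -H -o name,keystatus -r "$POOL" |
    while IFS="$TAB" read -r name status; do
        if [ "$status" = "unavailable" ]; then
            printf '%s\n' "$name"
        fi
    done
}

# Typical use on a host with the pool imported (run as root):
#   make_key && create_encrypted_dataset && unlock
#   raw_backup nightly-1 backup/secret
#   [ -z "$(find_locked)" ] || echo "some datasets are still locked"
```

For the LUKS-style password prompt at array start, create the dataset with `keyformat=passphrase` and `keylocation=prompt` instead of the key file; `zfs load-key` then reads the passphrase from stdin. Because the raw send never ships the key, the receiving side cannot read the data, so the key file (or passphrase) has to be backed up separately from the stream.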