Does ZFS on Linux already support Encryption? If not, is it planned?
I found tons of info for ZFS+LUKS but that's absolutely uninteresting: I want ZFS encryption so that I can do replication using zfs send to an "untrusted" backup server. I.e., zfs send fragments should be encrypted.
If ZoL does not support encryption, is there a more elegant way other than creating zVols and using LUKS+EXT on top of it (losing many ZFS advantages)?
Not yet.
Work's in progress
ZFS Crypto support · Issue #494 · zfsonlinux/zfs · GitHub (2011-12-14)
ZFS Encryption by tcaputi · Pull Request #4329 · zfsonlinux/zfs (2016-02-11) – 593 parts to the conversation, "… too big for github to handle effectively … moving it to a new PR …"
ZFS Encryption by tcaputi · Pull Request #5769 · zfsonlinux/zfs (2017-02-09)
References
How to Manage ZFS Data Encryption (Darren Moffat, Oracle, 2012-07-23)
ZFS Native Encryption by Tom Caputi - YouTube (2016-10-10)
Native encryption coming to OpenZFS! zfs create -o encryption=on. Thank you Tom Caputi @datto (Matthew Ahrens, 2017-03-17)
Alternatives to the works in progress
As others have pointed out, you do have the option of LUKS – Linux Unified Key Setup – on ZFS on Linux (ZoL).
Typically for folks using ZoL that want encryption, encryptfs isn't desirable because you lose both performance and functionality.
ZFS works best when it is the filesystem, not when you layer others on top of it (again, you can, but it's suboptimal). This is what encryptfs does (layers an encrypted filesystem on top of ZFS), and exactly why you see so much about LUKS (which works the other way around - it can configure ZFS on top of an encrypted container which is managed by the kernel - very performant for what it's doing and you don't lose any ZFS features).
Unfortunately, as others have noted, ZoL does in fact not include native filesystem encryption such as in the Oracle implementation at this time. You've got to layer your encryption above (encryptfs) or below (LUKS) the ZFS magic.
No, ZFS on Linux doesn't support native encryption. Another option is encryptfs, but at this juncture, you're not going to find a native solution.
In Arch Linux using zfs-dkms-git will currently give you the 0.8.0_rc1 kernel modules with native encryption. See GitHub 0.8.0 Milestone for progress.
When you create the encrypted devices the default option uses aes-256-ccm. If you do not need deduplication you will get better performance using -o encryption=aes-256-gcm
Check for native encryption support with:
grep ZFS_PROP_ENCRYPTION /usr/src/zfs-*/include/sys/fs/zfs.h
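The header check and cipher choice from the answer above, combined with the replication to an untrusted backup server that the question asks about, as an added example that is not part of any of the original answers. Dataset, snapshot and host names are hypothetical, and the ZFS and HDR_GLOB override variables are assumptions of this example; it relies on the raw send flag (zfs send -w) available in releases with native encryption.

```shell
#!/bin/sh
# Added example: encrypted dataset plus raw replication to an untrusted host.
# Assumptions: ZFS and HDR_GLOB are overridable so the functions can be
# pointed at another binary or source tree; all names are hypothetical.
ZFS=${ZFS:-zfs}
HDR_GLOB=${HDR_GLOB:-/usr/src/zfs-*/include/sys/fs/zfs.h}

# Same check as the grep above: do the installed module sources define
# the encryption property at all?
has_native_encryption() {
    # HDR_GLOB is intentionally unquoted so the shell expands the wildcard.
    grep -q ZFS_PROP_ENCRYPTION $HDR_GLOB 2>/dev/null
}

# Create a dataset encrypted with aes-256-gcm. The passphrase is prompted
# for locally; the key is never stored on or sent to the backup server.
create_encrypted() {
    has_native_encryption || { echo "no native encryption support" >&2; return 1; }
    "$ZFS" create -o encryption=aes-256-gcm -o keyformat=passphrase \
        -o keylocation=prompt "$1"
}

# Snapshot dataset $1 as $1@$2 and write a raw (-w) stream to stdout.
# A raw stream carries the blocks as stored on disk, so it is ciphertext
# only if the dataset is encrypted: refuse to send when it is not.
send_raw() {
    enc=$("$ZFS" get -H -o value encryption "$1") || return 1
    [ "$enc" != "off" ] || { echo "$1 is not encrypted, refusing to send" >&2; return 1; }
    "$ZFS" snapshot "$1@$2" && "$ZFS" send -w "$1@$2"
}

# Usage (hypothetical pool, dataset and host names):
#   create_encrypted tank/secure
#   send_raw tank/secure backup1 | ssh backuphost zfs receive -u backup/secure
# The receiving side stores the stream without ever loading the key.
```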
The commit was merged and now version 0.7.1 supports full native encryption on Linux.