13

Does ZFS on Linux already support Encryption? If not, is it planned?

I found tons of info for ZFS+LUKS but that's absolutely uninteresting: I want ZFS encryption so that I can do replication using zfs send to an "untrusted" backup server. I.e., zfs send fragments should be encrypted.

If ZoL does not support encryption, is there a more elegant way other than creating zVols and using LUKS+EXT on top of it (losing many ZFS advantages)?

divB
  • `zfs send | gpg` works well. Don't make things more complicated than you have to. – Michael Hampton Jul 01 '14 at 04:39
  • 2
    I probably just wouldn't store my backups there... – ewwhite Jul 01 '14 at 04:40
  • @MichaelHampton: You are right but then on the other hand I can't receive it on the backup target. The idea would be to do zfs send and work completely with incremental snapshots. From the backup server in turn, the snapshots should again be archived to another location. Or does this still work with GPG too? (BTW: I assume the gpg pipe does not create much overhead, right?) – divB Jul 01 '14 at 06:22
  • @ewwhite: Maybe but you don't know my setup. In any case: It is my own server with own drive (i.e., no WAN/internet). I still want the stuff to be encrypted because it is not stored in the server rack as the server is. – divB Jul 01 '14 at 06:23

5 Answers

9

Not yet.

Work's in progress

ZFS Crypto support · Issue #494 · zfsonlinux/zfs · GitHub (2011-12-14)

ZFS Encryption by tcaputi · Pull Request #4329 · zfsonlinux/zfs (2016-02-11) – 593 parts to the conversation, "… too big for github to handle effectively … moving it to a new PR …"

ZFS Encryption by tcaputi · Pull Request #5769 · zfsonlinux/zfs (2017-02-09)

References

How to Manage ZFS Data Encryption (Darren Moffat, Oracle, 2012-07-23)

ZFS Native Encryption by Tom Caputi - YouTube (2016-10-10)

Native encryption coming to OpenZFS! zfs create -o encryption=on. Thank you Tom Caputi @datto (Matthew Ahrens, 2017-03-17)

Alternatives to the works in progress

As others have pointed out, you do have the option of LUKS – Linux Unified Key Setup – on ZFS on Linux (ZoL).

steakunderscore
  • Parallel work in progress: [Native data and metadata encryption for zfs by lundman · Pull Request #124 · openzfs/openzfs](https://github.com/openzfs/openzfs/pull/124) – Graham Perrin Mar 29 '17 at 18:24
  • 1
    Worth noting that Tom Caputi's pull request #5769 linked above was merged to master last year, but isn't expected to be released until 0.8.0 (despite the fact that there have been several 0.7.x releases since it was merged: point releases include cherry-picked patches that are considered important and stable, and encryption is considered too major to be included in one) – Jules Mar 10 '18 at 00:51
7

Typically for folks using ZoL that want encryption, ecryptfs isn't desirable because you lose both performance and functionality.

ZFS works best when it is the filesystem, not when you layer others on top of it (again, you can, but it's suboptimal). This is what ecryptfs does (layers an encrypted filesystem on top of ZFS), and exactly why you see so much about LUKS (which works the other way around - it can configure ZFS on top of an encrypted container which is managed by the kernel - very performant for what it's doing and you don't lose any ZFS features).

Unfortunately, as others have noted, ZoL does in fact not include native filesystem encryption such as in the Oracle implementation at this time. You've got to layer your encryption above (ecryptfs) or below (LUKS) the ZFS magic.

Chris Tonkinson
5

No, ZFS on Linux doesn't support native encryption. Another option is ecryptfs, but at this juncture, you're not going to find a native solution.

ewwhite
  • The post states the reason is that Oracle hasn't released the source. But doesn't FreeBSD support the encryption? Then I wonder why ZoL does not ... In any case, thanks for the ecryptfs pointer I will think about it ... – divB Jul 01 '14 at 06:26
  • Ok, I just see ecryptfs does not support ACLs unfortunately. So no option :-( – divB Jul 01 '14 at 06:28
  • 1
    I thought I'd seen something about FreeNAS' encrypted-ZFS support, but can't readily find it. The take-away of it, however, was that FreeNAS just uses the FreeBSD equivalent of running ZFS on top of LUKS. @divB – user Jul 12 '14 at 13:18
2

In Arch Linux, using zfs-dkms-git will currently give you the 0.8.0_rc1 kernel modules with native encryption. See the GitHub 0.8.0 Milestone for progress.

  • When you create the encrypted devices the default option uses aes-256-ccm. If you do not need deduplication you will get better performance using -o encryption=aes-256-gcm

  • Check for native encryption support with:

    grep ZFS_PROP_ENCRYPTION /usr/src/zfs-*/include/sys/fs/zfs.h

Stuart Cardall
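
The header check and cipher option from this answer, applied to the question's goal of replicating to an untrusted backup server, as an added example that is not part of any answer on this page. It assumes OpenZFS 0.8.0 or later, where `zfs send -w` (raw send) transmits blocks still encrypted; the function names and their arguments are made up for the illustration.

```shell
#!/bin/sh
# Added example. Dataset, snapshot and host names are supplied by the caller.

# The grep from the answer, as a function a script can branch on.
# $1 optionally overrides the header path (used to test against a
# constructed file); left unquoted so the default glob expands.
has_native_encryption() {
    grep -qs ZFS_PROP_ENCRYPTION ${1:-/usr/src/zfs-*/include/sys/fs/zfs.h}
}

# True when an "encryption" property value means the dataset is encrypted.
# Empty (property unknown to this build), "off" and "-" all mean it is not.
cipher_is_set() {
    case "$1" in
        ''|off|-) return 1 ;;
        *) return 0 ;;
    esac
}

# Create a dataset with the GCM cipher mentioned in the answer.
# zfs prompts for the passphrase on the terminal.
# usage: create_encrypted pool/data
create_encrypted() {
    has_native_encryption ||
        { echo "this ZFS build has no native encryption" >&2; return 2; }
    zfs create -o encryption=aes-256-gcm -o keyformat=passphrase "$1"
}

# Raw replication of one snapshot. The stream leaves this host already
# encrypted and the receiver stores it without ever loading the key, so
# the backup server can hold and forward snapshots but not read them.
# usage: replicate_raw pool/data@new backup-host backuppool/data [@prev]
replicate_raw() {
    snap=$1; host=$2; target=$3; prev=$4
    # Refuse to ship a dataset that is not encrypted at rest: without
    # this guard a mistyped name would reach the remote in cleartext.
    cipher_is_set "$(zfs get -H -o value encryption "${snap%@*}" 2>/dev/null)" ||
        { echo "${snap%@*} is not encrypted; refusing to send" >&2; return 3; }
    if [ -n "$prev" ]; then
        zfs send -w -i "$prev" "$snap"   # incremental since @prev
    else
        zfs send -w "$snap"              # first full copy
    fi | ssh "$host" zfs receive -u "$target"
}
```

The stream itself is encrypted, but the ssh transport is still what authenticates the backup host and keeps the transfer private on the wire.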
0

The commit was merged and now version 0.7.1 supports full native encryption on Linux.

Ural
  • I've just tried 0.7.6, and it is definitely not included as yet. Comments on reddit suggest that it won't be merged into the 0.7.x branch, and therefore won't be released until 0.8.0 is released. – Jules Mar 10 '18 at 00:53