A quick-start guide to OpenZFS native encryption - Ars Technica

Jun 23, 2021

One of the many features OpenZFS brings to the table is ZFS native encryption.

First introduced in OpenZFS 0.8, native encryption allows a system administrator to transparently encrypt data at-rest within ZFS itself.

There's more to OpenZFS native encryption than the algorithms used, though—so we'll try to give you a brief but solid grounding in the sysadmin's-eye perspective on the "why" and "what" as well as the simple "how."

A clever sysadmin who wants to provide at-rest encryption doesn't actually need OpenZFS native encryption, obviously.

Unfortunately, encryption-atop-ZFS introduces a new problem—it effectively nerfs OpenZFS inline compression, since encrypted data is generally incompressible.

OpenZFS native encryption splits the difference: it operates atop the normal ZFS storage layers and therefore doesn't nerf ZFS' own integrity guarantees.
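The ordering problem described above, as an added example that is not from the original article: it compares compressing ciphertext (encryption layered atop ZFS) with compressing first and then encrypting, which is the order OpenZFS native encryption uses. The SHA-256 counter-mode keystream is a stand-in cipher assumed for illustration, not the cipher OpenZFS uses, and the sample data and key are constructed.

```python
import hashlib
import zlib


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (SHA-256 in counter mode); illustration only."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def stored_sizes(plaintext: bytes, key: bytes) -> dict:
    """Return on-disk sizes for both orderings of compression and encryption."""
    # Encryption layered atop ZFS: the compressor only ever sees ciphertext.
    encrypt_then_compress = zlib.compress(keystream_xor(key, plaintext))

    # Compress the plaintext record first, then encrypt the smaller result.
    compress_then_encrypt = keystream_xor(key, zlib.compress(plaintext))

    # XOR with the same keystream decrypts; confirm the data survives intact.
    recovered = zlib.decompress(keystream_xor(key, compress_then_encrypt))

    return {
        "plaintext": len(plaintext),
        "encrypt_then_compress": len(encrypt_then_compress),
        "compress_then_encrypt": len(compress_then_encrypt),
        "round_trip_ok": recovered == plaintext,
    }


# Constructed sample: a highly repetitive log, the kind of data that
# normally compresses very well.
SAMPLE = (
    b"2021-06-23T10:00:00 sshd[1234]: Accepted publickey for admin "
    b"from 192.0.2.10\n" * 2000
)
KEY = b"constructed demo key"

if __name__ == "__main__":
    for name, value in stored_sizes(SAMPLE, KEY).items():
        print(f"{name:>22}: {value}")
```
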

OpenZFS native encryption isn't a full-disk encryption scheme—it's enabled or disabled on a per-dataset / per-zvol basis, and it cannot be turned on for entire pools as a whole.

The contents of encrypted datasets or zvols are protected from at-rest spying—but the metadata describing the datasets/zvols themselves is not.

Let's say we create an encrypted dataset named pool/encrypted, and beneath it we create several more child datasets.

It's worth noting that trying to ls an encrypted dataset which doesn't have its key loaded won't necessarily produce an error.

Now that we've both loaded the necessary key and mounted the datasets, we can see our encrypted data again.

Summarized by 365NEWSX ROBOTS
