Can ZFS be encrypted?

Posted on by David Darling

Can ZFS be encrypted?

ZFS encryption is integrated with the ZFS command set. Like other ZFS operations, encryption operations such as key changes and rekey are performed online. You can use your existing storage pools as long as they are upgraded. You have the flexibility of encrypting specific file systems.

How do you mount encrypted ZFS?

If you want to mount a file system with an encryption policy set to passphrase,prompt at boot time, you will need to either explicitly mount it with the zfs mount command and specify the passphrase or use the zfs key –l command to be prompted for the key after the system is booted.

How do you encrypt ZFS pool?

Let’s do it

  1. Generate encryption key. sudo dd if=/dev/random of=/root/.zfs-encrypt.key bs=1 count=32.
  2. Create encrypted ZFS pool.
  3. /etc/systemd/system/zfs-load-key.service.
  4. Enable key load service.
  5. Initial pool configuration.
  6. Create ZFS datasets and configure them.
  7. Checking if TLER is supported.
  8. Enabling TLER.

Is ZFS secure?

The zFS file system is the only physical file system with support for security labels in a multilevel-secure environment.

How does ZFS encryption work?

A final note: ZFS doesn’t actually encrypt your data directly with a supplied passphrase; it encrypts your data with a pseudo-randomly generated master-key. Your passphrase unlocks that master-key, which then becomes available for use working with the volume itself!

What is Luks disk encryption?

LUKS Disk Encryption. LUKS is a platform-independent disk encryption specification originally developed for the Linux OS. LUKS is a de-facto standard for disk encryption in Linux, facilitating compatibility among various Linux distributions and providing secure management of multiple user passwords.

How strong is ZFS encryption?

ZFS encrypts data with AES-256 in GCM mode by default, with options for 128, 192 or 256-bit keys and CCM or GCM modes. Information about the encryption algorithm, key length and mode is stored in the encryption metadata.

How stable is ZFS?

ZFS is licensed under the Common Development and Distribution License (CDDL). Described as “The last word in filesystems”, ZFS is stable, fast, secure, and future-proof. Being licensed under the CDDL, and thus incompatible with GPL, it is not possible for ZFS to be distributed along with the Linux Kernel.

Is ZFS encryption slow?

ZFS native encryption is very slow compared to non-encrypted datasets and ZFS on LUKS. It shouldn’t be a CPU throughput problem, as both cryptsetup and Openssl reach very high speeds during benchmarks.

Why is ZFS so good?

Huge Storage potential When ZFS was created, it was designed to be the last word in file systems. At a time when most file systems where 64-bit, the ZFS creators decided to jump right to 128-bit to future proof it. This means that ZFS “offers 16 billion billion times the capacity of 32- or 64-bit systems”.

Is LUKS encryption safe?

Yes, it is secure. Ubuntu uses AES-256 to encrypt the disk volume and has a cypher feedback to help protect it from frequency attacks and others attacks that target statically encrypted data. As an algorithm, AES is secure and this has been proved by crypt-analysis testing.