Zfs encryption property for freebsd 8.3

2013-09-03 Thread Emre Çamalan
Hi,
I want to encrypt some disk on my server with the ZFS encryption property, but it is
not available.

Does anybody have experience with this?


http://docs.oracle.com/cd/E23824_01/html/821-1448/gkkih.html#scrolltoc
http://www.oracle.com/technetwork/articles/servers-storage-admin/manage-zfs-encryption-1715034.html

These are good explanations, but I got an error and the output shows all the properties:


[root@HP ~]# zpool status
  pool: output
 state: ONLINE
  scan: none requested
config:

NAME        STATE     READ WRITE CKSUM
output      ONLINE       0     0     0
  ad0s1e    ONLINE       0     0     0

errors: No known data errors
[root@HP ~]# zfs create -o encryption=on output/home
cannot create 'output/home': invalid property 'encryption'
[root@HP ~]# zfs get encryption
bad property list: invalid property 'encryption'
usage:
get [-rHp] [-d max] [-o all | field[,...]] [-t type[,...]] [-s source[,...]]
all | property[,...] [filesystem|volume|snapshot] ...

The following properties are supported:

PROPERTY              EDIT  INHERIT  VALUES

available               NO       NO  size
clones                  NO       NO  dataset[,...]
compressratio           NO       NO  1.00x or higher if compressed
creation                NO       NO  date
defer_destroy           NO       NO  yes | no
mounted                 NO       NO  yes | no
origin                  NO       NO  snapshot
refcompressratio        NO       NO  1.00x or higher if compressed
referenced              NO       NO  size
type                    NO       NO  filesystem | volume | snapshot
used                    NO       NO  size
usedbychildren          NO       NO  size
usedbydataset           NO       NO  size
usedbyrefreservation    NO       NO  size
usedbysnapshots         NO       NO  size
userrefs                NO       NO  count
written                 NO       NO  size
aclinherit             YES      YES  discard | noallow | restricted | passthrough | passthrough-x
aclmode                YES      YES  discard | groupmask | passthrough | restricted
atime                  YES      YES  on | off
canmount               YES       NO  on | off | noauto
casesensitivity         NO      YES  sensitive | insensitive | mixed
checksum               YES      YES  on | off | fletcher2 | fletcher4 | sha256
compression            YES      YES  on | off | lzjb | gzip | gzip-[1-9] | zle
copies                 YES      YES  1 | 2 | 3
dedup                  YES      YES  on | off | verify | sha256[,verify]
devices                YES      YES  on | off
exec                   YES      YES  on | off
jailed                 YES      YES  on | off
logbias                YES      YES  latency | throughput
mlslabel               YES      YES  sensitivity label
mountpoint             YES      YES  path | legacy | none
nbmand                 YES      YES  on | off
normalization           NO      YES  none | formC | formD | formKC | formKD
primarycache           YES      YES  all | none | metadata
quota                  YES       NO  size | none
readonly               YES      YES  on | off
recordsize             YES      YES  512 to 128k, power of 2
refquota               YES       NO  size | none
refreservation         YES       NO  size | none
reservation            YES       NO  size | none
secondarycache         YES      YES  all | none | metadata
setuid                 YES      YES  on | off
sharenfs               YES      YES  on | off | share(1M) options
sharesmb               YES      YES  on | off | sharemgr(1M) options
snapdir                YES      YES  hidden | visible
sync                   YES      YES  standard | always | disabled
utf8only                NO      YES  on | off
version                YES       NO  1 | 2 | 3 | 4 | 5 | current
volblocksize            NO      YES  512 to 128k, power of 2
volsize                YES       NO  size
vscan                  YES      YES  on | off
xattr                  YES      YES  on | off
userused@...            NO       NO  size
groupused@...           NO       NO  size
userquota@...          YES       NO  size | none
groupquota@...         YES       NO  size | none
written@snap            NO       NO  size

Sizes are specified in bytes with standard units such as K, M, G, etc.

User-defined properties can be specified by using a name containing a colon (:).

The {user|group}{used|quota}@ properties must be appended with
a user or group specifier of one of these forms:
    POSIX name      (eg: matt)
    POSIX id        (eg: 126829)
    SMB name@domain (eg: matt@sun)
    SMB SID         (eg: S-1-234-567-89)
[root@HP ~]# 

How can I use or add the encryption property to FreeBSD 8.3?


Re: Zfs encryption property for freebsd 8.3

2013-09-03 Thread Florent Peterschmitt
On 03/09/2013 14:14, Emre Çamalan wrote:
> Hi,
> I want to encrypt some disk on my server with Zfs encryption property but it
> is not available.

That would require ZFS v30. As far as I am aware Oracle has not
released the code under CDDL.

From http://forums.freebsd.org/showthread.php?t=30036

So you can use ZFS pools on GELI volumes; it can be a good start. I have not
played with it.

-- 
Florent Peterschmitt   | Please:
flor...@peterschmitt.fr|  * Avoid HTML/RTF in E-mail.
+33 (0)6 64 33 97 92   |  * Send PDF for documents.
http://florent.peterschmitt.fr |  * Trim your quotations. Really.
Proudly powered by Open Source | Thank you :)





Re: Zfs encryption property for freebsd 8.3

2013-09-03 Thread Alan Somers
On Tue, Sep 3, 2013 at 6:22 AM, Florent Peterschmitt
flor...@peterschmitt.fr wrote:
> On 03/09/2013 14:14, Emre Çamalan wrote:
>> Hi,
>> I want to encrypt some disk on my server with Zfs encryption property but it
>> is not available.
>
> That would require ZFS v30. As far as I am aware Oracle has not
> released the code under CDDL.

Oracle's ZFS encryption is crap anyway.  It works at the filesystem
level, not the pool level, so a lot of metadata is in plaintext; I
don't remember how much exactly.  It's also highly vulnerable to
watermarking attacks.


> From http://forums.freebsd.org/showthread.php?t=30036
>
> So you can use ZFS pools on GELI volumes; it can be a good start. I have not
> played with it.

GELI is full-disk encryption.  It's far superior to ZFS encryption.



___
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to freebsd-hackers-unsubscr...@freebsd.org


Re: Zfs encryption property for freebsd 8.3

2013-09-03 Thread Florent Peterschmitt
On 03/09/2013 16:53, Alan Somers wrote:
> GELI is full-disk encryption.  It's far superior to ZFS encryption.

Yup, but is there a possibility to encrypt a ZFS volume (not a whole
pool) with a separate GELI partition?

Also, in-ZFS encryption would be a nice thing if it could work like an
LVM/LUKS where each logical LVM volume can be encrypted or not and have
its own crypt key.

I saw that Illumos has ZFS encryption in the TODO list.



Re: Zfs encryption property for freebsd 8.3

2013-09-03 Thread Alan Somers
On Tue, Sep 3, 2013 at 9:01 AM, Florent Peterschmitt
flor...@peterschmitt.fr wrote:
> On 03/09/2013 16:53, Alan Somers wrote:
>> GELI is full-disk encryption.  It's far superior to ZFS encryption.
>
> Yup, but is there a possibility to encrypt a ZFS volume (not a whole
> pool) with a separate GELI partition?

You mean encrypt a zvol with GELI and put a file system on that?  I
suppose that would work, but I bet that it would be slow.


> Also, in-ZFS encryption would be a nice thing if it could work like an
> LVM/LUKS where each logical LVM volume can be encrypted or not and have
> its own crypt key.

My understanding is that this is exactly how Oracle's ZFS encryption
works.  Each ZFS filesystem can have its own key, or be in plaintext.
Every cryptosystem involves a tradeoff between security and
convenience, and ZFS encryption goes fairly hard toward convenience.
In particular, Oracle decided that encrypted files must be
deduplicatable.  A necessary result is that they are trivially
vulnerable to watermarking attacks.

https://blogs.oracle.com/darren/entry/zfs_encryption_what_is_on


> I saw that Illumos has ZFS encryption in the TODO list.


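The link made in the last reply between deduplicatable encryption and watermarking, as an added sketch that is not part of the thread and not Oracle's or FreeBSD's code. It assumes a simplified model in which the dedup-friendly mode derives each block's IV from the plaintext; the toy cipher, `KEY`, and all function names are hypothetical.

```python
import hashlib
import hmac
import os

BLOCK = 4096
KEY = b"k" * 32  # constructed demo key


def keystream(key, iv, n):
    # Toy stream cipher (SHA-256 in counter mode); a stand-in, not for real use.
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + iv + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:n]


def encrypt_block(key, block, dedup_friendly):
    if dedup_friendly:
        # Assumed model: IV derived from the plaintext, so equal blocks
        # encrypt to equal ciphertext and can still be deduplicated.
        iv = hmac.new(key, block, hashlib.sha256).digest()[:16]
    else:
        iv = os.urandom(16)  # fresh IV per write: equal blocks look unrelated
    ks = keystream(key, iv, len(block))
    return iv + bytes(p ^ k for p, k in zip(block, ks))


def encrypt_dataset(key, data, dedup_friendly):
    return [encrypt_block(key, data[i:i + BLOCK], dedup_friendly)
            for i in range(0, len(data), BLOCK)]


def equality_pattern(stored):
    # What someone holding only the disk image sees: for each stored block,
    # the index of the first block with identical bytes.
    first = {}
    return [first.setdefault(blk, i) for i, blk in enumerate(stored)]


def sample_data():
    # Constructed input: a file whose blocks repeat in the layout A B A A B,
    # followed by one unrelated block.
    a, b = b"A" * BLOCK, b"B" * BLOCK
    return a + b + a + a + b + bytes(range(256)) * (BLOCK // 256)


if __name__ == "__main__":
    for mode in (True, False):
        print(mode, equality_pattern(encrypt_dataset(KEY, sample_data(), mode)))
```

In the dedup-friendly mode the A B A A B layout is visible in the ciphertext without the key, which is the equality leak a watermark relies on; with a fresh IV per block every stored block is distinct.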