Zfs encryption property for freebsd 8.3
Hi, I want to encrypt some disk on my server with ZFS encryption property but it is not available. Does anybody have experience with this?

http://docs.oracle.com/cd/E23824_01/html/821-1448/gkkih.html#scrolltoc
http://www.oracle.com/technetwork/articles/servers-storage-admin/manage-zfs-encryption-1715034.html

These are good explanations, but I got an error and the output shows all properties:

[root@HP ~]# zpool status
  pool: output
 state: ONLINE
  scan: none requested
config:

        NAME        STATE     READ WRITE CKSUM
        output      ONLINE       0     0     0
          ad0s1e    ONLINE       0     0     0

errors: No known data errors
[root@HP ~]# zfs create -o encryption=on output/home
cannot create 'output/home': invalid property 'encryption'
[root@HP ~]# zfs get encryption
bad property list: invalid property 'encryption'
usage:
        get [-rHp] [-d max] [-o all | field[,...]] [-t type[,...]] [-s source[,...]]
            all | property[,...] [filesystem|volume|snapshot] ...

The following properties are supported:

        PROPERTY              EDIT  INHERIT  VALUES

        available             NO    NO       size
        clones                NO    NO       dataset[,...]
        compressratio         NO    NO       1.00x or higher if compressed
        creation              NO    NO       date
        defer_destroy         NO    NO       yes | no
        mounted               NO    NO       yes | no
        origin                NO    NO       snapshot
        refcompressratio      NO    NO       1.00x or higher if compressed
        referenced            NO    NO       size
        type                  NO    NO       filesystem | volume | snapshot
        used                  NO    NO       size
        usedbychildren        NO    NO       size
        usedbydataset         NO    NO       size
        usedbyrefreservation  NO    NO       size
        usedbysnapshots       NO    NO       size
        userrefs              NO    NO       count
        written               NO    NO       size
        aclinherit            YES   YES      discard | noallow | restricted | passthrough | passthrough-x
        aclmode               YES   YES      discard | groupmask | passthrough | restricted
        atime                 YES   YES      on | off
        canmount              YES   NO       on | off | noauto
        casesensitivity       NO    YES      sensitive | insensitive | mixed
        checksum              YES   YES      on | off | fletcher2 | fletcher4 | sha256
        compression           YES   YES      on | off | lzjb | gzip | gzip-[1-9] | zle
        copies                YES   YES      1 | 2 | 3
        dedup                 YES   YES      on | off | verify | sha256[,verify]
        devices               YES   YES      on | off
        exec                  YES   YES      on | off
        jailed                YES   YES      on | off
        logbias               YES   YES      latency | throughput
        mlslabel              YES   YES      sensitivity label
        mountpoint            YES   YES      path | legacy | none
        nbmand                YES   YES      on | off
        normalization         NO    YES      none | formC | formD | formKC | formKD
        primarycache          YES   YES      all | none | metadata
        quota                 YES   NO       size | none
        readonly              YES   YES      on | off
        recordsize            YES   YES      512 to 128k, power of 2
        refquota              YES   NO       size | none
        refreservation        YES   NO       size | none
        reservation           YES   NO       size | none
        secondarycache        YES   YES      all | none | metadata
        setuid                YES   YES      on | off
        sharenfs              YES   YES      on | off | share(1M) options
        sharesmb              YES   YES      on | off | sharemgr(1M) options
        snapdir               YES   YES      hidden | visible
        sync                  YES   YES      standard | always | disabled
        utf8only              NO    YES      on | off
        version               YES   NO       1 | 2 | 3 | 4 | 5 | current
        volblocksize          NO    YES      512 to 128k, power of 2
        volsize               YES   NO       size
        vscan                 YES   YES      on | off
        xattr                 YES   YES      on | off
        userused@...          NO    NO       size
        groupused@...         NO    NO       size
        userquota@...         YES   NO       size | none
        groupquota@...        YES   NO       size | none
        written@snap          NO    NO       size

Sizes are specified in bytes with standard units such as K, M, G, etc.

User-defined properties can be specified by using a name containing a colon (:).

The {user|group}{used|quota}@ properties must be appended with
a user or group specifier of one of these forms:
    POSIX name      (eg: matt)
    POSIX id        (eg: 126829)
    SMB name@domain (eg: matt@sun)
    SMB SID         (eg: S-1-234-567-89)
[root@HP ~]#

How can I use or add the encryption property to FreeBSD 8.3?
Re: Zfs encryption property for freebsd 8.3
On 03/09/2013 14:14, Emre Çamalan wrote:
> Hi, I want to encrypt some disk on my server with ZFS encryption property but it is not available.

That would require ZFS v30. As far as I am aware Oracle has not released the code under CDDL.

From http://forums.freebsd.org/showthread.php?t=30036

So you can use ZFS pools on GELI volumes; it can be a good start. I have not played with it.

-- 
Florent Peterschmitt           | Please:
flor...@peterschmitt.fr        |  * Avoid HTML/RTF in E-mail.
+33 (0)6 64 33 97 92           |  * Send PDF for documents.
http://florent.peterschmitt.fr |  * Trim your quotations. Really.
Proudly powered by Open Source | Thank you :)
Re: Zfs encryption property for freebsd 8.3
On Tue, Sep 3, 2013 at 6:22 AM, Florent Peterschmitt flor...@peterschmitt.fr wrote:
> On 03/09/2013 14:14, Emre Çamalan wrote:
>> Hi, I want to encrypt some disk on my server with ZFS encryption property but it is not available.
>
> That would require ZFS v30. As far as I am aware Oracle has not released the code under CDDL.

Oracle's ZFS encryption is crap anyway. It works at the filesystem level, not the pool level, so a lot of metadata is in plaintext; I don't remember how much exactly. It's also highly vulnerable to watermarking attacks.

> From http://forums.freebsd.org/showthread.php?t=30036
>
> So you can use ZFS pools on GELI volumes; it can be a good start. I have not played with it.

GELI is full-disk encryption. It's far superior to ZFS encryption.

___
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to freebsd-hackers-unsubscr...@freebsd.org
Re: Zfs encryption property for freebsd 8.3
On 03/09/2013 16:53, Alan Somers wrote:
> GELI is full-disk encryption. It's far superior to ZFS encryption.

Yup, but is there a possibility to encrypt a ZFS volume (not a whole pool) with a separate GELI partition?

Also, in-ZFS encryption would be a nice thing if it could work like an LVM/LUKS where each logical LVM volume can be encrypted or not and have its own crypt key.

I saw that Illumos has ZFS encryption in the TODO list.

-- 
Florent Peterschmitt
Re: Zfs encryption property for freebsd 8.3
On Tue, Sep 3, 2013 at 9:01 AM, Florent Peterschmitt flor...@peterschmitt.fr wrote:
> On 03/09/2013 16:53, Alan Somers wrote:
>> GELI is full-disk encryption. It's far superior to ZFS encryption.
>
> Yup, but is there a possibility to encrypt a ZFS volume (not a whole pool) with a separate GELI partition?

You mean encrypt a zvol with GELI and put a file system on that? I suppose that would work, but I bet that it would be slow.

> Also, in-ZFS encryption would be a nice thing if it could work like an LVM/LUKS where each logical LVM volume can be encrypted or not and have its own crypt key.

My understanding is that this is exactly how Oracle's ZFS encryption works. Each ZFS filesystem can have its own key, or be in plaintext. Every cryptosystem involves a tradeoff between security and convenience, and ZFS encryption goes fairly hard toward convenience. In particular, Oracle decided that encrypted files must be deduplicatable. A necessary result is that they are trivially vulnerable to watermarking attacks.

https://blogs.oracle.com/darren/entry/zfs_encryption_what_is_on

> I saw that Illumos has ZFS encryption in the TODO list.
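
Added example, not part of the mailing-list thread and not Oracle's or GELI's code: a standard-library model of the trade-off raised in the last message, where encryption that keeps equal blocks deduplicatable also makes them recognizable in ciphertext. The HMAC-based keystream, the block size and the sample blocks are constructed assumptions.

```python
import hashlib
import hmac
import os
from collections import Counter

BLOCK = 4096  # constructed record size for this model


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Stdlib stand-in for a real cipher: HMAC-SHA256 run in counter mode."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_block(key: bytes, block: bytes, dedup_friendly: bool) -> bytes:
    """Return iv || ciphertext for one block.

    dedup_friendly=True derives the IV from the plaintext, so equal blocks
    give equal ciphertext, which is what deduplication needs.
    dedup_friendly=False draws a fresh random IV for every write.
    """
    if dedup_friendly:
        iv = hmac.new(key, b"iv" + block, hashlib.sha256).digest()[:16]
    else:
        iv = os.urandom(16)
    stream = _keystream(key, iv, len(block))
    return iv + bytes(p ^ s for p, s in zip(block, stream))


def repeated_ciphertexts(key: bytes, blocks: list, dedup_friendly: bool) -> int:
    """Count ciphertext blocks that an observer without the key sees repeated."""
    seen = Counter(encrypt_block(key, b, dedup_friendly) for b in blocks)
    return sum(n for n in seen.values() if n > 1)


# Constructed sample: three copies of one marked block among unique blocks.
KEY = os.urandom(32)
MARKED = b"known-file-block".ljust(BLOCK, b"\0")
DISK = [os.urandom(BLOCK), MARKED, os.urandom(BLOCK), MARKED, MARKED]

if __name__ == "__main__":
    print("dedup-friendly IV:", repeated_ciphertexts(KEY, DISK, True))
    print("random IV:        ", repeated_ciphertexts(KEY, DISK, False))
```

The deterministic mode is the only one a deduplicating store can use on ciphertext, and it is also the only one in which the repeated block is visible without the key.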