

Beginning with version 13.0, FreeBSD supports the long-anticipated OpenZFS native encryption feature. If you’ve used FreeBSD’s GELI encryption in the past, you may have questions regarding the differences between the two encryption schemes, whether you should switch to OpenZFS native encryption, and how to implement it in your environment.

This article begins by summarizing the user-facing differences between FreeBSD GELI disk encryption and OpenZFS native encryption, covering their benefits and limitations. It then provides examples for creating and managing encrypted datasets.

From an end-user implementation perspective, the biggest difference between GELI and OpenZFS native encryption is what gets encrypted. To over-simplify, GELI encrypts disks while OpenZFS encrypts datasets. Let’s look at that distinction more closely:

GELI disk encryption: think of this as a filesystem-agnostic “all or nothing” encryption mechanism which protects physical block devices (disks) below the filesystem layer. At boot time, each GELI-protected disk has to be decrypted before system boot can continue and the overlying filesystem can be mounted. For a system using ZFS that means that each GELI-encrypted disk in a pool has to be decrypted before the pool can be imported, which adds to the complexity of systems with many disks. Worse, ZFS is not aware that it is operating on top of encrypted devices.

NOTE: The 13.0 installer implements GELI if you choose the “encryption” option in the guided ZFS section of the installer. It is recommended to not choose this option during installation if you are going to use the OpenZFS native encryption support.

OpenZFS Dataset Encryption: in contrast to “all or nothing” encryption, OpenZFS native encryption is applied on a per-dataset basis. This offers the flexibility to mix encrypted and non-encrypted datasets in the same pool and means that you do not have to decrypt all datasets when mounting or importing a pool.

With regards to inputting the passphrase for a key: on a GELI system, the password prompt for the key happens early in the boot process; once decryption occurs, the system continues to load as usual. On a system with datasets encrypted with OpenZFS native encryption, bootup occurs normally, but encrypted datasets aren’t mounted until the key is loaded.

Benefits of OpenZFS Native Encryption

From a system administrator’s perspective, there are many benefits to using native encryption rather than running ZFS on top of GELI-encrypted disks. The biggest benefit is that you don’t need to mount encrypted datasets (which requires key access) in order to run ZFS administrative tasks using the zfs or zpool commands. All of ZFS’ data integrity checks understand native encryption, even when the encrypted datasets are unmounted. This means you can perform scrubs, resilvers, snapshots, replication, and other maintenance tasks on unmounted, encrypted datasets, without requiring access to the key.
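The following script is an added example and is not part of the original article or of the FreeBSD/OpenZFS projects. It walks through the per-dataset model described in this section: create one natively encrypted dataset in an otherwise unencrypted pool, unload its key, then snapshot, scrub and raw-send it while the key is absent, and finally audit which encrypted datasets still have a key loaded (the state in which their data is readable). The pool name tank and the dataset tank/secret are assumptions; the zfs workflow needs root on FreeBSD 13.0 or later and only runs when the script is invoked with --run, so the parsing helpers can be exercised on their own with constructed input.

```shell
#!/bin/sh
# Added example, not from the original article.
# POOL and DS are assumed names; override them in the environment.
set -eu

POOL=${POOL:-tank}
DS=${DS:-$POOL/secret}

# Read `zfs get -H -o name,property,value keystatus` lines on stdin and print
# the names of datasets whose key is currently loaded (keystatus=available).
# Unencrypted datasets report "-" and datasets whose key was unloaded report
# "unavailable"; both are skipped.
loaded_keys() {
    awk -F '\t' '$2 == "keystatus" && $3 == "available" { print $1 }'
}

# Number of datasets with a loaded key, as a bare integer. After maintenance
# on unmounted datasets this should be 0.
count_loaded() {
    loaded_keys | wc -l | tr -d ' '
}

demo() {
    # 1. Per-dataset encryption: only DS is encrypted, the pool itself is not.
    #    keylocation=prompt asks for the passphrase on the terminal.
    zfs create -o encryption=aes-256-gcm -o keyformat=passphrase \
        -o keylocation=prompt "$DS"
    zfs get -H -o name,property,value encryption,keystatus "$DS"

    # 2. Unmount the dataset and drop its key; the data is now unreadable.
    zfs unmount "$DS"
    zfs unload-key "$DS"

    # 3. Maintenance without the key: snapshot, scrub, and a raw (-w) send
    #    that replicates the still-encrypted blocks to another system.
    zfs snapshot "$DS@maint"
    zpool scrub "$POOL"
    zfs send -w "$DS@maint" | wc -c

    # 4. Audit the whole pool: no encrypted dataset should have its key loaded.
    n=$(zfs get -H -r -o name,property,value keystatus "$POOL" | count_loaded)
    echo "encrypted datasets with key loaded: $n"

    # 5. Load the key and mount only when the data is actually needed.
    zfs load-key "$DS"
    zfs mount "$DS"
}

if [ "${1:-}" = "--run" ]; then
    demo
fi
```

The audit helper is deliberately separate from the zfs calls so it can be run against captured `zfs get` output; feeding it `zfs get -H -r -o name,property,value keystatus tank` from a cron job is a cheap way to notice datasets that were left unlocked after maintenance.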
