[FreeBSD] Encrypted ZFS Production Ready


I’m setting up a server that will be placed in a very remote location and i’m thinking about encrypting all disks using GEIL+ZFS. Has anyone run such setup for a longer period of time? Are there any issues that i need to be aware of? I’ll have IPMI access to the machine in case something bad happens, apart from that i’ll have no access to the device.

Any comments and real life stories would be appreciated :slight_smile:

1 Like

The only issues I’ve seen people run into revolve around raw-send encrypted replication sometimes getting a bit wonky. I wouldn’t really advise having raw-send encrypted replication as your only form of backup, if it’s going to be in the mix at all, but aside from that I don’t have any concerns or caveats about OpenZFS native encryption specifically.

Why “specifically?” Well, I do have other concerns and caveats, but they apply equally to GELI, LUKS, BitLocker, and so forth–to wit, encryption means you’re playing for all the marbles, so don’t get caught slipping on your backup and recovery game!

1 Like

AFAIR FreeBSD uses GEIL by default when running encrypted ZFS root?
The goal of this machine is to be an off-site backup for my other devices and i think that it would be easier to have just encrypted pool for backup and stuff but have been wrong before :wink:

Depends on what you mean by “encrypted root”. You can’t actually encrypt ZFS at the pool level; native ZFS encryption happens at the individual dataset/zvol level.

You can set FreeBSD up to use either GELI (traditional full-disk encryption) or native OpenZFS encryption. The latter doesn’t prevent an attacker from enumerating the list of datasets and zvols and snapshots, but does not allow an attacker to know anything about the contents beyond the number of on-disk storage blocks used to contain them.