[FreeBSD] Encrypted ZFS Production Ready

Hello,

I’m setting up a server that will be placed in a very remote location and I’m thinking about encrypting all disks using GELI+ZFS. Has anyone run such a setup for a longer period of time? Are there any issues that I need to be aware of? I’ll have IPMI access to the machine in case something bad happens; apart from that I’ll have no access to the device.

Any comments and real life stories would be appreciated :slight_smile:

The only issues I’ve seen people run into revolve around raw-send encrypted replication sometimes getting a bit wonky. I wouldn’t really advise having raw-send encrypted replication as your only form of backup, if it’s going to be in the mix at all, but aside from that I don’t have any concerns or caveats about OpenZFS native encryption specifically.

Why “specifically?” Well, I do have other concerns and caveats, but they apply equally to GELI, LUKS, BitLocker, and so forth–to wit, encryption means you’re playing for all the marbles, so don’t get caught slipping on your backup and recovery game!

AFAIR FreeBSD uses GELI by default when running encrypted ZFS root?
The goal of this machine is to be an off-site backup for my other devices and I think that it would be easier to have just an encrypted pool for backup and stuff, but I have been wrong before :wink:

Depends on what you mean by “encrypted root”. You can’t actually encrypt ZFS at the pool level; native ZFS encryption happens at the individual dataset/zvol level.

You can set FreeBSD up to use either GELI (traditional full-disk encryption) or native OpenZFS encryption. The latter doesn’t prevent an attacker from enumerating the list of datasets and zvols and snapshots, but does not allow an attacker to know anything about the contents beyond the number of on-disk storage blocks used to contain them.

About ten years ago, I built a TrueNAS (previously known as FreeNAS) box. This is basically FreeBSD. It has been running GELI + ZFS RAID-Z2 the whole time without issue. I had to replace one disk, but that was no issue. GELI has worked well for me.

Don’t forget to back up your GELI key.

I didn’t much like having to enter a password when the system boots or powers on from a power failure. I’d still like it much better if zroot/ROOT and other system datasets weren’t encrypted, so that the system can boot fine and, in case the other datasets didn’t mount, at least the server is online and you can ssh into it and mount the other datasets. So I prefer ZFS native encryption, where you would just encrypt the one dataset with the important backup data. Or, well, save the decryption key on the fs, but then what even is the point of encryption.
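
A post-boot check for the layout described in the last post (system datasets in the clear, backup data under native encryption), as an added example that is not part of the thread. The dataset names and sample output are constructed; the script only parses `zfs get` output, listing which encryption roots still need `zfs load-key` and which datasets are stored unencrypted.

```shell
#!/bin/sh
# Expected input (tab-separated: dataset, property, value), as produced by:
#   zfs get -H -o name,property,value encryption,encryptionroot,keystatus
# Real use over SSH after a reboot:  zfs get -H ... | locked_roots

# Print encryption roots whose key is not loaded. Child datasets inherit
# the key from their root, so only the root needs `zfs load-key`.
locked_roots() {
    awk -F '\t' '
        $2 == "encryptionroot" { root[$1] = $3 }
        $2 == "keystatus"      { status[$1] = $3 }
        END {
            for (ds in root)
                if (root[ds] == ds && status[ds] == "unavailable")
                    print ds
        }' | sort
}

# Print datasets stored in the clear, so you can confirm that only the
# boot/system datasets are unencrypted and no backup data is.
cleartext_datasets() {
    awk -F '\t' '$2 == "encryption" && $3 == "off" { print $1 }' | sort
}

# Constructed sample (hypothetical names): unencrypted boot environment,
# one locked encryption root (zroot/backup) with an inheriting child.
sample_zfs_get() {
    printf '%s\t%s\t%s\n' \
        zroot               encryption     off \
        zroot               encryptionroot - \
        zroot               keystatus      - \
        zroot/ROOT/default  encryption     off \
        zroot/ROOT/default  encryptionroot - \
        zroot/ROOT/default  keystatus      - \
        zroot/backup        encryption     aes-256-gcm \
        zroot/backup        encryptionroot zroot/backup \
        zroot/backup        keystatus      unavailable \
        zroot/backup/laptop encryption     aes-256-gcm \
        zroot/backup/laptop encryptionroot zroot/backup \
        zroot/backup/laptop keystatus      unavailable
}

echo "Need 'zfs load-key' then 'zfs mount':"
sample_zfs_get | locked_roots
echo "Stored unencrypted:"
sample_zfs_get | cleartext_datasets
```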