The future of the ZFS native encryption

The developer of the ZFS native encryption, Tom Caputi, has left the project. It seems that the code has not been developed since Tom left.

The leadership says the encryption feature works for most people. There seem to be a few bugs related to snapshots and raw zfs send in special situations, but no one has lost data.

But as other features are developed, OpenZFS probably needs to develop encryption code as well. Are there new people that might take up the encryption code in the near future?

Or the feature might at some point be dropped? Or perhaps it will remain as it is, tracking the number of bugs?

Does anyone have some inside information?!


Short answer: no, encryption support is not going anywhere.

Really, it’s standard open source stuff. People come, people go, companies come, companies go. Whoever is around at any given moment has limited time available and has their own interests and agenda and whatever to work on. And yes, that sucks if there’s no one with the time or know-how to work on the particular thing you’re interested in, but that’s what open source is.

On encryption in particular, it actually really does work for most people. It’s being used in production at plenty of sites, and there’s plenty of interest from more. And for most of them, it just works.

Yes, there’s a relatively rare interaction with replication that causes a crash. And it sucks, I get it! But it’s extremely difficult to reproduce reliably enough to be able to fix it. I know, because I spent an afternoon some months ago reading code and trying to trip it, and my entire backup regime is all built on encryption and replication, partly because I want to increase the odds of hitting it. So it’s not that no one cares, it’s just not easy, and there’s not enough hours in the day.

As for the broader question of whether or not encryption is being developed at all, it really depends on what you’re looking for, but even just a simple search for PRs about ‘encryption’ turns up a variety of things, from tooling tweaks and quality-of-life improvements to larger improvements like new ciphersuites and hardware acceleration.

So I don’t really see any evidence that encryption is not being worked on or has been abandoned. There’s just a bug that no one has a handle on yet. It’ll be understood and fixed eventually, I have no doubt of that.


T. Caputi’s offer to review ZFS encryption work was renewed today:

“I would be more than happy to talk to anyone / review any work someone makes towards a PR though.”

@robn Do you see any bigger risks to running encrypted ZFS replication on Linux hosts vs BSD hosts? I’ve heard remarks that the issue has been seen less on BSD but that’s a little more out of my comfort zone. Current rigs are Rocky 9 (DKMS) which has been super solid all the way around (but I’m not using ZFS native encryption yet).