VM disk images on top of ZFS - at what layer should I encrypt?

I am running virtual machines on top of a ZFS-backed Linux. My initial plan for the VM images had been to use EXT4 in QCOW2 files on ZFS - one dataset per disk image.
Now I realized that some of the disk images will have to be encrypted at rest. Should I keep the setup I had in mind – EXT4 in QCOW2 in ZFS dataset, with LUKS inside of the VM added to the mix – or is this a bad idea and I should place the encryption in the hands of ZFS? Should I then use zvols instead of datasets/QCOW2?
I would prefer the virtual machine to unlock the encrypted data. But it would not be a deal-breaker if the host is where key material needs to be entered in order to access the data.
I realize that placing the encryption in the hands of the VM would neuter ZFS compression, but that I can live with.
At the moment, I don’t think I will snapshot or replicate the disks that will need to be encrypted. But it might be interesting anyway, what considerations would have to be made with respect to that.

I’ll defer to anyone who actually knows the answer.

Were I faced with that situation, I’d try different alternatives to see which works best, both in terms of convenience and performance. If possible, test with the intended workload or the closest simulation you can produce. AFAIK, there is not a difference in security between the variants, but I’m open to suggestions otherwise.

I don’t necessarily purport to know the exact answer, but I think logic in my head is leading towards encrypting the virtual machine itself, viewing the zfs dataset more as a platform for the VM.

My rationale would be that if you export the VM qcow2 to another platform it would still be encrypted, while if someone got onto the machine with the zfs dataset it lived on already unlocked and exported then it would be open season.

Happy to get opinions and not pretending it’s the only way to do things.


If you can live with the lack of ZFS compression, go LUKS. If you can’t live with it, encrypt the dataset at the ZFS level.

Either way is fine, really; but LUKS has more person years of battle testing and you already have a desire to manage encryption inside the VM, so that seems like the obvious right answer for you, whether or not it’s the right answer for everyone.

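The two layouts the thread weighs, written out as an added shell sketch (not from any poster in the thread): layout A puts encryption at the ZFS layer on the host (encrypted zvol, or an encrypted dataset holding the QCOW2) so compression still works but the host holds the key; layout B leaves the host-side volume plain and runs LUKS inside the guest. It assumes OpenZFS with native encryption and `cryptsetup` in the guest; pool, dataset and device names (`tank/vm/db1`, `/dev/vdb`) are placeholders. By default the commands are only printed; set `DRY_RUN=0` to execute them. The last function is the check a practitioner would run afterwards: the `compressratio` property of the host dataset stays at about 1.00x when the guest encrypts, which is the compression loss mentioned above, made visible.

```shell
#!/bin/sh
# Added example, not part of the thread. Pool/dataset/device names are
# placeholders. Commands are printed, and executed only when DRY_RUN=0.

DRY_RUN="${DRY_RUN:-1}"

run() {
  # Echo the command; execute it only when explicitly asked to.
  printf '%s\n' "$*"
  if [ "$DRY_RUN" = "0" ]; then "$@"; fi
}

# A) Host-side encryption: an encrypted zvol the guest sees as a plain disk.
#    keylocation=prompt means the host asks for the passphrase at
#    `zfs load-key` time; ZFS compression still applies to the guest data.
create_encrypted_zvol() {
  # $1 = dataset path, $2 = volume size
  run zfs create -V "$2" \
    -o encryption=aes-256-gcm -o keyformat=passphrase -o keylocation=prompt \
    -o compression=lz4 "$1"
}

# A') Host-side encryption with a dataset holding a QCOW2 file instead.
create_encrypted_dataset() {
  # $1 = dataset path
  run zfs create \
    -o encryption=aes-256-gcm -o keyformat=passphrase -o keylocation=prompt \
    -o compression=lz4 "$1"
}

# After a host reboot the key has to be loaded before the VM can start:
#   zfs load-key tank/vm/db1 && zfs mount tank/vm/db1   (dataset + QCOW2)
#   zfs load-key tank/vm/db1                             (zvol, nothing to mount)

# B) In-guest encryption: host-side zvol/dataset stays plain; the guest
#    formats the disk it was given with LUKS and unlocks it itself.
guest_luks_setup() {
  # $1 = block device as seen by the guest, $2 = device-mapper name
  run cryptsetup luksFormat "$1"
  run cryptsetup open "$1" "$2"
  run mkfs.ext4 "/dev/mapper/$2"
}

# Check what a running system actually ended up with. Input is the value
# column of `zfs get -H -o value compressratio <dataset>`, e.g. "1.87x".
# LUKS inside the guest writes high-entropy blocks, so the host-side ratio
# stays near 1.00x; returns 0 when compression is doing useful work.
compression_effective() {
  ratio="${1%x}"
  awk -v r="$ratio" 'BEGIN { exit !(r > 1.05) }'
}

# Usage: print both command sequences (DRY_RUN defaults to 1).
create_encrypted_zvol tank/vm/db1 20G
guest_luks_setup /dev/vdb data
```

Layout A makes the host administrator (and anything that reads the mounted dataset) the trust boundary, which is the point raised earlier about an unlocked dataset being "open season"; layout B keeps the unlock inside the guest, at the cost of the host seeing incompressible data. Snapshots and replication behave differently too: an encrypted ZFS dataset can be sent raw (`zfs send -w`) without the receiving side holding the key, while a LUKS volume is just opaque bytes to ZFS either way.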