ZFS Encryption - LUKS and EXT4 within ZVOL

G’day,

I am interested in encrypting my data but have heard that ZFS native encryption might have some stability issues. Additionally I would like to archive my data via ZFS snapshots to an untrusted third party. I was reading A quick-start guide to OpenZFS native encryption | Ars Technica and I was just wondering, apart from not being able to use compression, would creating a ZVOL containing a LUKS-encrypted EXT4 filesystem solve this issue?

Are there big performance hits? Does anyone do this? Would sending a zfs snapshot of the ZVOL whilst the partition is being used be encrypted such that the third party couldn’t read the data?

Thanks so much for all of the help that you all have given me so far, it has been outstanding as I begin to grapple with ZFS.

Cheers,

My understanding is that these issues are not a blocker in most use cases.

Tarsnap and rsync.net are two different ways among many others to achieve this.

No, because you can’t snapshot it cleanly, because…

… the filesystem would be in an inconsistent state at the moment of the snapshot because ZFS would be entirely unaware of both the LUKS and the ext4 filesystem, as you’d be reducing it to a block storage device and that’s it.

G’day,

Fantastic I might need to give native encryption another look.

Could you rely on the journaling in EXT4, or maybe run a pre-snapshot fsfreeze command, to fix the inconsistency problem?

I’ll have to give those services a look, they seem interesting.

Cheers

Honestly, I’ve been using zfs native encryption since it was available, and nary a problem. This is on multiple systems, including root-on-zfs laptops. I do zfs send/recv in multiple directions for redundant backups, both encrypted and non-encrypted. No issues at all.

Unless it’s for a VM disk image or similar, putting an ext4 filesystem inside a zvol doesn’t really buy you anything. It definitely makes snapshots non-deterministic, since you can’t control the state of the ext4 filesystem inside. The zfs snapshot will be fine, but who knows about the ext4 filesystem inside.

You can LUKS-encrypt a whole disk and do zfs on top of that - that’s a good solution for laptops as the entire disk is encrypted except for the boot partition. Or you can boot from a usb stick and have nothing on disk unencrypted. The problem becomes how to encrypt backups - you can do zfs native encryption on top of LUKS there, but that’s kind of … why?

I used to do LUKS with zfs on top, and it worked well. But now with zfs native encryption, things are much simpler. I have backups in almost all variations …

  • Unencrypted → unencrypted (trusted) backup box (straight zfs send/recv)
  • Encrypted → unencrypted (trusted) backup box (straight zfs send/recv)
  • Unencrypted → encrypted (trusted) backup box (I maintain keys on backup box)
  • Encrypted → encrypted (untrusted) backup box (zfs send -w to send raw encrypted stream)

Look into zfsbootmenu - that goes on your boot partition and is the only thing non-encrypted. Everything else is zfs with appropriately encrypted datasets. In general you don’t want to encrypt the entire zfs pool, you only encrypt specific datasets - much more flexibility.

Have a look at my root-on-zfs setup - an opinionated way to set up root-on-zfs with optional native or LUKS encryption, and uses zfsbootmenu.

Pretty much all my systems everywhere are set up via this, including laptops.


Yes, you can rely on ext4 journaling. Note that you do also need to keep an eye out for any database engines; those will need to offer journaling (like postgres, mssql, and MySQL innodb, but NOT like MySQL myisam!) as well.

Finally, any applications that use those DB engines need to be properly transactional, or you can end up with one of several linked queries running without the rest–leaving the database consistent, but the data in the database inconsistent from the application perspective (think of invoice line items being created without an invoice to associate them with, for example).

It’s getting fairly rare for applications these days not to be built crash consistent, so you shouldn’t be panicky about this. But it’s not UNHEARD of anymore either, so you do need to at least be aware and paying attention.

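The freeze-then-snapshot variant asked about above, plus the raw send from the four-way backup list, as an added example written for this thread (not any poster's script). The zvol `tank/vol`, mountpoint `/mnt/vol`, dataset `tank/data` and host `backup.example.net` are assumed names, and `DRY_RUN=1` prints the commands instead of running them.

```shell
#!/bin/sh
# Constructed example: crash-consistent snapshot of an ext4 filesystem that
# lives on a zvol (directly or inside a LUKS container), then a raw send of a
# natively encrypted dataset to a box that never gets the key.

# Run a command, or just print it when DRY_RUN=1 (lets the logic be checked
# on a machine without zfs/fsfreeze).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# freeze_snapshot ZVOL MOUNTPOINT SNAPNAME
# fsfreeze blocks new writes and flushes the ext4 journal down to the zvol,
# so the zfs snapshot sees a filesystem that is consistent without replaying
# the journal. The trap guarantees the thaw even if 'zfs snapshot' fails;
# a filesystem left frozen hangs every writer on the box.
freeze_snapshot() {
    zvol=$1; mnt=$2; snap=$3
    run fsfreeze --freeze "$mnt" || return 1
    trap 'run fsfreeze --unfreeze "$mnt"' EXIT INT TERM
    run zfs snapshot "${zvol}@${snap}"
    rc=$?
    run fsfreeze --unfreeze "$mnt"
    trap - EXIT INT TERM
    return $rc
}

# raw_send SNAPSHOT HOST DEST_DATASET
# 'zfs send -w' ships the on-disk ciphertext of a natively encrypted dataset;
# the receiver stores it as-is and cannot mount it without the key (the
# "encrypted -> untrusted backup box" case). -u keeps it unmounted on receive.
raw_send() {
    snap=$1; host=$2; dest=$3
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'zfs send -w %s | ssh %s zfs receive -u %s\n' "$snap" "$host" "$dest"
    else
        zfs send -w "$snap" | ssh "$host" zfs receive -u "$dest"
    fi
}
```

A LUKS volume inside the zvol is already ciphertext at the ZFS layer, so a plain `zfs send` of that zvol's snapshot carries nothing readable; `-w` is what makes the same true for a natively encrypted dataset.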

Fantastic, great to hear.

You wouldn’t happen to know if the nextcloud docker image (not all in one) is one of those applications that is properly transactional?

Thanks very much for the help

Awesome, great to hear that native ZFS encryption is pretty reliable.

As far as using EXT4 within a ZVOL I was hoping that it would allow me to replicate the snapshot to, for instance rsync.net, in such a way that they were unable to read the data because the ZVOL is encrypted with LUKS. Basically hoping to get the benefits of raw send without using native encryption.

Thanks again for the help