I have created a ZFS pool using ZFS native encryption on FreeBSD. It seems to work fine, but I want to be sure that the pool is encrypted. How can I check it?
Is using ZFS native encryption on FreeBSD a good idea, or should I stick with GELI + ZFS?
Create a dummy encrypted pool using a sparse raw file, put a text file in the pool, then export it. After exporting, grep the sparse file for a (fairly complex) text string from the file you saved to the pool. Now, repeat the same steps with a dummy unencrypted pool. You should see a valid return from grep on the unencrypted pool, and none from the encrypted one.
I’d probably go with ZFS native encryption over GELI, especially if you’re building a multi-disk pool.
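The sparse-file test described above, written out as an added example (not code from the original posts). The pool names, /tmp paths, marker and passphrase are constructed for illustration, and `compression=off` is an assumption added here so both images hold the file bytes verbatim. Run it as root with the argument `run`.

```shell
#!/bin/sh
# Added example: compare raw images of an unencrypted and an encrypted throwaway pool.
# Pool names, paths, marker and passphrase below are constructed for this example.
MARKER='zfs-enc-check:7f3a9c1e-Qx4!vT8#mB2-constructed-marker'

# Count lines of a raw image containing the fixed string (-a: treat binary as text).
marker_hits() {  # usage: marker_hits <image> <marker>
    grep -a -c -F -e "$2" "$1" || :   # grep exits 1 on "no match"; that is a valid result
}

# Turn the two counts into a result. The unencrypted pool is the control:
# if the marker is not visible there, the test itself did not work.
verdict() {  # usage: verdict <hits in unencrypted image> <hits in encrypted image>
    if [ "$1" -eq 0 ]; then echo inconclusive
    elif [ "$2" -gt 0 ]; then echo plaintext-found
    else echo encrypted
    fi
}

# Build a pool on a sparse file, write the marker into it, then export it.
make_pool() {  # usage: make_pool <name> <image> <mountpoint> [extra zpool create options]
    name=$1 img=$2 mnt=$3; shift 3
    truncate -s 256M "$img" &&
    zpool create -m "$mnt" -O compression=off "$@" "$name" "$img" &&
    printf '%s\n' "$MARKER" > "$mnt/secret.txt" &&
    zpool export "$name"
}

run_check() {
    dir=$(mktemp -d /tmp/zfsenc.XXXXXX) || return 1
    # Passphrase read from a file so that pool creation does not prompt.
    printf '%s\n' 'constructed-test-passphrase' > "$dir/key"
    make_pool enctest_plain "$dir/plain.img" "$dir/plain" || return 1
    make_pool enctest_crypt "$dir/crypt.img" "$dir/crypt" \
        -O encryption=on -O keyformat=passphrase \
        -O keylocation="file://$dir/key" || return 1
    result=$(verdict "$(marker_hits "$dir/plain.img" "$MARKER")" \
                     "$(marker_hits "$dir/crypt.img" "$MARKER")")
    rm -rf "$dir"
    echo "$result"
}

# Only touch ZFS when explicitly asked to: sh zfs-enc-check.sh run
if [ "${1:-}" = run ]; then run_check; fi
```

A result of `inconclusive` means the marker was not found even in the unencrypted image, so the encrypted result cannot be trusted until the control works.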
The test that @mercenary_sysadmin suggests is good. You can also use the following command to check the properties related to encryption on a dataset.
For example, given a test dataset tank/vault:
# zfs get encryption,keylocation,keyformat,encryptionroot,keystatus -o name,property,value tank/vault
NAME PROPERTY VALUE
tank/vault encryption aes-256-gcm
tank/vault keylocation prompt
tank/vault keyformat passphrase
tank/vault encryptionroot tank/vault
tank/vault keystatus unavailable
We can see here that the above dataset is encrypted with aes-256-gcm; it uses a passphrase to unlock it (keyformat); and that the key is not loaded (keystatus).