[pve-devel] ZFS encryption

Andreas Steinel a.steinel at gmail.com
Wed Apr 4 16:22:43 CEST 2018


On Wed, Apr 4, 2018 at 4:02 PM, Fabian Grünbichler
<f.gruenbichler at proxmox.com> wrote:
>> > do you have specific use cases in mind?
>> You mean besides fulfilling GDPR?
>
> I meant more from a technical point of view ;) the reasons for wanting
> to encrypt stuff are rather obvious, although there are a lot.

Best would be if you could do some kind of separation that is possible
with hardened version of Linux in which you cannot access all files as root.
This can then be used for GDPR-compliance on multi-hosted ZFS-based
PVE installations.

Such a mechanism exists for Oracle EE Databases with the Encryption feature
that allows the DBA to manage the DB, but he cannot see or touch any data
inside of the database.

>> > Grub does not currently support the ZoL encryption, and I am not sure if
>> > and when it will get support. that means it would probably not work out
>> > of the box for the root dataset (unless we switch to a completely
>> > different boot approach, which does not seem very likely at the moment).
>> > it is per dataset though, so encrypting the guest datasets should be
>> > possible without much hassle.
>>
>> Yes, that'll going to be hard. LUKS is better at this with preboot
>> authentication and stuff like that.
>
> Grub can even decrypt LUKS on its own, so you can have just the
> stage1(.5) unencrypted :)

That's great, but I seldomly use this in a server setup, where we need external
authentication/password input.

> I am sure the integration of the key loading will be improved further
> the closer the 0.8 release gets - right now the native encryption is
> still very much in a "see which stuff fails" kind of state, although
> there are already quite a few people over in #zfsonlinux that use it
> quite heavily.

and that is great. We need those people.

-- 
With kind regards / Mit freundlichen Grüßen

Andreas Steinel
M.Sc. Visual Computing
M.Sc. Informatik



More information about the pve-devel mailing list