- Joined: Feb 2, 2018
- Messages: 1,401
After offering support in the forum for a little while, I am baffled at how many people have pool encryption turned ON in their pool. Considering how often pool encryption turns into self-inflicted ransomware, I wish to offer some input about that functionality and remind people how high-risk and low-benefit that feature can be.
For pool encryption, like for every encryption, the security is entirely provided by the key. This is the golden rule of cryptography: no crypto solution can provide security better than the security applied to its key. It is true for FreeNAS and ZFS.
So when doing pool encryption, how secure is the key? In fact, not much... The key is clear text in the filesystem and protected only by access control to that file.
That creates the first limitation: as long as the drives are part of the system, their content is not protected by anything other than access control at the filesystem level. Considering that their filesystem is already protected by such access control, the net value is a plain big ZERO.
If the access is remote, it will be served by the system. If access is granted to the data, they will be decrypted without any question. If access is denied, encryption is not helping because the data are not accessed anyway.
If the access is local to the system, the key will be as easily accessible as the rest of the data. Because the key has no extra security, it will not provide any extra security to the data.
The only way to find a benefit is to separate the key that is in the system from the drive it encrypts. But even here, it is not such a great plus.
Considering how ZFS spreads the data over its drives, no single drive contains an intelligible part of the data. Except for a pool with a single mirror or a single drive, one cannot recover anything intelligible from a single ZFS drive. There is a reason why there are no file recovery tools for ZFS: it is way too cryptographic by itself to extract anything meaningful if the pool is not working. Add to that that a drive is usually removed from a system when it starts failing, and the probability of recovering anything from that drive is already close to 0. As for the swap space, that one is already encrypted anyway.
So the situation is:
- No protection at all for any remote access to the system.
- No protection at all for any physical access to the system.
- No protection at all for the swap space because that one is already encrypted.
- Low protection for the content of a drive once that drive is removed from the system.
On the other side, pool encryption is very high risk for the legitimate owner:
- Must do extra backups (and by the way, these backed-up keys also reduce the encryption's security by increasing the chance for an intruder to get a copy of the key).
- Must do extra procedures during regular operations like disk replacement, pool migration, OS re-install and more.
In the end, if everything is done perfectly about it, pool encryption will provide almost no benefit. If done wrong, it will quickly ruin the entire pool.
If data need encryption at rest, it is a million times better to do it at the application level instead of the filesystem level. Many applications offer a much better key management solution. Such an encryption will not have any effect on ZFS and the pool itself, so no increased risk when managing FreeNAS. Considering that usually it is not 100% of the data that requires encryption, the risk of an encryption problem will be limited to what was encrypted instead of the entire pool.
I would say that pool encryption is like deduplication:
- You almost certainly don't need it, even if you think you do.
- Almost certainly, it will not do you any good, even if you imagine it will.
- Almost certainly, it will easily and quickly betray you down the road, ruining what could have been a very good solution in every other aspect.