Datasets encryption

Status
Not open for further replies.

giom

Cadet
Joined
Aug 7, 2013
Messages
1
Hi,

I'm setting up an HP ProLiant MicroServer N54L with FreeNAS with 4 hard disks in RAIDZ1 (I know it's not ideal but I can't afford a 5th hard disk right now)... Since there's no native AES-NI support, the full disk encryption would be too slow so I have not set up full disk encryption.

However, I do have some sensitive data and wanted to encrypt some datasets. I understand that right now it's not possible because Oracle hasn't open-sourced ZFS v30, which offers encryption. So I'm looking for alternatives...

If it were Linux, I'd just create a loopback device and encrypt that device; it would cause some loss of performance (by having a separate filesystem inside a file) and reliability but would work. What would you recommend in FreeBSD?

Is there a way for me to estimate the speed I'd get if I did use full disk encryption instead? And how much slower it would be compared to without?

I did some tests following a post from cyberjock: http://forums.freenas.org/threads/encryption-performance-benchmarks.12157/

$ dd if=/dev/gzero.eli of=/dev/null bs=1m count=4096
4096+0 records in
4096+0 records out
4294967296 bytes transferred in 79.109020 secs (54291752 bytes/sec)

Thanks
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
Encryption of datasets is not supported with FreeNAS. FreeNAS uses whole disk encryption, which is a higher layer than the dataset.

The best alternative I can think of is to use something like TrueCrypt and create a container file on your network share. Then your data will be encrypted on the server and you have the advantage of the encryption/decryption being handled on your desktop.
 

Stephen Neal

Cadet
Joined
Feb 25, 2014
Messages
3
Hi,

I have an HP ProLiant G7 N54L 2.2GHz MicroServer and require some help with disk configuration.

FreeNAS-9.2.1.1-RELEASE-x86 (0da7233) installed with four 250GB hard drives, all being read in the BIOS and available when installing the FreeNAS OS.

When logging onto the config page, only three HDs are available and the USB stick.

Attached is a screenshot of the drives available to me.

Can anybody help?

Sorry, I've added you guys because I can't find out how to post!

Cheers

Steve
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
Sure, I'll help you. I take paypal. ;)
 

Stephen Neal

Cadet
Joined
Feb 25, 2014
Messages
3
It's OK, I figured it out! The 250GB disk that came with the HP ProLiant server isn't compatible with FreeNAS; the other drives I have are.

Hahaha PayPal very good!
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526

phier

Patron
Joined
Dec 4, 2012
Messages
400
Hi,
Is there any update? Still no possibility for encryption within a dataset?
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
> Hi,
> Is there any update? Still no possibility for encryption within a dataset?

Not unless that feature is added to OpenZFS. AFAIK there isn't the intention of adding this. But this is a question best asked (and answered by) people in the OpenZFS project since they would have to add support.
 

phier

Patron
Joined
Dec 4, 2012
Messages
400
> Not unless that feature is added to OpenZFS. AFAIK there isn't the intention of adding this. But this is a question best asked (and answered by) people in the OpenZFS project since they would have to add support.

In that case, is it possible to install something like EncFS inside FreeNAS?
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
Not really.
 

phier

Patron
Joined
Dec 4, 2012
Messages
400
OK, so what about installing a jail and, inside the jail, fusefs-encfs... so then it's the same thing as on Linux with EncFS?
 

phier

Patron
Joined
Dec 4, 2012
Messages
400
Well, I tried PEFS also, but it looks like none of these solutions work... both require loading modules into the kernel... which is forbidden inside a jail...

Last idea... to install Linux in VirtualBox... to export the dataset via NFS into Linux and do this EncFS inside the Linux box...?
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
No idea. I don't deal with Linux.
 

styno

Patron
Joined
Apr 11, 2016
Messages
466
It is not clear what exactly you want to achieve and how many concurrent connections you'll have, but if you are going to mount and crypt it on another server, then why don't you do all of that directly on the client?
 

EsTaF

Contributor
Joined
Sep 20, 2013
Messages
163
TrueCrypt/VeraCrypt is a container. This is not an encryption method over the FS.
You can't share that one among several Samba user computers, and EncFS/PEFS can.
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
> TrueCrypt/VeraCrypt is a container. This is not an encryption method over the FS.
> You can't share that one among several Samba user computers, and EncFS/PEFS can.

That's a moot point with native ZFS encryption coming soon.
 