panz
Guru
- Joined
- May 24, 2013
- Messages
- 556
So, current encryption in FreeNAS is not implemented the right way. Would you mind elaborating the concept? I'm very interested.
-
Important Announcement for the TrueNAS Community.
The TrueNAS Community has now been moved. This forum will now become READ-ONLY for historical purposes. Please feel free to join us on the new TrueNAS Community Forums
Do I really need encryption?
- Thread starter panz
- Start date
- Status
So, current encryption in FreeNAS is not implemented the right way. Would you mind elaborating the concept? I'm very interested.
DaPlumber
Patron
- Joined
- May 21, 2014
- Messages
- 246
5th paragraph for better current work- arounds.
;):p"Plug in" code modules like compression would be ideal. As an interesting experiment I wonder if anyone's tried creating a pseudo compression module for ZFS that actually does encryption?
DaPlumber
Patron
- Joined
- May 21, 2014
- Messages
- 246
Because both are virtualizing (lying about) disk device access. ZFS is a "clean sheet" architecture that assumes dumb JBODs. Do you really want an error in encryption or decryption being interpreted as a disk error? Think about potential deadlocks and timeouts in parallel processing of the two code paths, and so on.
BTW this is a FreeBSD (and others) issue with how ZFS is implemented in the OS, not a FreeNAS issue per se.
I have played with client side encryption on a non encrypted zpool.
For example, non-encrypted zpool exporting an iscsi lun. Windows mounts that iscsi lun. Truecrypt on windows encrypts it and formats with ntfs, assigning a drive letter on the windows box.
Compression on freenas will be useless as the freenas contents are all 100% random data. But you get a zfs backed (bit rot protected) encrypted ntfs drive 'local' (as in shows up in disk manager, not an SMB share) to your windows machine. Feel free to snapshot / replicate it as well. (note you're not properly quesing the filesystem before snapshots, so each snapshot will be of a 'dirty' ntfs drive.) Also note that simply 'adding' data to the ntfs drive will result in 'changed' data on the zpool. So snapshots will have higher overhead as they have to track the old 'freespace encrypted to random data' changing to 'non freespace encrypted to different random data'. So snapshots could also be a security concern since someone could easily tell which portions of the random data are changing, and when. Might make plausible deny ability harder.
This also offloads the encryption to the windows box too. So you don't need to worry about the freenas cpu supporting aes-ni. And even without aes-ni on the desktop, truecrypts software encryption being multithreaded, most cpu's should manage gigabit with too much issue.
For example, non-encrypted zpool exporting an iscsi lun. Windows mounts that iscsi lun. Truecrypt on windows encrypts it and formats with ntfs, assigning a drive letter on the windows box.
Compression on freenas will be useless as the freenas contents are all 100% random data. But you get a zfs backed (bit rot protected) encrypted ntfs drive 'local' (as in shows up in disk manager, not an SMB share) to your windows machine. Feel free to snapshot / replicate it as well. (note you're not properly quesing the filesystem before snapshots, so each snapshot will be of a 'dirty' ntfs drive.) Also note that simply 'adding' data to the ntfs drive will result in 'changed' data on the zpool. So snapshots will have higher overhead as they have to track the old 'freespace encrypted to random data' changing to 'non freespace encrypted to different random data'. So snapshots could also be a security concern since someone could easily tell which portions of the random data are changing, and when. Might make plausible deny ability harder.
This also offloads the encryption to the windows box too. So you don't need to worry about the freenas cpu supporting aes-ni. And even without aes-ni on the desktop, truecrypts software encryption being multithreaded, most cpu's should manage gigabit with too much issue.
DaPlumber
Patron
- Joined
- May 21, 2014
- Messages
- 246
If done on the client end to an (e.g.) iSCSI exported lvol, yes that's what I was talking about, but not on the FreeNAS server end. Better (IMO) from a security and architectural perspective, but not neccessarily from that of performance or ease-of-administration.
- Status
Similar threads
