Full Disk Encryption question.. found in nightlies...

Status
Not open for further replies.

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
So I'm pretty sure I'm about to get my head chopped off for asking a question about a feature that is only in the nightlies, and I realize that the answer is subject to change without notice but I just have to ask...

The new full disk encryption feature that looks like it is in the works for 8.3.1, will it be something where you must enable it when you create the zpool or is it something you can implement in currently existing pools?

I tend to think it's something that must be enabled with new zpools, hence the feature is part of creating a zpool, but I just wanted to know if anyone knows. A friend and I were talking about FDE and this question came up...

Thanks!
 

dbanck

Explorer
Joined
Sep 10, 2012
Messages
56
Very good question!
I'm currently assembling my hardware, so it would be good to know if I'd better wait for 8.3.1 before setting up any pools.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
I have a friend that is weeks from having FreeNAS and he would REALLY like to know if he should wait for 8.3.1 for the FDE or if he is okay to migrate now and "upgrade" the zpool to FDE later.
 

paleoN

Wizard
Joined
Apr 22, 2012
Messages
1,403
I shouldn't really respond as I'm not up on the latest changes, and I'm not actually sure of the initial code either. From the earlier commit messages and what I understood of the code back when I looked at it, you can only do this at pool creation.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
> I shouldn't really respond as I'm not up on the latest changes, and I'm not actually sure of the initial code either. From the earlier commit messages and what I understood of the code back when I looked at it, you can only do this at pool creation.

That's disappointing. At least I got an answer either way. I was really worried I'd get no answer at all.

I was pretty much expecting that the encryption would have to be set up at pool creation.
 

bollar

Patron
Joined
Oct 28, 2012
Messages
411
Oracle only supports encryption on creation in ZFSv30, so it makes sense that other versions would operate similarly. I would worry about deploying encryption now. It's not undoable and its portability is limited -- it's almost a one way decision like dedupe...
 

James

Guest
This is the description that will be going into the "what's new" section when the encrypted version becomes available:

[http://www.freebsd.org/cgi/man.cgi?query=geli GELI] full disk encryption now available when creating ZFS volumes. This is full disk encryption and ''' ''not'' ''' per-filesystem encryption. This type of encryption is primarily targeted at users who store sensitive data and want to retain the ability to remove disks from the pool without having to first wipe the disk's contents.

This is not based on version 30, so it is different from Oracle's encryption mechanism. It instead uses FreeBSD's GELI mechanism. GELI was introduced in FreeBSD 6.0.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
Thank you admin for the feedback. Nice to get some info. A friend is considering FDE a requirement before he goes to FreeNAS.

Do you have a timeframe of when the developers are expecting to have 8.3.1 released? Just the month is plenty fine, and obviously can change at any time. I'm sure he'll ask the question and I'm curious myself since he'll want to evaluate his options for the future based on when it's roughly expected. Depending on when you are hoping to have it out may determine how he proceeds with his server upgrades. I thought I had read something about Dec 2012 but I'm not sure where I saw that.
 