There are basically two approaches to ZFS encryption:
- LUKS/GELI hard drives (below ZFS)
- ZFS native encryption
Let's start by tackling LUKS below ZFS. I imagine a system where each hard drive is encrypted separately. Actual ZFS volumes are built on top of virtual devices.
Advantages:
- LUKS is a pretty standard solution. Hopefully there was enough time to handle security issues inherent to any new crypto solution.
- Because disks are encrypted directly, encryption of files stored in the logical volume built on top of them naturally parallelizes at the physical disk layer.
- ZFS no longer has direct access to the hardware. Is it a big deal? If one disk starts failing (for example has bad sectors), what is that going to look like for ZFS?
ZFS native encryption is an all-in-one solution. It has some additional abilities like scrubs without keys loaded, at the expense of disclosing more about the data stored. I don't think these additional abilities have big value for me (I will always be able to load keys/ensure keys are loaded when scrub/other tasks are to be executed).
Advantages:
- ZFS has direct access to hardware.
- Relatively new crypto solution. It can have (unknown) security vulnerabilities. Fixing them might require a change of data format (as has already happened in the past).
- What is the performance? In this model we probably don't have the parallelization opportunity (raw copy to another device is possible, so keys are not tied to hard disks).
What is your take on this? How is the raid0 issue related to LUKS below ZFS? Do you think that native encryption is safe/stable/efficient enough? Anything missing?