You heard right!

Click here to read about the GitHub commit

Tom Caputi has signed off on the patch for encryption in ZFS on Linux! The part that really caught my eye reads:

The last addition is the ability to do raw, encrypted sends and receives. The idea here is to send raw encrypted and compressed data and receive it exactly as is on a backup system. This means that the dataset on the receiving system is protected using the same user key that is in use on the sending side. By doing so, datasets can be efficiently backed up to an untrusted system without fear of data being compromised.

That’s excellent! So, you’ll be able to replicate encrypted data to another site for redundancy/DR purposes while utilizing the original encryption scheme and keys. No need to manage keys on each device!
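As an added example (not from the post or the ZoL project), here is what a raw replication to an untrusted backup host looks like, together with the check a defender would run on the receiving side to confirm the copy arrived as ciphertext only. It assumes the raw send flag (zfs send -w) from the merged feature, root access, and placeholder pools named tank (source) and backup (the untrusted side).

```shell
#!/bin/sh
# Added example, not code from the post or the ZoL project. Assumes ZFS on
# Linux with native encryption; "tank" and "backup" are placeholder pools.
set -eu
tab=$(printf '\t')

# Evaluate "zfs get -H -o property,value ..." output (tab separated) for a
# received dataset. Returns 0 only if the copy is still encrypted, its key is
# not loaded and it is not mounted, i.e. the backup host holds ciphertext only.
check_raw_copy() {
    enc=off; ks=available; mnt=yes
    while IFS=$tab read -r prop val; do
        case "$prop" in
            encryption) enc=$val ;;
            keystatus)  ks=$val ;;
            mounted)    mnt=$val ;;
        esac
    done
    [ "$enc" != off ] && [ "$ks" = unavailable ] && [ "$mnt" = no ]
}

# Raw-replicate src_snap into dst: the stream carries the encrypted blocks and
# the wrapped key, so the receiving side never needs the user's passphrase.
# "-u" keeps the received dataset unmounted.
raw_replicate() {
    src_snap=$1; dst=$2
    zfs send -w "$src_snap" | zfs receive -u "$dst"
}

# End-to-end demo (needs root and the two pools above). The passphrase is
# prompted for on the source side only.
demo() {
    zfs create -o encryption=aes-256-gcm -o keyformat=passphrase tank/secret
    zfs snapshot tank/secret@s1
    raw_replicate tank/secret@s1 backup/secret
    zfs get -H -o property,value encryption,keystatus,mounted backup/secret \
        | check_raw_copy && echo "backup/secret received as ciphertext only"
}
```

Run demo on a test box to see the receiving dataset report keystatus unavailable; check_raw_copy can also be fed the output of zfs get from any existing backup dataset.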

Now to get this (and previous builds for hole_birth fixes) incorporated into Ubuntu repositories…

If you’re not familiar with this topic at all, check out this great video highlighting how it works:

Some people have called attention to the fact that some ZFS metadata is not encrypted. This caused some stirring in the stands on various ZoL boards, etc. The reality is that the data that is not encrypted is pretty trivial and/or impossible to encrypt. These data include:

Dataset/Snapshot names

Dataset properties (à la zfs get output)

Pool layout

ZFS structure

Deduplication tables (though we all know the implications of using this)

Everything in RAM

So really, the unencrypted metadata will not let anyone read your actual data!

Great job to Tom and the rest of the ZoL team – appreciate all your hard work.
