[pve-devel] ZFS encryption

Fabian Grünbichler f.gruenbichler at proxmox.com
Wed Apr 4 09:45:48 CEST 2018


On Tue, Apr 03, 2018 at 08:45:59PM +0200, Andreas Steinel wrote:
> Hi everyone,
> 
> are you (Proxmox staff) actively testing encrypted ZFS or are you
> waiting for the upstream "activation"?

if you are talking about upstream's native encryption, then AFAIK none
of us are testing that (yet). it's not part of any ZoL release (only the
development branch), and it has shown in the past few months that not
including it in 0.7 was the right choice for sure (1 issue requiring a
backwards incompatible on-disk format change, several that completely
broke send/recv in certain scenarios).

it will most likely be part of 0.8, and if that gets cut in time for PVE
6 we will surely take a closer look again when we start preparing for
that.

do you have specific use cases in mind?

Grub does not currently support the ZoL encryption, and I am not sure if
and when it will get support. that means it would probably not work out
of the box for the root dataset (unless we switch to a completely
different boot approach, which does not seem very likely at the moment).
it is per dataset though, so encrypting the guest datasets should be
possible without much hassle.

(I do use ZoL on top of LUKS as / on a few systems without any problems,
but it requires manually bootstrapping the system and a bit of fiddling
to get all the parts to play nice with each other ;))



