
Encrypted ZFS Filesystems On Linux

This is a quick post about getting a kernel-space encrypted filesystem on top of ZFS under GNU/Linux while keeping everything ZFS offers. Putting ZFS on top of dm-crypt/LUKS volumes works, but it encrypts whole block devices rather than individual datasets; eCryptfs, a stacked filesystem that ships with the mainline kernel, lets you encrypt just the dataset you care about. The reason a third-party layer is needed at all is that Oracle stopped releasing ZFS source after pool version 28, and native ZFS encryption only arrived in Oracle's closed-source pool versions (version 30 added it). (OpenZFS has since grown native encryption of its own, in release 0.8, but that postdates this post.)

First, create your ZPOOL (sdX names are used here for brevity; on a real system prefer the stable /dev/disk/by-id/ names so the pool survives device reordering):

# zpool create rpool raidz1 sdb sdc sdd sde sdf

Then create your ZFS filesystem:

# zfs create rpool/private

Lastly, install ecryptfs-utils (the eCryptfs kernel module is part of mainline Linux; the package supplies the mount helper and key tools), then create the encrypted layer by mounting it over the dataset and answering the prompts. Note that the key-bytes default of 16 means AES-128; 32 key bytes gives AES-256:

# mount -t ecryptfs /rpool/private /rpool/private
Select key type to use for newly created files: 
 1) tspi
 2) passphrase
Selection: 2
Passphrase: 
Select cipher: 
 1) aes: blocksize = 16; min keysize = 16; max keysize = 32
 2) blowfish: blocksize = 8; min keysize = 16; max keysize = 56
 3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24
 4) twofish: blocksize = 16; min keysize = 16; max keysize = 32
 5) cast6: blocksize = 16; min keysize = 16; max keysize = 32
 6) cast5: blocksize = 8; min keysize = 5; max keysize = 16
Selection [aes]: 
Select key bytes: 
 1) 16
 2) 32
 3) 24
Selection [16]: 
Enable plaintext passthrough (y/n) [n]: 
Enable filename encryption (y/n) [n]: y
Filename Encryption Key (FNEK) Signature [53aad9b192678a8a]: 
Attempting to mount with the following options:
  ecryptfs_unlink_sigs
  ecryptfs_fnek_sig=53aad9b192678a8a
  ecryptfs_key_bytes=16
  ecryptfs_cipher=aes
  ecryptfs_sig=53aad9b192678a8a
Mounted eCryptfs

Notice that I enabled filename encryption: without it, anyone who gets hold of the drives can still read the file names even though the contents are ciphertext. eCryptfs sits "on top" of the ZFS dataset, so ZFS keeps doing copy-on-write, checksumming and snapshots, but only ever sees ciphertext. What this protects is the confidentiality of file contents and names at rest; directory layout, file sizes, ownership and timestamps stay visible to anyone holding the disks, and while the keys are in the keyring any process that can read /rpool/private sees plaintext. Confirm the stacking order with mount:

# mount | grep rpool
rpool on /rpool type zfs (rw,relatime,xattr)
rpool/private on /rpool/private type zfs (rw,relatime,xattr)
/rpool/private on /rpool/private type ecryptfs (rw,relatime,ecryptfs_fnek_sig...(snip))

Works like a charm.
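The same setup done non-interactively, as an added example rather than the post's own commands: it loads the passphrase into the keyring with ecryptfs-add-passphrase, parses the two key signatures it prints, mounts with `mount -i` so the interactive helper is skipped, and then checks a /proc/mounts-style table for the expected zfs-then-ecryptfs stack with a FNEK present. Pool name, dataset, mountpoint, the `$DISKS` and `$ECRYPTFS_PASS` variables and the sample mount table are assumptions; only the `--apply` path touches the system and it needs root, ZFS and ecryptfs-utils.

```shell
#!/bin/sh
# Added example, not the original post's commands: stack eCryptfs on a ZFS dataset
# without the interactive mount.ecryptfs prompts. Assumptions (hypothetical names):
# pool "rpool" on the disks listed in $DISKS, dataset rpool/private mounted at
# /rpool/private, passphrase supplied in $ECRYPTFS_PASS. Applying needs root,
# ZFS and ecryptfs-utils; the helper functions run anywhere.
set -eu

POOL=rpool
DATASET=rpool/private
MNT=/rpool/private

# Create the pool from stable /dev/disk/by-id paths, then the dataset to encrypt.
setup_zfs() {
    zpool create "$POOL" raidz1 ${DISKS:?set DISKS to /dev/disk/by-id/... paths}
    zfs create "$DATASET"
}

# Pull the two signatures out of what "ecryptfs-add-passphrase --fnek" prints:
#   Inserted auth tok with sig [<hex>] into the user session keyring   (twice)
# First line is the content key, second the filename-encryption key (FNEK).
# Reads that output on stdin, prints "<sig> <fnek_sig>".
parse_sigs() {
    awk 'match($0, /sig \[[0-9a-f]+\]/) {
             printf "%s%s", (n++ ? " " : ""), substr($0, RSTART + 5, RLENGTH - 6)
         }
         END { print "" }'
}

# Mount options: AES-256 (key_bytes=32 rather than the prompt default of 16),
# filename encryption via the FNEK, and unlink_sigs so unmount drops the keys.
ecryptfs_opts() {
    printf 'ecryptfs_sig=%s,ecryptfs_fnek_sig=%s,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_unlink_sigs' "$1" "$2"
}

# Check a /proc/mounts-style table (stdin) for the expected stack at $1:
# a zfs mount, then an ecryptfs mount listed after it at the same path, with a
# FNEK (filename encryption on). Exit status 0 = stack looks right.
verify_stack() {
    awk -v mnt="$1" '
        $2 == mnt && $3 == "zfs" { have_zfs = 1 }
        $2 == mnt && $3 == "ecryptfs" && have_zfs {
            have_ecr = 1
            if ($4 ~ /ecryptfs_fnek_sig=/) have_fnek = 1
        }
        END { if (have_zfs && have_ecr && have_fnek) exit 0; exit 1 }'
}

# Constructed sample table (the shape of /proc/mounts, not captured from a real box).
SAMPLE_MOUNTS='rpool /rpool zfs rw,relatime,xattr 0 0
rpool/private /rpool/private zfs rw,relatime,xattr 0 0
/rpool/private /rpool/private ecryptfs rw,relatime,ecryptfs_fnek_sig=53aad9b192678a8a,ecryptfs_sig=53aad9b192678a8a,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_unlink_sigs 0 0'

apply() {
    [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; return 1; }
    setup_zfs
    # Load both keys into the session keyring; the passphrase goes over stdin, never argv.
    sigs=$(printf '%s' "${ECRYPTFS_PASS:?set ECRYPTFS_PASS}" | ecryptfs-add-passphrase --fnek -)
    set -- $(printf '%s\n' "$sigs" | parse_sigs)
    [ $# -eq 2 ] || { echo "could not parse key signatures" >&2; return 1; }
    # mount -i skips the interactive helper; the kernel finds the keys by signature.
    mount -i -t ecryptfs -o "$(ecryptfs_opts "$1" "$2")" "$MNT" "$MNT"
    verify_stack "$MNT" < /proc/mounts && echo "eCryptfs stacked on $MNT"
}

case "${1:-}" in
    --apply) apply ;;
    *) printf '%s\n' "$SAMPLE_MOUNTS" | verify_stack "$MNT" && echo "sample stack ok (use --apply to do it for real)" ;;
esac
```

Run it with no arguments to exercise the parser and the stack check against the constructed table; `--apply` as root does the real pool, dataset and mount. The `verify_stack` check is worth keeping around as a post-boot sanity test: if the eCryptfs line is missing, writes to /rpool/private land on the dataset in clear.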
