# ZoL - Native ZFS encryption is not so comprehensive as GELI



## T-Daemon (Sep 13, 2020)

From freebsd-hackers@:



ZFS encryption and loader


```
Eugene Grosbein eugen at grosbein.net
Sun Sep 13 01:38:21 UTC 2020

....
Recently I've learned from one of ZoL maintainers that native
ZFS encryption is not so comprehensive as GELI.

I've been told that native ZFS encryption was initially designed for one specific task:
being able to receive encrypted customer data (backups), verify its integrity without decryption,
store and then receive incremental backups later. Therefore, not all data is hidden with encryption,
for example, dataset names and some other metadata are not.
```

Background on Eugene Grosbein:

- New committer: Eugene Grosbein (src) (forums.freebsd.org)
- Contributors to FreeBSD: a list of organizations and individuals who have contributed to FreeBSD (www.freebsd.org)


----------



## Deleted member 63822 (Sep 13, 2020)

NetBSD ZFS encryption using cgd: https://rubenerd.com/encrypted-zfs-on-netbsd-9-for-a-freebsd-guy/

It's stupid to abandon GELI and go for native ZFS encryption. Haha.


----------



## forquare (Sep 13, 2020)

Is this not a question of requirements? A bank vault is more comprehensive than your wallet, but I bet you keep (or have kept) amounts of money in your wallet - I remember walking a few thousand pounds in my wallet between two banks a number of years ago because transferring it electronically would have taken several days.

If you don't require dataset names or some other metadata to be encrypted, having encrypted ZFS happens to give a convenient way to

> receive encrypted customer data (backups), verify its integrity without decryption, store and then receive incremental backups later.

Which I don't believe GELI does allow you to do?


----------



## usdmatt (Sep 13, 2020)

ZFS encryption works very well and serves exactly the purpose it was supposed to. Note that it was developed by a commercial business who wanted to be able to encrypt customers' on-premises data, but also use block level send to backup that data in the cloud.

ZFS metadata is not encrypted, which includes things like record checksums, compression type, etc. (and obviously the basic pool layout). However, all file metadata is basically just data as far as ZFS is concerned, so directory paths, filenames, permissions, etc. are encrypted.

This provides many benefits for people using ZFS for user data, storage can be encrypted but still allow administrators to back it up, replace failed drives, do scrubs, etc.

I have no problem with GELI, of course; it's a brilliant generic block-device encryption tool. So if your browser history or a few personal files are of such national importance that you worry about state-sponsored hackers managing to glean a bit of information from ZFS metadata, use GELI, or take the tin foil hat off.
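
To see the split usdmatt describes for yourself, here is an added example (not from this thread or from the OpenZFS project) that builds a throwaway file-backed pool, encrypts a dataset, unloads its key, and then shows which operations still succeed. It assumes root, OpenZFS 2.0 or later (for `zpool scrub -w`), and an arbitrary pool name, image path and passphrase.

```shell
#!/bin/sh
# Added example, not from the thread: shows what stays visible on a
# native-encrypted dataset once its key is unloaded, and what does not.
# Needs root and OpenZFS 2.0+ (for zpool scrub -w). Pool name, image
# path and passphrase are arbitrary demo values.
set -eu

POOL=zfsdemo
IMG=/tmp/${POOL}.img
DS=${POOL}/secret

cleanup() {
    zpool destroy -f "$POOL" 2>/dev/null || true
    rm -f "$IMG"
}

demo() {
    # Skip cleanly where the prerequisites are missing.
    command -v zpool >/dev/null 2>&1 || { echo "zpool not found, skipping"; return 0; }
    [ "$(id -u)" -eq 0 ] || { echo "not root, skipping"; return 0; }
    cleanup                     # remove leftovers from an earlier run
    trap cleanup EXIT

    truncate -s 256M "$IMG"     # a plain file is a valid vdev for a demo pool
    zpool create -O compression=lz4 "$POOL" "$IMG"
    # Passphrase is read from stdin because stdin is not a terminal.
    echo "demo-passphrase-change-me" | zfs create -o encryption=aes-256-gcm \
        -o keyformat=passphrase -o keylocation=prompt "$DS"
    echo "payroll data" > "/$DS/salaries.txt"

    zfs unmount "$DS"           # a key can only be unloaded once unmounted
    zfs unload-key "$DS"

    echo "--- visible without the key: name, size, compression, key state ---"
    zfs list -o name,used,compression,encryption,keystatus "$DS"
    echo "--- integrity check (scrub) runs without the key ---"
    zpool scrub -w "$POOL"
    zpool status "$POOL" | grep scan:
    echo "--- raw (still encrypted) send works without the key ---"
    zfs snapshot "$DS@backup"
    zfs send -w "$DS@backup" | wc -c
    echo "--- file names and contents do not: mount is refused ---"
    if zfs mount "$DS" 2>/dev/null; then
        echo "unexpected: mounted without key"; return 1
    fi
    echo "mount refused as expected"
}

demo
```

The pool and its backing image are destroyed on exit, so run it on a test machine rather than one with a pool of the same name.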


----------

