# native encryption of zfs



## quanquan (Apr 4, 2019)

I ran make in "/usr/ports/sysutils/zol-kmod", then got this error:
"needs FreeBSD 12/13 with AES-CCM support."


----------



## SirDice (Apr 4, 2019)

You need a recent 12-STABLE or 13-CURRENT. It will not work on 12.0-RELEASE as it is missing required kernel features.


----------



## quanquan (Apr 4, 2019)

SirDice said:


> You need a recent 12-STABLE or 13-CURRENT. It will not work on 12.0-RELEASE as it is missing required kernel features.



```
# freebsd-update -r 13.0-CURRENT upgrade
Looking up update.tw.freebsd.org mirrors... none found.
```


----------



## SirDice (Apr 4, 2019)

freebsd-update(8) only works on -RELEASE versions. 

Besides that, -CURRENT is unsupported: Topics about unsupported FreeBSD versions


----------



## quanquan (Apr 4, 2019)

SirDice said:


> You need a recent 12-STABLE or 13-CURRENT. It will not work on 12.0-RELEASE as it is missing required kernel features.


```
root@daemon:~ # freebsd-update -r 13.0-CURRENT upgrade
Looking up update.tw.freebsd.org mirrors... none found.
Fetching metadata signature for 12.0-RELEASE from update.tw.freebsd.org... done.
Fetching metadata index... done.
Fetching 1 metadata patches. done.
Applying metadata patches... done.
Inspecting system... done.

The following components of FreeBSD seem to be installed:
kernel/generic kernel/generic-dbg src/src world/base world/base-dbg
world/doc world/lib32 world/lib32-dbg

The following components of FreeBSD do not seem to be installed:

Does this look reasonable (y/n)? n
```

Haha, I will have a try with a VMware guest, not on my laptop.


----------



## quanquan (Apr 4, 2019)

SirDice said:


> freebsd-update(8) only works on -RELEASE versions.
> 
> Besides that, -CURRENT is unsupported: Topics about unsupported FreeBSD versions



If I fail, I will get a CentOS to make this ZFS; maybe I do not have the ability to use 13-CURRENT.


----------



## hukadan (Apr 4, 2019)

If you have to choose between -CURRENT and -STABLE, choose -STABLE. With -STABLE, you can still use the official repository _and_ it is a supported version on this forum.


----------



## aht0 (Apr 4, 2019)

Just look up documentation about how to use 12-STABLE


----------



## quanquan (Apr 5, 2019)

hukadan said:


> If you have to choose between -CURRENT and -STABLE, choose -STABLE. With -STABLE, you can still use the official repository _and_ it is a supported version on this forum.


freebsd-update does not support "stable" and "current"; I have to download the ISO image, right?


----------



## aht0 (Apr 5, 2019)

You can download STABLE sources, rebuild world/kernel on your current system. Documentation describes the process in full.
Or download most recent STABLE image and hope it's recent enough to contain the functionality you seek.


----------



## hukadan (Apr 5, 2019)

The instructions to use -STABLE are:
- for tracking -STABLE: https://www.freebsd.org/doc/handbook/current-stable.html#stable
- for building world and kernel: https://www.freebsd.org/doc/handbook/makeworld.html

To be honest, for building world and kernel, I use a simplified version detailed here: http://www.wonkity.com/~wblock/docs/html/buildworld.html. It has never failed me so far.


----------



## quanquan (Apr 5, 2019)

hukadan said:


> The instructions to use -STABLE are:
> - for tracking -STABLE: https://www.freebsd.org/doc/handbook/current-stable.html#stable
> - for building world and kernel: https://www.freebsd.org/doc/handbook/makeworld.html
> 
> To be honest, for building world and kernel, I use a simplified version detailed here: http://www.wonkity.com/~wblock/docs/html/buildworld.html. It has never failed me so far.


Thanks very much, I will have a try. This will be very interesting.


----------



## teisho (Jan 17, 2020)

/usr/ports/sysutils/zol-kmod does not exist in my 12-STABLE ports.
What is the best way to get ZFS encryption at the moment?

Edit: Never mind! Got it: sysutils/openzfs


----------



## inf3rno (Jun 23, 2020)

teisho said:


> /usr/ports/sysutils/zol-kmod does not exist in my 12-STABLE ports.
> What is the best way to get ZFS encryption at the moment?
> 
> Edit: Never mind! Got it: sysutils/openzfs



Looks like somebody published the OpenZFS Kernel module: sysutils/openzfs-kmod. So in theory we can do full disk encryption with ZFS native encryption too. At least I hope so. I'll try it out.


----------



## SirDice (Jun 23, 2020)

```
root@molly:/usr/ports # grep zol-kmod MOVED
sysutils/zol-kmod|sysutils/openzfs-kmod|2019-06-11|Renamed to match upstream changes
```

It's the same port as sysutils/zol-kmod, it's been renamed to sysutils/openzfs-kmod.


----------
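The `MOVED` lookup shown in the post above, generalized as an added example (not part of any post in this thread and not ports-tree code): a shell function that follows renames through a MOVED file and reports removals. The name `resolve_port`, the `example/*` entries, and the assumption that the file is in chronological order are assumptions of this example.

```sh
#!/bin/sh
# Added example: resolve a port origin through a ports MOVED file.
# Line format, as in the grep output above: old|new|date|reason
# An empty "new" field marks a port that was removed outright.

# resolve_port ORIGIN [MOVED_FILE]  (hypothetical helper name)
# Single pass in file order, so a chain old -> mid -> new is followed as
# long as the entries are listed chronologically (assumed here).
resolve_port() {
    awk -F'|' -v cur="$1" '
        /^#/ || NF < 4 { next }              # skip comments and short lines
        removed == "" && $1 == cur {         # entry for the name we hold now
            if ($2 == "") removed = "REMOVED " $3 " (" $4 ")"
            else cur = $2                    # follow the rename
        }
        END { print (removed != "" ? removed : cur) }
    ' "${2:-/usr/ports/MOVED}"
}

# Constructed sample: the first entry is the one quoted in the thread; the
# example/* entries are made up to exercise a rename chain and a removal.
sample_moved() {
    cat <<'EOF'
# old|new|date|reason
sysutils/zol-kmod|sysutils/openzfs-kmod|2019-06-11|Renamed to match upstream changes
example/alpha|example/beta|2019-07-01|Constructed rename
example/beta|example/gamma|2020-02-01|Constructed second rename
example/dropped||2020-03-01|Constructed removal
EOF
}

tmp=$(mktemp)
sample_moved > "$tmp"
for origin in sysutils/zol-kmod example/alpha example/dropped sysutils/openzfs; do
    printf '%s -> %s\n' "$origin" "$(resolve_port "$origin" "$tmp")"
done
rm -f "$tmp"
```

Called without a second argument, the function reads `/usr/ports/MOVED`; an origin that never appears in the file is printed unchanged.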



## rootbert (Jun 23, 2020)

I can highly recommend using a setup with encrypted geli + FreeBSD's native ZFS ... the performance is by far better than encrypted-openzfs. I mean, really by far!


----------



## inf3rno (Jun 23, 2020)

rootbert said:


> I can highly recommend using a setup with encrypted geli + FreeBSD's native ZFS ... the performance is by far better than encrypted-openzfs. I mean, really by far!


Can you write more details?


----------



## rootbert (Jun 23, 2020)

I am currently doing *loads* of benchmarks, the tests are by far not finished and I will publish the results as soon as I have managed to go through all the data and prepare a nice article. However, to grab a random result from my completed tests: FreeBSD geli (blocksize 4096, aes-xts with keysize 128) + native ZFS with ashift=12: READ: 72.2MiB/s, WRITE: 18.1MiB/s from a random-read-write test with 80% read requests, on a 4core AMD machine with 8GB RAM + SSD. Same machine, same test, but with openzfs-kmod, encrypted with aes-128-ccm, ashift=12, gets only 6324KiB/s READ and 1585KiB/s WRITE.


----------



## inf3rno (Jun 23, 2020)

rootbert said:


> I am currently doing *loads* of benchmarks, the tests are by far not finished and I will publish the results as soon as I have managed to go through all the data and prepare a nice article. However, to grab a random result from my completed tests: FreeBSD geli (blocksize 4096, aes-xts with keysize 128) + native ZFS with ashift=12: READ: 72.2MiB/s, WRITE: 18.1MiB/s from a random-read-write test with 80% read requests, on a 4core AMD machine with 8GB RAM + SSD. Same machine, same test, but with openzfs-kmod, encrypted with aes-128-ccm, ashift=12, gets only 6324KiB/s READ and 1585KiB/s WRITE.


Are you sure that it is only the encryption that slows it down? I'll give it a try too, but I am working on something else now. It has to wait a few days.


----------



## rootbert (Jun 23, 2020)

I don't think it is the crypto stuff only ... I think openzfs-kmod has some performance issues - it is much slower than the one shipped with the base system.


----------



## inf3rno (Jun 24, 2020)

rootbert said:


> I don't think it is the crypto stuff only ... I think openzfs-kmod has some performance issues - it is much slower than the one shipped with the base system.


Maybe it would be better to send a bug report too when you are done.


----------



## rootbert (Jun 24, 2020)

Yes, that's what I intend to do; the performance for non-sequential action seems really abnormally bad.


----------



## inf3rno (Jun 30, 2020)

rootbert said:


> Yes, that's what I intend to do; the performance for non-sequential action seems really abnormally bad.


Can you link the bug report? I'd like to follow it.


----------



## rootbert (Jul 1, 2020)

My notebook with the SSD tests finished yesterday. The system with HDDs still has quite some time to go (all the combinations of 1-disk/2-disk/3-disk ZFS configurations generate an awful number of tests; additionally, on HDDs they take significantly longer). Here is the link: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=247690


----------

