Native Encryption for ZFS on Linux is here!

You heard right!

Click here to read about the github commit

Tom Caputi has signed off on the patch for encryption in ZFS on Linux!  The part that really caught my eye reads:

The last addition is the ability to do raw, encrypted
sends and receives. The idea here is to send raw
encrypted and compressed data and receive it exactly
as is on a backup system. This means that the dataset
on the receiving system is protected using the same
user key that is in use on the sending side. By doing
so, datasets can be efficiently backed up to an
untrusted system without fear of data being

That’s excellent!  So, you’ll be able to replicate encrypted data to another site for redundancy/DR purposes while utilizing the original encryption scheme and keys.  No need to manage keys on each device!

Now to get this (and previous builds for hole_birth fixes) incorporated into Ubuntu repositories…

If you’re not familiar with this topic at all, check out this great video highlighting how it works:

Some people have called attention to the fact that some ZFS metadata is not encrypted.  This caused some stirring in the stands on various ZoL boards, etc.  The reality is that the data that is not encrypted is pretty trivial and or impossible to encrypt.  These data include:

  • Dataset/Snapshot names
  • Dataset properties (ala zfs get information)
  • Pool layout
  • ZFS structure
  • Deduplication tables (though we all know the implications of using this)
  • Everything in RAM

So really, the metadata not encrypted will not result in anyone reading your actual data!

Great job to Tom and the rest of the ZoL team – appreciate all your hard work.

Author: Jon

Share This Post On


  1. It’s worth noting that “here” is possibly a bit optimistic: the changes are merged into master, but haven’t been included in a released version as yet (because all released versions since the merge have been based on the zfs-0.7-release branch, to which the changes haven’t been merged). Only development builds have this feature as yet.

    Post a Reply
  2. Has anyone done any work on entropy usage in non-dedup mode?

    Post a Reply
  3. Yes, really excited about this indeed! Keep up the good work!

    Post a Reply
  4. Jon, let Tom know that many people are excited by this addition. I am in the process of setting up a test server for this very purpose, getting experience with native OpenZFS encryption.

    In someways, a project like this needs an advocate / primary coder. Thank you Tom. Some parts of OpenZFS like new checksum algorythms can be quickly added. But, native encryption needed someone to work the issue forward and backward, (with outside review when wanted or needed). I’ve been in software development, and at times it’s easier to do much of the work myself.

    Now I just have to work with native OpenZFS encryption enough to feel comfortable with it, (on non-production data.)

    Post a Reply
    • I agree! I am glad Tom has stepped up to the plate which, of course, Datto appreciates, too! I started to build the latest source to experiment with but got sidetracked. I am anxious to play with native encryption!

      Post a Reply
  5. I sit next to tom and have watched him build encryption into zfs for the past year or so. I don’t think he gets the appreciation he deserves for all the amazing work he’s done here.

    Post a Reply
    • Let him know! I’ve chatted with him a few times via email (I call it chatting, hopefully he doesn’t call it bugging) – definitely appreciate all the work that goes into this stuff!

      Post a Reply

Submit a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.