You heard right!
Tom Caputi has signed off on the patch for encryption in ZFS on Linux! The part that really caught my eye reads:
The last addition is the ability to do raw, encrypted sends and receives. The idea here is to send raw encrypted and compressed data and receive it exactly as is on a backup system. This means that the dataset on the receiving system is protected using the same user key that is in use on the sending side. By doing so, datasets can be efficiently backed up to an untrusted system without fear of data being
That’s excellent! So, you’ll be able to replicate encrypted data to another site for redundancy/DR purposes while utilizing the original encryption scheme and keys. No need to manage keys on each device!
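To make the raw-send idea concrete, here is an added example (not from the post or the ZoL project): a raw send to a backup host, followed by the check a defender would want, namely that the backup host ends up with an encrypted dataset whose key is not loaded. The dataset and host names are placeholders, and the zfs send -w / receive -u flags are assumed to be those of a ZFS build that includes native encryption.

```shell
#!/bin/sh
# Added example: raw-replicate an encrypted dataset to an untrusted backup host
# and confirm the backup host holds ciphertext only.
# Assumptions: zfs with native encryption, ssh access to the backup host;
# all dataset/host names below are placeholders.

# Send a snapshot raw (-w): blocks leave the pool exactly as stored, still
# encrypted and compressed, so the receiver never needs the user key.
# receive -u: do not attempt to mount the dataset on arrival.
replicate_raw() {
  src_snap=$1     # e.g. tank/secrets@nightly   (placeholder)
  backup_host=$2  # e.g. backup.example.internal (placeholder)
  dst=$3          # e.g. backup/secrets          (placeholder)
  zfs send -w "$src_snap" | ssh "$backup_host" zfs receive -u "$dst"
}

# Read 'zfs get -H -o property,value encryption,keystatus' lines on stdin.
# Return 0 only when the dataset is encrypted AND its key is not loaded
# (keystatus unavailable), i.e. the backup host cannot decrypt it.
assess_backup_dataset() {
  enc=""; keystatus=""
  while read -r prop value; do
    case $prop in
      encryption) enc=$value ;;
      keystatus)  keystatus=$value ;;
    esac
  done
  if [ -n "$enc" ] && [ "$enc" != off ] && [ "$keystatus" = unavailable ]; then
    return 0
  fi
  return 1
}

# Run the check against the live dataset on the backup host.
verify_raw_backup() {
  backup_host=$1; dst=$2
  ssh "$backup_host" zfs get -H -o property,value encryption,keystatus "$dst" \
    | assess_backup_dataset
}

# Constructed sample of what 'zfs get' prints for a correctly received raw
# backup (not real output); lets the check run without a pool present.
sample_backup_output() {
  printf 'encryption\taes-256-gcm\nkeystatus\tunavailable\n'
}
demo_check() { sample_backup_output | assess_backup_dataset; }
```

If the key ever shows as available on the backup host, someone has loaded it there, which defeats the point of the raw send and is worth alerting on.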
Now to get this (and previous builds for hole_birth fixes) incorporated into Ubuntu repositories…
If you’re not familiar with this topic at all, check out this great video highlighting how it works:
Some people have called attention to the fact that some ZFS metadata is not encrypted. This caused some stir on various ZoL boards and the like. The reality is that the data left unencrypted is either fairly trivial or impossible to encrypt. It includes:
- Dataset/Snapshot names
- Dataset properties (the information shown by zfs get)
- Pool layout
- ZFS structure
- Deduplication tables (though we all know the implications of using dedup)
- Everything in RAM
So really, the unencrypted metadata will not let anyone read your actual data!
Great job to Tom and the rest of the ZoL team – appreciate all your hard work.