Do I need to encrypt ALL of my drives?

Post by Tsur » Tue Jan 12, 2016 7:25 pm

So encryption is important to me, but as I'm sitting here waiting for CoreStorage to finish encrypting the first drive I'm becoming pretty frustrated and bored. I started pondering ways to speed up the process and thought, "Do I really NEED to encrypt ALL of my drives?"

I have six 4TB drives that I'll use in a raidz2. Unless my logic is completely off, or if there's a problem mixing unencrypted drives with encrypted drives, don't I really only need to encrypt three of the six drives for my data to be effectively encrypted? I'm also thinking, that in addition to saving some setup time, it'd be less ongoing hassle and might improve performance.

Thoughts?
Tsur
 
Posts: 22
Joined: Thu Jan 07, 2016 2:11 pm

Re: Do I need to encrypt ALL of my drives?

Post by tangent » Thu Jan 14, 2016 2:41 am

Tsur wrote: as I'm sitting here waiting for CoreStorage to finish encrypting the first drive

I assume you're following the wiki's Encryption guide?

It shouldn't take but a few seconds per disk to set that up. There's a bit in that article about watching for encryption to complete, but you don't actually need to wait for that. The encryption is happening in the background, and any blocks written to the corestorage volume will be transparently encrypted while that happens. You can even reboot while it happens; the process will resume when the OS comes back up.

Tsur wrote: a problem mixing unencrypted drives with encrypted drives

I haven't tried it, but I assume a corestorage volume is slightly smaller than the raw disk, owing to partitioning and LVM overheads. So, if you mix volume types, the only immediate consequence should be that it won't use the last few kB of your raw disks.

Tsur wrote: don't I really only need to encrypt three of the six drives for my data to be effectively encrypted?

I don't see how you made that leap. Encrypting half of the volumes means that half of the data stored will be encrypted, and half won't. Since any given file will likely have blocks on all six disks, this does mean that someone looking only at the unencrypted volumes can probably only recover half of each file, but that may be all an attacker needs.

Consider also that with raidz2, every block actually appears three times in the system, but on different disks. So, an encrypted block on one disk might possibly be reconstructed from the plaintext parity information on one of the three unencrypted disks.

So no, your plan won't work.

Tsur wrote: it'd be less ongoing hassle

Security is always opposed to convenience. Always.

Tsur wrote: might improve performance

CoreStorage uses the CPU's AES encryption support. Overhead should be negligible.

The only performance worry I'd predict is that it's possible that CoreStorage's buffering could put your data at risk in a crash for the same reason that write caching on a RAID controller will.

You can take that as a "game over" scenario from the start, or you can instead say, "Well, I'd better have a backup, then!"

That's the single biggest problem with storage arrays: if you think you need a 6-drive array, you actually need *two* 6-drive arrays, one to back the other up.
tangent
 
Posts: 47
Joined: Tue Nov 11, 2014 6:58 pm

Re: Do I need to encrypt ALL of my drives?

Post by goingzfs » Thu Jan 14, 2016 9:12 am

tangent wrote: I assume you're following the wiki's Encryption guide?

It shouldn't take but a few seconds per disk to set that up. There's a bit in that article about watching for encryption to complete, but you don't actually need to wait for that. The encryption is happening in the background, and any blocks written to the corestorage volume will be transparently encrypted while that happens. You can even reboot while it happens; the process will resume when the OS comes back up.

If the intent is to create a fresh pool on the encrypted logical volume, then it doesn't make a lot of sense to me to have it encrypt every bit and byte on the disk ahead of time, as those will be initially unused and filling an entire drive with data takes a long time.

Here's what I found: In Disk Utility, under the "Erase" tab of any given partition, you can select any option with encryption and proceed to erase the partition. This will set up an encrypted CoreStorage logical volume group for you without encrypting all the data on the partition beforehand.

Then:
# diskutil coreStorage list

... should output something like this for your disk:
Encryption Type:         AES-XTS
Conversion Status:       Complete
Conversion Direction:    -none-


The rest of the guide is good.
goingzfs
 
Posts: 4
Joined: Thu Jan 14, 2016 8:29 am
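
The check goingzfs describes, extended to every CoreStorage group at once so that all pool members can be confirmed as AES-XTS and fully converted before the pool is created. This is an added example, not part of the original posts: the function names, the sample text and its header/`Disk:` layout are assumptions, and only the three field names come from the output quoted above.

```sh
# Added example, not from the thread. Field names are those quoted in the post;
# the group header and "Disk:" lines are an assumed layout. Reads the listing on
# stdin; prints "<disk> OK" or "<disk> NOT-READY type=.. status=.." per group.
cs_check() {
    awk '
    function emit() {
        if (!seen) return
        if (type == "AES-XTS" && status == "Complete") print disk " OK"
        else print disk " NOT-READY type=" type " status=" status
    }
    /Logical Volume Group/ { emit(); seen = 1
                             disk = "?"; type = "missing"; status = "missing" }
    /Disk:/ && disk == "?" { disk = $NF }   # first Disk: line = physical volume
    /Encryption Type:/     { type = $NF }
    /Conversion Status:/   { status = $NF }
    END { emit() }'
}

# Succeeds only if at least one group was found and none is NOT-READY.
cs_all_ready() {
    report=$(cs_check)
    [ -n "$report" ] || return 1
    case "$report" in *NOT-READY*) return 1 ;; esac
}

# Constructed sample input with placeholder UUIDs (not real output).
sample_output() {
    cat <<'EOF'
+-- Logical Volume Group UUID-PLACEHOLDER-A
    +-< Physical Volume UUID-PLACEHOLDER-B
    |   Disk:     disk2s2
    +-> Logical Volume Family UUID-PLACEHOLDER-C
        Encryption Type:         AES-XTS
        Conversion Status:       Complete
        Conversion Direction:    -none-
+-- Logical Volume Group UUID-PLACEHOLDER-D
    +-< Physical Volume UUID-PLACEHOLDER-E
    |   Disk:     disk3s2
    +-> Logical Volume Family UUID-PLACEHOLDER-F
        Encryption Type:         AES-XTS
        Conversion Status:       Converting
+-- Logical Volume Group UUID-PLACEHOLDER-G
    +-< Physical Volume UUID-PLACEHOLDER-H
    |   Disk:     disk4s2
    +-> Logical Volume Family UUID-PLACEHOLDER-I
        Encryption Type:         None
        Conversion Status:       NoConversion
EOF
}
sample_output | cs_check
```

On a real system, pipe `diskutil coreStorage list` into `cs_all_ready` instead of the sample; a member that is unencrypted or still converting makes it fail.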

Re: Do I need to encrypt ALL of my drives?

Post by Tsur » Thu Jan 14, 2016 10:55 am

tangent wrote: It shouldn't take but a few seconds per disk to set that up. There's a bit in that article about watching for encryption to complete, but you don't actually need to wait for that. The encryption is happening in the background, and any blocks written to the corestorage volume will be transparently encrypted while that happens.


Yeah, I was waiting for it to complete. Each drive was taking over 24 hours. Good to know. Thanks.
Tsur
 
Posts: 22
Joined: Thu Jan 07, 2016 2:11 pm

Re: Do I need to encrypt ALL of my drives?

Post by Tsur » Fri Jan 22, 2016 12:49 am

tangent wrote: There's a bit in that article about watching for encryption to complete, but you don't actually need to wait for that.


After a few days of experimentation, I've come to believe that while it's probably true that you don't absolutely need to wait, you probably should wait.

Without waiting for the encryption to finish, in 10.9.5, this bug:
You may receive a pop-up claiming the disk isn't readable by this computer. This leads to one step that can be confusing: when unlocking the disk (e.g., on startup), the "bug" will make OS X believe the disk wasn't unlocked, and thus "wiggle," presenting the prompt again.

Assuming you entered your password correctly, the encrypted volume should now be unlocked, despite the misleading wiggle, and you can safely close the dialog box by clicking "Cancel."


…became much more annoying. For some reason, not waiting for the encryption to finish before creating a pool strips the names of the disks in the dialogue box. The prompt asks you to enter the password for disk " ". Depending on the number of disks you have, and your naming/password scheme, not knowing the hard drive name can make entering passwords mildly annoying to very frustrating.

I suspect that the disk names might reappear in the dialogue box after the encryption finishes. But after many frustrating attempts at guessing which disk I was entering a password for, I gave up, restarted the process, and decided to let the encryption finish before creating a pool.

I also discovered that Core Storage encryption is limited by thread count. So, on an i3, it would only encrypt four of my seven drives. Luckily I had another Mac and moved three drives over to speed along the process. Four-terabyte drives take right around 28 hours to finish encrypting.

A tip for anyone else dealing with many drives and the password "wiggle" bug: it's much easier to just hit "Cancel" when the Finder asks for your password(s). Then open up Disk Utility and enter the passwords - it gives you a visual so you know you're entering the password(s) correctly.

Another tip: I'm convinced that, at least in 10.9.5, the Mac actually must be restarted before Core Storage starts processing the encryption command(s). I know it seems weird, but in the past week or so I've encrypted many drives and each time nothing happened until I restarted. At the very least, diskutil corestorage doesn't report any progress until a restart occurs.

Don't know how many people are using Core Storage encryption with OpenZFS, but I hope these observations come in handy for someone else.
Tsur
 
Posts: 22
Joined: Thu Jan 07, 2016 2:11 pm

Re: Do I need to encrypt ALL of my drives?

Post by goingzfs » Fri Jan 22, 2016 10:45 am

Tsur wrote: A tip for anyone else dealing with many drives and the password "wiggle" bug. It's much easier to just hit "cancel" when the finder asks for your password(s). Then open up Disk Utility and enter the passwords - it gives you a visual so you know you're entering the password(s) correctly.

The "wiggle" quirk no longer appears for me after upgrading to OS X 10.11 and using the latest version (1.4.5) of O3X.
goingzfs
 
Posts: 4
Joined: Thu Jan 14, 2016 8:29 am
