Editing Encryption

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then save the changes below to finish undoing the edit.
Latest revision Your text
Line 1: Line 1:
 +
== Using OSX AES-XTS encryption along with ZFS ==
  
Encryption is now native to ZFS, and it is recommended to use that for greater flexibility and compatibility. See below. However, the core storage documentation will remain here for those who prefer that method.
+
While work is made on ZFS 30, we have an obvious solution to ZFS encryption already at hand: AES-XTS (10.7+ Full Disk Encryption in FileVault2).
 +
This is the equivalent of the following methods for other OS's: e.g. FreeBSD/geli, and Linux/LUKS.
  
== Native ZFS Encryption ==
+
The overall procedure is as follows: with an existing or fresh HFS+ disk apply full disk encryption. this will create a logical volume (when unlocked/decrypted) which in turn is used (repeat: the new logical volume) to create a ZFS pool.
  
On a zpool that supports encryption, encryption may be enabled as follows:
+
=== PREREQUISITES ===
 +
Build ZFS from source: [[Install#Installing_from_source]], or wait for the next installer, [[Downloads]], newer than 1.2.0 (for explanation, see original IRC chat).
  
<code># zpool set feature@encryption=enabled [pool]</code>
+
=== Caveat ===
 +
As noted in [[Suppressing_the_annoying_popup]], you will receive a pop-up claiming the disk isn't readable by this computer.
 +
This is a well documented problem, see the article above. It does however lead to one step which can be confusing: when decrypting the disk (e.g. on startup), the "bug" will make OSX believe the disk wasn't decrypted, and thus "wiggle" and present the prompt again.
  
On an zpool that supports encryption, an encrypted zfs dataset may be created as follows:
+
Take it on faith that once you've decrypted the disk, you can safely close the dialog box (with Cancel). You can verify this with your pools availability.
 
+
<code># zfs create -o encryption=on -o keylocation=prompt -o keyformat=passphrase [dataset]</code>
+
 
+
This will prompt for the encryption passphrase for this zfs dataset.  Other options for the location of the encryption key and its format can be found in the zfs(1M) manpage.
+
 
+
An encrypted zfs dataset may be mounted as follows:
+
 
+
<code># zfs mount -l [dataset]</code>
+
 
+
This will prompt for the encryption passphrase for this zfs dataset and mount the encrypted dataset; it will not mount any child datasets of the encrypted dataset, but they will be accessible as subdirectories of the encrypted dataset.  If the encryption passphrase is stored in the Keychain as a generic password under the name of the dataset, security(1) may be used to retrieve the passphrase as follows:
+
 
+
<code># security find-generic-password -a [dataset] -w | zfs mount -l [dataset]</code>
+
 
+
One common use case for an encrypted volume is a portable backup drive.  Typically the user will create snapshots on the source drive in the computer, and then transmit them to the portable drive using zfs send and receive.  In this scenario it is helpful if the destination dataset on the portable drive is read only, since then there is no need to roll back the destination dataset on the fly to the last valid snapshot.  To make this work with encryption, place the destination dataset as a child dataset of the encrypted dataset in the zpool of the portable drive; because it is a child of the encrypted dataset it, too, will be encrypted.  More importantly, it can be made read-only, whereas it appears that the encrypted parent dataset cannot be read-only (probably so that the key can be stored locally in the parent dataset).
+
 
+
Additional helpful information about zfs encryption can be found in the [https://blog.heckel.xyz/2017/01/08/zfs-encryption-openzfs-zfs-on-linux/ How-To: Using ZFS Encryption at Rest in OpenZFS (ZFS on Linux, ZFS on FreeBSD, …)].
+
 
+
== Core Storage (File Vault 2) ==
+
 
+
Although the upstream OpenZFS project lists [http://open-zfs.org/wiki/Projects#Platform_agnostic_encryption_support platform-agnostic encryption support] at the ZFS dataset level as a possible future enhancement, OS X already offers a feature called [http://support.apple.com/kb/ht4790 FileVault 2], which provides built-in support for XTS-AES 128 encryption at the block level as part of Core Storage volume management.
+
 
+
This is the OS X analogue of the following block-level encryption systems on other operating systems that support ZFS:
+
* FreeBSD: geli
+
* Linux: LUKS
+
 
+
The overall procedure is, as follows: convert an empty HFS+ partition to use Core Storage and apply Core Storage encryption. Then use the Core Storage Logical Volume as a device in your zpool by supplying it to "zpool create," "zpool add," "zpool attach," etc.
+
 
+
=== Prerequisites ===
+
Build ZFS [[Install#Installing_from_source|from source]], or wait for the [[Downloads|next installer]], newer than 1.2.0 (for explanation, see original IRC chat).
+
 
+
=== Caveats ===
+
You may receive a pop-up claiming the disk isn't readable by this computer. This leads to one step that can be confusing: when unlocking the disk (e.g., on startup), the "bug" will make OS X believe the disk wasn't unlocked, and thus "wiggle," presenting the prompt again.
+
 
+
Assuming you entered your password correctly, the encrypted volume should now be unlocked, despite the misleading wiggle, and you can safely close the dialog box by clicking "Cancel." You'll know for sure the volume is unlocked when you proceed to import your pool, or you can check directly by looking for <code>Encryption Status: Unlocked</code> in the output of <code>diskutil coreStorage list</code>.
+
  
 
=== Steps ===
 
=== Steps ===
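Review bot: the right-hand text drops the whole "Native ZFS Encryption" section (the `zpool set feature@encryption=enabled`, `zfs create -o encryption=on -o keylocation=prompt -o keyformat=passphrase` and `zfs mount -l` commands), although the left-hand introduction names native encryption as the recommended method. If the undo is only meant to restore the Core Storage wording, keep that section. In the Caveat, "Take it on faith ... You can verify this with your pools availability" replaces the concrete check for `Encryption Status: Unlocked` in `diskutil coreStorage list`; keep the concrete check. The restored link [[Suppressing_the_annoying_popup]] is also spelled differently from the [[Suppressing_the_annoying_pop-up|...]] link used further down the left side, so confirm the target exists.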
Line 59: Line 30:
 
     2:                  Apple_HFS Internal HD            999.9 GB  disk1s2
 
     2:                  Apple_HFS Internal HD            999.9 GB  disk1s2
  
We note that disk1s2 is the partition to be encrypted, and we convert it to Core Storage (think LVM), to enable encryption:
+
We note that disk1s2 is the partition to be encrypted, and we convert it to CoreStorage (think LVM), to enable encryption:
  
  #  diskutil coreStorage convert /dev/disk1s2
+
  #  diskutil corestorage convert /dev/disk1s2
 
  Started CoreStorage operation on disk1s2 Internal HD
 
  Started CoreStorage operation on disk1s2 Internal HD
 
  Resizing disk to fit Core Storage headers
 
  Resizing disk to fit Core Storage headers
Line 75: Line 46:
 
  Finished CoreStorage operation on disk1s2 Internal HD
 
  Finished CoreStorage operation on disk1s2 Internal HD
  
Note that we converted the existing unencrypted HFS+ partition.
+
Note that we converted the existing unencrypted HFS partition.
  
 
Next, we encrypt the logical volume, our Core Storage disk, disk2:
 
Next, we encrypt the logical volume, our Core Storage disk, disk2:
  
:'''Note: If you choose to use diskutil to do the encryption, it will default to the most secure option, which will take a VERY long time with large disks, optionally use the Disk Util UI and set it up as an encrypted HFS+ volume and under advanced change to least secure (good for new disks)'''
+
  # diskutil corestorage encryptVolume /dev/disk2
 
+
  # diskutil coreStorage encryptVolume /dev/disk2
+
 
  New passphrase for existing volume:
 
  New passphrase for existing volume:
 
  Confirm new passphrase:
 
  Confirm new passphrase:
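Review bot: the note at the `encryptVolume` step tells readers to switch to "least secure" under advanced in the Disk Utility UI but never names the setting or says what it changes, so a reader cannot tell what protection is being traded for speed. Name the option and keep the "good for new disks" condition next to it. The same hunk changes "HFS+" to "HFS" in "Note that we converted the existing unencrypted HFS partition", while the rest of the page says HFS+; use one name.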
Line 93: Line 62:
  
 
This can and will take a while to complete. You can check the status by issuing:
 
This can and will take a while to complete. You can check the status by issuing:
  # diskutil coreStorage list | grep Conversion
+
  # diskutil cs list | grep "Conversion Progress"
 
+
Until it's done: "Conversion Progress: -none-"
Until it's done:
+
Conversion Status:  Complete
+
Conversion Progress: -none-
+
  
 
Your partition layout should now look like:
 
Your partition layout should now look like:
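Review bot: narrowing the status check to `grep "Conversion Progress"` hides the `Conversion Status:` line that the page itself lists as `Complete`; keep the wider `grep Conversion` so both lines are shown. The wording "Until it's done" is also ambiguous about whether `Conversion Progress: -none-` is the in-progress output or the finished output; say explicitly which output means encryption has completed before the reader moves on to creating the pool.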
Line 117: Line 83:
 
     0:                  Apple_HFS                        *999.5 GB  disk2
 
     0:                  Apple_HFS                        *999.5 GB  disk2
  
disk2 being our encrypted, unlocked HFS+ device. If you have yet to be prompted for the passphrase by OS X, now would be a good time to restart your Mac and try it out.
+
disk2 being our encrypted, unlocked HFS device. If you have yet to be prompted for the passphrase by OS X, now would be a good time to restart your Mac and try it out.
  
 
Lastly, we'll prepare the volume for ZFS, by unmounting /dev/disk2:
 
Lastly, we'll prepare the volume for ZFS, by unmounting /dev/disk2:
Line 124: Line 90:
 
  ...
 
  ...
 
  /dev/disk2 on /Volumes/Internal HD (hfs, local, journaled)
 
  /dev/disk2 on /Volumes/Internal HD (hfs, local, journaled)
  # diskutil unmount "/Volumes/Internal HD"
+
  # umount "/Volumes/Internal HD"
  
You can now follow the article on [[Zpool#Creating_a_pool|creating a pool]]. As a simple example, you might
+
You can now proceed with [[Zpool#Creating_a_pool]] or standard ZFS manuals.
  
<syntaxhighlight lang="text">
+
=== For illustration purpose ===
 
  # zpool list
 
  # zpool list
 
  no pools available
 
  no pools available
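Review bot: the unmount step switches from `diskutil unmount "/Volumes/Internal HD"` to plain `umount "/Volumes/Internal HD"`, which breaks consistency with the `diskutil` commands used in every other step of the procedure; keep `diskutil unmount`. The bare link [[Zpool#Creating_a_pool]] also loses the readable label "creating a pool" that the left side has.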
Line 134: Line 100:
 
  # zpool list
 
  # zpool list
 
  ZFS_VOLUME    928G  20.8G  907G    2%  1.00x  ONLINE  -
 
  ZFS_VOLUME    928G  20.8G  907G    2%  1.00x  ONLINE  -
</syntaxhighlight>
 
  
Also note that you '''don't''' need to worry about changing the partition type in this case to ZFS as described in the [[Suppressing_the_annoying_pop-up|Suppressing the annoying pop-up]] wiki page.
 
  
=== Reason to "use latest" ===
+
 
<syntaxhighlight lang="text">
+
== Reason for "use latest" ==
<ilovezfs> If you want encryption you have a few options
+
This commit is potentially vital:
<ilovezfs> https://github.com/zfsrogue/osx-zfs-crypto
+
e795742 ilovezfs: Make the check for Core Storage LV more forgiving.
<lundman> :)
+
 
<ilovezfs> or you can do what cbreak said, and use an encrypted sparsebundle
+
=== Original IRC chat ===
<ilovezfs> (I'd give it its own ZFS file system)
+
[14:07] < ilovezfs_> if you want encryption you have a few options
<ilovezfs> or you can create a ZVOL, and put an encrypted Core Storage/Filevault 2 HFS+
+
[14:07] < ilovezfs_> https://github.com/zfsrogue/osx-zfs-crypto
          file system on it
+
[14:07] < lundman> :)
<ilovezfs> or you can put the pool itself on top of Core Storage.
+
[14:08] < ilovezfs_> or you can do what cbreak-work said, and use an encrypted sparsebundle
<ilovezfs> The last option you should not do with the installer version.
+
[14:08] < ilovezfs_> (I'd give it its own zfs file system)
<ilovezfs> But wait for the next installer if that's the route you want to go
+
[14:08] < ilovezfs_> or you can create a zvol, and put an encrypted CoreStorage/Filevault2 HFS+ file system on it
<ilovezfs> or build from source.
+
[14:09] < ilovezfs_> or you can put the pool itself on top of CoreStorage
<aandy>   Ah, interesting. Does FileVault 2 require HFS+? Not that it'd surprise me.
+
[14:09] < ilovezfs_> The last option you should not do with the installer version.
<ilovezfs> No it does not.
+
[14:10] < ilovezfs_> But wait for the next installer if that's the route you want to go
<ilovezfs> But it is not possible to set other Content Hints
+
[14:10] < ilovezfs_> or build from source.
<ilovezfs> so it will always say HFS+ even if you do put ZFS on your logical volumes.
+
[14:10] < aandy> ah, interesting. does filevault2 require hfs+? not that it'd surprise me
<ilovezfs> So basically the procedure is to format the volume HFS+.
+
[14:11] < ilovezfs_> no it does not
<ilovezfs> Then run 'diskutil coreStorage convert' on it.
+
[14:11] < ilovezfs_> but it is not possible to set other Content Hints
<ilovezfs> Then you can encrypt it.
+
[14:11] < ilovezfs_> so it will always say HFS+ even if you do put ZFS on your logical volumes
<ilovezfs> Then you unmount the HFS+
+
-
<ilovezfs> and zpool create on the logical volume.
+
[14:13] < ilovezfs_> aandy: so basically the procedure is to format the volume HFS+
<ilovezfs> And you should be good to go.
+
[14:13] *** ottmarklaas [~ottmarkla@cpe-67-248-51-197.nycap.res.rr.com] has quit [Quit: ottmarklaas]
<aandy>   On the original HFS+ partition, right?
+
[14:13] < ilovezfs_> aandy: then run 'diskutil corestorage convert' on it
<ilovezfs> Right.
+
[14:13] < ilovezfs_> then you can encrypt it
<ilovezfs> But I'd encrypt first
+
[14:14] < ilovezfs_> then you unmount the HFS+
<ilovezfs> then put ZFS on it.
+
[14:14] < ilovezfs_> and zpool create on the logical volume.
<aandy>   Right. Perfect.
+
[14:14] < ilovezfs_> And you should be good to go.
<ilovezfs> diskutil coreStorage convert ...
+
[14:14] < aandy> on the original HFS+ partition, right?
<ilovezfs> diskutil coreStorage encryptVolume ...
+
[14:14] < ilovezfs_> right
<ilovezfs> etc.
+
[14:14] < ilovezfs_> but id encrypt first
<ilovezfs> The reason not to use the installer version, is that it will attempt to
+
[14:14] < ilovezfs_> then put zfs on
          partition the Core Storage Logical Volume.
+
[14:14] < aandy> right. perfect
<ilovezfs> But since 10.8.5 and after, Apple doesn't like that
+
[14:15] < ilovezfs_> diskutil cs convert...
<ilovezfs> so we added new code to detect Core Storage and not partition if it sees it's
+
[14:15] < ilovezfs_> diskutil cs encryptVolume ...
          Core Storage.
+
[14:15] < ilovezfs_> etc.
</syntaxhighlight>
+
[14:16] < ilovezfs_> The reason not to use the installer version, is that it will attempt to partition the Core Storage Logical Volume.
 +
[14:16] < ilovezfs_> But since 10.8.5 and after, Apple doesn't like that.
 +
[14:16] < ilovezfs_> So we added new code to detect Core Storage and not partition if it sees it's Core Storage.
 +
 
 +
== Time Machine Backups ==
 +
As a follow-up, here's one approach to using ZFS for your Time Machine Backups:
 +
 
 +
While it has been discussed in heated arguments, e.g. https://github.com/openzfsonosx/zfs/issues/66, I still believe there's at least one ZFS feature I'd like to test with Time Machine: compression.
 +
 
 +
The hypothesis being:
 +
a HFS+ sparse bundle stored on a compressed (gzip, lz4), deduped dataset should
 +
yield a compression ratio > 1.0.
 +
(previously observed 1.4 with compression=on, dedup=off, FreeBSD network Time Machine drives).
 +
 
 +
To work around compatible disks for Time Machine, we create a HFS+ bundle, store it on ZFS and set the mounted image as a backup destination, no "TMShowUnsupportedNetworkVolumes" needed.
 +
 
 +
1. Create, and mount, a sparse bundle from your zfs filesystem, e.g. with makeImage.sh
 +
2. Set your sparse bundle as the (active) backup destination # tmutil setdestination -a /Volumes/Time\ Machine\ Backups
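Review bot: the restored raw IRC log includes the line "[14:13] *** ottmarklaas [...] has quit", which publishes an uninvolved user's hostname and adds nothing to the explanation; drop that line, as the cleaned-up transcript on the left side does. In the Time Machine section the hypothesis is stated for a "compressed (gzip, lz4), deduped dataset", but the only figure given (1.4) was observed with dedup=off, so say that the dedup part is untested. `makeImage.sh` is referenced without a link or listing. The heading "== Reason for "use latest" ==" is one level above "=== Original IRC chat ===", which makes the chat a subsection, unlike the left-side layout.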
