Difference between revisions of "Encryption"

From OpenZFS on OS X
Revision as of 17:18, 7 May 2014

Core Storage encryption

Although upstream OpenZFS has a "project" to work on platform-agnostic encryption support at the ZFS dataset level, we have an obvious solution to block-level encryption already at hand: AES-XTS (Core Storage/FileVault 2).

This is the OS X analogue of the following block-level encryption systems on other operating systems that support ZFS:

  • FreeBSD: geli
  • Linux: LUKS

The overall procedure is as follows: convert an empty HFS+ partition to use Core Storage and apply Core Storage encryption. Then use the Core Storage Logical Volume as a device in your zpool by supplying it to "zpool create," "zpool add," "zpool attach," etc.

Prerequisites

Build ZFS from source, or wait for the next installer, newer than 1.2.0 (for explanation, see original IRC chat).

Caveats

As noted in the article suppressing the annoying pop-up, you will receive a pop-up claiming the disk isn't readable by this computer. This is a well-documented problem; see the article above. It does, however, lead to one step that can be confusing: when unlocking the disk (e.g. on startup), the "bug" will make OS X believe the disk wasn't unlocked, and thus "wiggle," presenting the prompt again.

Take it on faith that once you've unlocked the disk, you can safely close the dialog box (with "Cancel"). You can verify this with your pool's availability.

Steps

The initial layout, with disk1 being the external disk (counter-intuitively named "Internal HD") intended as the encrypted ZFS device:

# diskutil list
/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *160.0 GB   disk0
   1:                        EFI EFI                     209.7 MB   disk0s1
   2:                  Apple_HFS Macintosh HD            159.7 GB   disk0s2
/dev/disk1
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *1.0 TB     disk1
   1:                        EFI EFI                     209.7 MB   disk1s1
   2:                  Apple_HFS Internal HD             999.9 GB   disk1s2

We note that disk1s2 is the partition to be encrypted, and we convert it to CoreStorage (think LVM), to enable encryption:

#  diskutil corestorage convert /dev/disk1s2
Started CoreStorage operation on disk1s2 Internal HD
Resizing disk to fit Core Storage headers
Creating Core Storage Logical Volume Group
Attempting to unmount disk1s2
Switching disk1s2 to Core Storage
Waiting for Logical Volume to appear
Mounting Logical Volume
Core Storage LVG UUID: 4690972A-484E-42E2-B72D-933A58E41237
Core Storage PV UUID: 22A1A783-01BA-4ABA-B4A3-2A9146506519
Core Storage LV UUID: F6D16BFE-B6E9-4A9B-BC03-E5CD03772C44
Core Storage disk: disk2
Finished CoreStorage operation on disk1s2 Internal HD

Note that we converted the existing unencrypted HFS partition.

Next, we encrypt the logical volume, our Core Storage disk, disk2:

# diskutil corestorage encryptVolume /dev/disk2
New passphrase for existing volume:
Confirm new passphrase:
The Core Storage Logical Volume UUID is F6D16BFE-B6E9-4A9B-BC03-E5CD03772C44
Started CoreStorage operation on disk2 Internal HD
Scheduling encryption of Core Storage Logical Volume
Core Storage LV UUID: F6D16BFE-B6E9-4A9B-BC03-E5CD03772C44
Finished CoreStorage operation on disk2 Internal HD

Note that we used disk2, the logical volume, not disk1s2.

This can and will take a while to complete. You can check the status by issuing:

# diskutil coreStorage list | grep "Conversion Progress"

Until it's done:

Conversion Progress: -none-

Your partition layout should now look like:

# diskutil list
/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *160.0 GB   disk0
   1:                        EFI EFI                     209.7 MB   disk0s1
   2:                  Apple_HFS Macintosh HD            159.7 GB   disk0s2
/dev/disk1
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *1.0 TB     disk1
   1:                        EFI EFI                     209.7 MB   disk1s1
   2:          Apple_CoreStorage                         999.9 GB   disk1s2
   3:                 Apple_Boot Boot OS X               134.2 MB   disk1s3
/dev/disk2
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                  Apple_HFS                        *999.5 GB   disk2

disk2 is our encrypted, unlocked HFS device. If you have yet to be prompted for the passphrase by OS X, now would be a good time to restart your Mac and try it out.

Lastly, we'll prepare the volume for ZFS, by unmounting /dev/disk2:

# mount
...
/dev/disk2 on /Volumes/Internal HD (hfs, local, journaled)
# diskutil unmount "/Volumes/Internal HD"

You can now proceed with Zpool#Creating_a_pool or standard ZFS manuals.

For illustration purposes:

# zpool list
no pools available
# zpool create -f -o ashift=12 ZFS_VOLUME /dev/disk2
# zpool list
ZFS_VOLUME    928G  20.8G   907G     2%  1.00x  ONLINE  -
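As an added example (not code from this wiki or the OpenZFS on OS X project), the following shell functions perform the checks worth making before the zpool create step above: that the device is the Core Storage Logical Volume (disk2) and not the physical slice (disk1s2), that the encryption conversion has finished, and that the LV is unmounted. The cs_* function names are this example's own, and the diskutil and mount output is passed in as text so the checks can be exercised on the constructed samples at the bottom.

```shell
#!/bin/sh
# Added example, not code from the OpenZFS on OS X wiki: pre-flight checks for
# the Core Storage -> zpool procedure above. diskutil/mount output is passed
# in as text so the checks run on the constructed samples below without a Mac.

# Logical Volume device reported by 'diskutil corestorage convert'
# (the page's run printed "Core Storage disk: disk2").
cs_lv_from_convert() {
    printf '%s\n' "$1" | sed -n 's/^Core Storage disk: *\(disk[0-9]*\)$/\1/p'
}

# Encryption finished: 'diskutil coreStorage list' shows "-none-" progress.
cs_encryption_done() {
    printf '%s\n' "$1" | grep -q 'Conversion Progress: *-none-'
}

# Is $2 the LV? In 'diskutil list' the LV is a whole disk whose single entry
# carries the Apple_HFS content hint; the physical slice reads Apple_CoreStorage.
cs_is_logical_volume() {
    printf '%s\n' "$1" | awk -v dev="$2" '
        $1 == ("/dev/" dev) { in_dev = 1; next }
        /^\/dev\//          { in_dev = 0 }
        in_dev && $NF == dev && /Apple_HFS/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Still mounted according to 'mount' output?
cs_lv_mounted() {
    printf '%s\n' "$1" | grep -q "^/dev/$2 on "
}

# $1 diskutil list, $2 device, $3 coreStorage list, $4 mount output.
# Succeeds only for an unmounted, fully encrypted LV (never the raw slice).
cs_ready_for_zpool() {
    cs_is_logical_volume "$1" "$2" || { echo "$2 is not the Core Storage LV"; return 1; }
    cs_encryption_done "$3"        || { echo "encryption still in progress";  return 2; }
    cs_lv_mounted "$4" "$2"        && { echo "$2 is still mounted";           return 3; }
    echo "ok: zpool create -o ashift=12 <pool> /dev/$2"
}

# Constructed samples, modelled on the outputs shown on the page.
SAMPLE_CONVERT='Started CoreStorage operation on disk1s2 Internal HD
Core Storage disk: disk2
Finished CoreStorage operation on disk1s2 Internal HD'
SAMPLE_LIST='/dev/disk1
   0:      GUID_partition_scheme                        *1.0 TB     disk1
   2:          Apple_CoreStorage                         999.9 GB   disk1s2
/dev/disk2
   0:                  Apple_HFS                        *999.5 GB   disk2'
SAMPLE_CS_BUSY='    Conversion Progress:   37%'
SAMPLE_CS_DONE='    Conversion Progress:   -none-'
SAMPLE_MOUNT='/dev/disk2 on /Volumes/Internal HD (hfs, local, journaled)'
cs_ready_for_zpool "$SAMPLE_LIST" disk1s2 "$SAMPLE_CS_DONE" "" || true   # wrong device
cs_ready_for_zpool "$SAMPLE_LIST" disk2 "$SAMPLE_CS_DONE" ""
```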


Reason for "use latest"

This commit is potentially vital: e795742 ilovezfs: Make the check for Core Storage LV more forgiving.

<ilovezfs> if you want encryption you have a few options
<ilovezfs> https://github.com/zfsrogue/osx-zfs-crypto
<lundman> :)
<ilovezfs> or you can do what cbreak said, and use an encrypted sparsebundle
<ilovezfs> (I'd give it its own ZFS file system)
<ilovezfs> or you can create a ZVOL, and put an encrypted Core Storage/Filevault2 HFS+ file system on it
<ilovezfs> or you can put the pool itself on top of Core Storage
<ilovezfs> The last option you should not do with the installer version.
<ilovezfs> But wait for the next installer if that's the route you want to go
<ilovezfs> or build from source.
<aandy> ah, interesting. does filevault2 require hfs+? not that it'd surprise me
<ilovezfs> no it does not
<ilovezfs> but it is not possible to set other Content Hints
<ilovezfs> so it will always say HFS+ even if you do put ZFS on your logical volumes
<ilovezfs> aandy: so basically the procedure is to format the volume HFS+
<ilovezfs> aandy: then run 'diskutil coreStorage convert' on it
<ilovezfs> then you can encrypt it
<ilovezfs> then you unmount the HFS+
<ilovezfs> and zpool create on the logical volume.
<ilovezfs> And you should be good to go.
<aandy> on the original HFS+ partition, right?
<ilovezfs> right
<ilovezfs> but I'd encrypt first
<ilovezfs> then put ZFS on it
<aandy> right. perfect
<ilovezfs> diskutil coreStorage convert...
<ilovezfs> diskutil coreStorage encryptVolume ...
<ilovezfs> etc.
<ilovezfs> The reason not to use the installer version, is that it will attempt to partition the Core Storage Logical Volume.
<ilovezfs> But since 10.8.5 and after, Apple doesn't like that.
<ilovezfs> So we added new code to detect Core Storage and not partition if it sees it's Core Storage.

Time Machine backups

As a follow-up, here's one approach to using ZFS for your Time Machine Backups:

While it has been discussed in heated arguments, e.g. https://github.com/openzfsonosx/zfs/issues/66, I still believe there's at least one ZFS feature I'd like to test with Time Machine: compression.

The hypothesis: an HFS+ sparse bundle stored on a compressed (gzip, lz4), deduped dataset should yield a compression ratio > 1.0 (1.4 was previously observed with compression=on, dedup=off, on FreeBSD network Time Machine drives).

To work around Time Machine's restrictions on compatible disks, we create an HFS+ sparse bundle, store it on ZFS and set the mounted image as the backup destination; no "TMShowUnsupportedNetworkVolumes" setting is needed.

1. Create, and mount, a sparse bundle from your zfs filesystem, e.g. with makeImage.sh

2. Set your sparse bundle as the (active) backup destination:

# tmutil setdestination -a /Volumes/Time\ Machine\ Backups