My biggest beef with FreeNAS 8 is the lack of encryption support. Essentially, there are no more open source NAS offerings that offer encryption. FreeNAS 7 had it, but FreeNAS 8 dropped it (because they became ZFS centric where .72 was UFS or ZFS).
I would need to run regular Ubuntu or another distro or FreeBSD, and lose all the great tools FreeNAS had in order to pull off encryption.
OpenFiler doesn't do encryption. I tried to add Truecrypt, but there were tons of dependency problems with even getting a compiler installed.
ZFS supports encryption, but not in the version that's integrated with FreeNAS.
Hmm - I am using UFS on FreeNAS 8 still... but yeah, I don't remember seeing any encryption settings.
Besides the lack of a torrent client now (which apparently they will add as a plugin soon), my other major annoyance with FreeNAS 8 is that it cannot be installed to the same disk that you use for storage any longer. That was a feature I liked about FreeNAS 0.7. With FreeNAS 8 I have to use a USB stick to boot it, and it's noticeably slower to start up. There are other advantages to using the USB stick, however, so I'm not too upset about it.
I hope that FreeNAS 8 has lots of potential once the new "plugin" features start getting used.
I thought the encryption code was already out, but what do I know, not as much as him apparently.
ZFS encryption is a relatively new feature even on Solaris (in fact I wasn't even aware Oracle had released that version's source already).
FreeBSD's current ZFS version (v15?) doesn't even support raidz3 and deduping, which was released quite some time back, so it certainly wouldn't be recent enough to support encryption.
Well, yes and no - FreeBSD-CURRENT (which will eventually be released as the 9.x branch) has had v28 since January. The stable branches (7.x and 8.x) are still on v15, though.
I have no idea when they'll import v30, but I expect it'll happen eventually. Alternatively, it's possible to combine ZFS with e.g. GELI to get an encrypted FreeBSD system today - so if they have enough man-hours, they can add that to FreeNAS instead of waiting.
Well, yes and no - FreeBSD-CURRENT (which will eventually be released as the 9.x branch) has had v28 since January. The stable branches (7.x and 8.x) are still on v15, though.
Well yes, but you'd be insane to run FreeBSD-CURRENT on a production storage array anyway, so your point is moot.
I didn't know about GELI. Thank you.
Not quite - it shows that it's already in there and just waiting for 9 to mature enough for a release. As of right now, it's quite stable - there are people using it in not-entirely-critical production, including me. (I've got a ZFS mirror with dedup and compression on a lab fileserver. It's just for working copies, but I honestly trust it more than how we store the reference copies.)
I think someone needs to make a "nice FreeBSD features you might not know about"-list.
(I'd throw in HAST as well - I don't use it, but I'd like to.)
Edited 2011-06-09 15:06 UTC
Not quite - it shows that it's already in there and just waiting for 9 to mature enough for a release.
We already know that's the case though. The opening poster (who I was originally replying to) even stated this and it was also mentioned in the article.
The point was it's not in the STABLE branch now.
As of right now, it's quite stable - there are people using it in not-entirely-critical production, including me. (I've got a ZFS mirror with dedup and compression on a lab fileserver. It's just for working copies, but I honestly trust it more than how we store the reference copies.)
That's reassuring to hear.
I was adamant I wouldn't bother upgrading my FreeBSD NAS (Not FreeNAS - it's something I built myself) OS as it's running smoothly and - aside from the ZFS array - all the other server services are running in VMs (which are kept up to date) hosted on the NAS.
However I might dd a backup image and attempt the upgrade after hearing of your success.
Mh, I was just reacting to "currently, FreeBSD doesn't even have ..." - more of a sub-ideal formulation than a completely wrong statement, anyway.
And yeh, it was really quite un-dramatic. I already had CURRENT on it, and all it took was building+installing world+kernel, and a zpool upgrade.
What's definitely left is setting up NFSv4 and using the AD server for authentication ... but that'll have to wait for a chunk of spare time. At current estimates, that'll be in 2015.
Encrypted volumes protect your data if someone gets physical access to your hardware so I understand why someone would want this on laptops and home computers and things that could be stolen.
What is the benefit of encryption on production NAS systems? Would it just slow things down?
What is the benefit of encryption on production NAS systems? Would it just slow things down?
Peace of mind if you get burgled or (if you've got something to hide) raided by the police.
It's a lot easier to decommission an HD if it's encrypted - you just remove the encryption key, and the data is effectively "scrambled".
A good example is a failed HD - depending on how the disk fails, you may not be able to erase it with zeros, but someone with the proper facilities can still recover the data off it.
If the HD is in an external enclosure (like an external eSATA or USB device), having someone walk off with it is always a possibility as well.
Erasing a disk is time consuming - so being able to simply destroy the encryption key is awfully convenient in many situations (as mentioned in the situation of a police raid - one could just yank the bootable USB key from a FreeNAS box and destroy it rendering the HD contents useless).
Edit: per your performance question, I suspect the network latency/bandwidth is a larger impact when using a NAS. With read/write caching (including read-ahead) and enough RAM, you shouldn't notice much performance impact on block-level encryption. A fast CPU should already do the trick.
Edited 2011-06-09 18:55 UTC
What is the benefit of encryption on production NAS systems? Would it just slow things down?
There is some performance penalty for encryption, unless you have an Intel CPU that has AES-NI. Most of the laptops have it now, and a good number of the desktop CPUs have it. It seems to remove most of the performance penalty for encryption.
If you run Truecrypt and have an AES-NI processor (only Intel has them right now) then you can also make use of the acceleration.
In all honesty, if you want to make use of ZFS then you're looking at a minimum spec of x86_64 CPU + 2GB RAM.
If low powered is essential, then you really need to be looking at something like Debian running on ARM.
Edited 2011-06-09 11:56 UTC




