
zfs-crypto's Introduction

Welcome to the unofficial zfs-crypto branch.

To make it clear, this branch has nothing to do with Sun, Oracle, ZFSOnLinux, OpenSolaris, IllumOS, OpenIndiana, SmartOS, FreeBSD etc.

If you run a legacy pool version=30, this branch will let you import and upgrade your pool to the standard pool version=5000, and it will set feature@encryption for any filesystem using encryption.

It is intended to aid those who used zfs-crypto with pool version=30 during the short window that it was available, before the feature@ pool version became standard, or who are importing pools from Solaris.

There are new files,

zcrypt.c zcrypt.h zio_crypt.c zio_crypt.h dsl_crypto.c dsl_crypto.h libzfs_crypto.c zcrypt_common.c

which are kept "as is" as much as possible, including (possibly irrelevant) headers.

The crypto/api/ header files are from OpenSolaris.

The crypto/api implementation is brand new, and supports "bare minimum" features as needed by ZFS only.

Current support is in BETA.

Importing a Solaris pool can be done using:

Solaris: zpool create -o version=30 -O version=5 thepool $devices...
Solaris: zfs create -o encryption=aes-256-ccm thepool/secure
Linux: zpool import -N thepool
Linux: zpool upgrade thepool
Linux: zfs mount thepool/secure

  • MACs are in use, but compute_mac() is empty, not called?

  • All "// FIXME" should be inspected. In particular, known areas which differ are PROP_ALIAS, PROP_INHERIT, crypto vs userquota.

  • Removed KEY method pkcs11.

Example 1: Ask for password.

# zfs create -o encryption=aes-256-gcm mypool/BOOM
  Enter passphrase for 'mypool/BOOM':
  Enter again:
  kernel: [11266.250594] spl-crypto: Cipher test 'CKM_AES_CCM' -> 'sun-ccm(aes)' successful.
# zfs list
  NAME          USED  AVAIL  REFER  MOUNTPOINT
  mypool        142K   984M    31K  /mypool
  mypool/BOOM    31K   984M    31K  /mypool/BOOM

# zpool get all mypool

mypool  feature@async_destroy  enabled                local
mypool  feature@encryption     active                 local

Example 2: Using a raw key file

# dd if=/dev/urandom bs=32 count=1 > /out.key
1+0 records in
1+0 records out
32 bytes (32 B) copied, 4.6033e-05 s, 695 kB/s
# zfs create -o encryption=aes-256-gcm -o keysource=raw,file://`pwd`/out.key mypool/BOOM
# zfs get mountpoint,checksum,compression,copies,dedup,encryption,keysource,keystatus mypool/BOOM
NAME         PROPERTY     VALUE                SOURCE
mypool/BOOM  mountpoint   /mypool/BOOM         default
mypool/BOOM  checksum     sha256-mac           local
mypool/BOOM  compression  off                  default
mypool/BOOM  copies       1                    default
mypool/BOOM  dedup        off                  default
mypool/BOOM  encryption   aes-256-gcm          local
mypool/BOOM  keysource    raw,file:///out.key  local
mypool/BOOM  keystatus    available            -

Example 3: Using a hex key file

# dd if=/dev/urandom bs=32 count=1 | od -A n -v -t x1 | tr -d ' \n' > /out.key
1+0 records in
1+0 records out
32 bytes (32 B) copied, 1.2811e-05 s, 2.5 MB/s
# zfs create -o encryption=aes-256-gcm -o keysource=hex,file:///out.key mypool/BOOM
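Examples 2 and 3 write the key with a plain shell redirect, so the file gets whatever mode the current umask allows. The following added example (not part of the zfs-crypto tree) wraps the same dd/od/tr commands so the key file is created mode 0600 and then checked before it is handed to keysource. The function names are hypothetical, and it assumes the key must be exactly BITS/8 bytes for raw and BITS/4 hex digits with no trailing newline for hex, as in the two examples above.

```shell
#!/bin/sh
# Added example (not from the zfs-crypto tree): create and check key files
# for keysource=raw,file://... and keysource=hex,file://...
# Assumption: key length must match the cipher: BITS/8 bytes (raw)
# or BITS/4 hex digits without a trailing newline (hex).

# check_key_file FORMAT BITS PATH -> 0 if the file is usable, 1 otherwise
check_key_file() {
    ck_fmt=$1; ck_bits=$2; ck_path=$3
    [ -f "$ck_path" ] || { echo "missing key file: $ck_path" >&2; return 1; }

    # Characters 5-10 of the ls mode string are the group and other bits.
    ck_perm=$(ls -ld -- "$ck_path" | cut -c5-10)
    if [ "$ck_perm" != "------" ]; then
        echo "key file is accessible to group/other: $ck_path" >&2
        return 1
    fi

    ck_size=$(wc -c < "$ck_path" | tr -d ' ')
    case $ck_fmt in
        raw) ck_want=$((ck_bits / 8)) ;;
        hex) ck_want=$((ck_bits / 4))
             # Any byte that is not a hex digit makes the file invalid.
             if LC_ALL=C grep -q '[^0-9a-fA-F]' "$ck_path"; then
                 echo "non-hex characters in $ck_path" >&2
                 return 1
             fi ;;
        *)   echo "unknown key format: $ck_fmt" >&2; return 1 ;;
    esac
    if [ "$ck_size" -ne "$ck_want" ]; then
        echo "key is $ck_size bytes, expected $ck_want: $ck_path" >&2
        return 1
    fi
    return 0
}

# make_key_file FORMAT BITS PATH   (FORMAT: raw|hex, BITS: 128|192|256)
make_key_file() {
    kf_fmt=$1; kf_bits=$2; kf_path=$3
    case $kf_bits in
        128|192|256) ;;
        *) echo "unsupported key size: $kf_bits" >&2; return 2 ;;
    esac
    case $kf_fmt in
        raw|hex) ;;
        *) echo "unknown key format: $kf_fmt" >&2; return 2 ;;
    esac
    kf_bytes=$((kf_bits / 8))

    # Remove any old file first: umask only applies when the file is created.
    rm -f -- "$kf_path"
    (
        umask 077
        if [ "$kf_fmt" = raw ]; then
            dd if=/dev/urandom bs="$kf_bytes" count=1 2>/dev/null > "$kf_path"
        else
            dd if=/dev/urandom bs="$kf_bytes" count=1 2>/dev/null |
                od -A n -v -t x1 | tr -d ' \n' > "$kf_path"
        fi
    ) || return 1

    check_key_file "$kf_fmt" "$kf_bits" "$kf_path"
}
```

For example, `make_key_file raw 256 /out.key` replaces the dd line of Example 2, and `check_key_file hex 256 /out.key` can be run against an existing file before `zfs create`.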

====================================================================== striped, unencrypted

$ tiotest -t8 -f 200 -d /striped_zpool/
Tiotest results for 8 concurrent io threads:
,----------------------------------------------------------------------.
| Item                  | Time     | Rate         | Usr CPU  | Sys CPU |
+-----------------------+----------+--------------+----------+---------+
| Write        1600 MBs |    3.2 s | 502.596 MB/s |  37.4 %  | 1290.1 % |
| Random Write   31 MBs |    0.3 s | 120.682 MB/s |   0.0 %  | 903.7 % |
| Read         1600 MBs |    0.3 s | 4682.758 MB/s | 222.4 %  | 5104.2 % |
| Random Read    31 MBs |    0.0 s | 4521.777 MB/s |   0.0 %  | 5787.9 % |
`----------------------------------------------------------------------'
Tiotest latency results:
,-------------------------------------------------------------------------.
| Item         | Average latency | Maximum latency | % >2 sec | % >10 sec |
+--------------+-----------------+-----------------+----------+-----------+
| Write        |        0.015 ms |        8.793 ms |  0.00000 |   0.00000 |
| Random Write |        0.026 ms |        7.953 ms |  0.00000 |   0.00000 |
| Read         |        0.006 ms |        9.339 ms |  0.00000 |   0.00000 |
| Random Read  |        0.007 ms |        0.030 ms |  0.00000 |   0.00000 |
|--------------+-----------------+-----------------+----------+-----------|
| Total        |        0.011 ms |        9.339 ms |  0.00000 |   0.00000 |
`--------------+-----------------+-----------------+----------+-----------'

====================================================================== zfs-crypt aes-256-ccm

$ tiotest -t8 -f 200 -d /striped_zpool/fs/
Tiotest results for 8 concurrent io threads:
,----------------------------------------------------------------------.
| Item                  | Time     | Rate         | Usr CPU  | Sys CPU |
+-----------------------+----------+--------------+----------+---------+
| Write        1600 MBs |    7.4 s | 216.343 MB/s |   5.4 %  | 742.1 % |
| Random Write   31 MBs |    0.2 s | 180.906 MB/s |  92.6 %  | 775.7 % |
| Read         1600 MBs |    0.3 s | 5341.238 MB/s |  73.4 %  | 6276.0 % |
| Random Read    31 MBs |    0.0 s | 4783.407 MB/s | 4898.2 %  | 1224.6 % |
`----------------------------------------------------------------------'
Tiotest latency results:
,-------------------------------------------------------------------------.
| Item         | Average latency | Maximum latency | % >2 sec | % >10 sec |
+--------------+-----------------+-----------------+----------+-----------+
| Write        |        0.026 ms |      835.720 ms |  0.00000 |   0.00000 |
| Random Write |        0.021 ms |        0.087 ms |  0.00000 |   0.00000 |
| Read         |        0.006 ms |        0.245 ms |  0.00000 |   0.00000 |
| Random Read  |        0.006 ms |        0.025 ms |  0.00000 |   0.00000 |
|--------------+-----------------+-----------------+----------+-----------|
| Total        |        0.016 ms |      835.720 ms |  0.00000 |   0.00000 |
`--------------+-----------------+-----------------+----------+-----------'

====================================================================== LUKS volumes with plain ZFS

dmcrypt/luks cipher/keysize: aes-xts-plain64, 512

tiotest -t 8 -f 200 -d /striped_crypt/
Tiotest results for 8 concurrent io threads:
,----------------------------------------------------------------------.
| Item                  | Time     | Rate         | Usr CPU  | Sys CPU |
+-----------------------+----------+--------------+----------+---------+
| Write        1600 MBs |    3.4 s | 477.243 MB/s |  11.9 %  | 1169.2 % |
| Random Write   31 MBs |    0.5 s |  68.848 MB/s |  52.9 %  | 332.7 % |
| Read         1600 MBs |    0.3 s | 4999.844 MB/s | 318.7 %  | 5899.8 % |
| Random Read    31 MBs |    0.0 s | 4510.030 MB/s | 5051.2 %  | 1154.6 % |
`----------------------------------------------------------------------'
Tiotest latency results:
,-------------------------------------------------------------------------.
| Item         | Average latency | Maximum latency | % >2 sec | % >10 sec |
+--------------+-----------------+-----------------+----------+-----------+
| Write        |        0.031 ms |       69.994 ms |  0.00000 |   0.00000 |
| Random Write |        0.066 ms |       35.496 ms |  0.00000 |   0.00000 |
| Read         |        0.006 ms |       15.828 ms |  0.00000 |   0.00000 |
| Random Read  |        0.007 ms |        0.030 ms |  0.00000 |   0.00000 |
|--------------+-----------------+-----------------+----------+-----------|
| Total        |        0.019 ms |       69.994 ms |  0.00000 |   0.00000 |
`--------------+-----------------+-----------------+----------+-----------'

dmcrypt/luks cipher/keysize: aes-cbc-essiv:sha256, 256

tiotest -t 8 -f 200 -d /striped_crypt/
Tiotest results for 8 concurrent io threads:
,----------------------------------------------------------------------.
| Item                  | Time     | Rate         | Usr CPU  | Sys CPU |
+-----------------------+----------+--------------+----------+---------+
| Write        1600 MBs |    3.4 s | 467.855 MB/s |  37.4 %  | 1121.4 % |
| Random Write   31 MBs |    0.3 s | 105.175 MB/s |  80.8 %  | 518.3 % |
| Read         1600 MBs |    0.3 s | 5061.753 MB/s | 126.5 %  | 6150.0 % |
| Random Read    31 MBs |    0.0 s | 4566.711 MB/s |   0.0 %  | 5845.4 % |
`----------------------------------------------------------------------'
Tiotest latency results:
,-------------------------------------------------------------------------.
| Item         | Average latency | Maximum latency | % >2 sec | % >10 sec |
+--------------+-----------------+-----------------+----------+-----------+
| Write        |        0.028 ms |       59.958 ms |  0.00000 |   0.00000 |
| Random Write |        0.070 ms |       27.873 ms |  0.00000 |   0.00000 |
| Read         |        0.006 ms |        0.168 ms |  0.00000 |   0.00000 |
| Random Read  |        0.007 ms |        0.030 ms |  0.00000 |   0.00000 |
|--------------+-----------------+-----------------+----------+-----------|
| Total        |        0.017 ms |       59.958 ms |  0.00000 |   0.00000 |
`--------------+-----------------+-----------------+----------+-----------'

zfs/rogue

zfs-crypto's People

Contributors

ahrens, behlendorf, casualfish, chrisrd, dajhorn, dechamps, dun, dweeezil, fajarnugraha, fransurbo, grwilson, gunnarbeutner, huangheintel, imp, jengelh, kylef, lalufu, lundman, maxximino, mmatuska, nedbass, pendor, prometheanfire, rlaager, rudd-o, ryao, tuxoko, wca, yshui, zfsrogue

zfs-crypto's Issues

zfs-crypto is far behind ZoL

I wanted to try the new libzfs_core code, but it breaks zfs-crypto. Tried to merge it myself, but it's a very, very big change and I'm unsure how to do it in some files.

openzfs/zfs#1496

Sooner or later (hopefully sooner :), someone with knowledge of the crypto stuff needs to take care of this, so I'm putting this issue as a 'heads up'.

UPDATE: This pull has now (September 4, 2013) been accepted into ZoL HEAD. But there have been huge amounts of work merging illumos fixes into ZoL (and more is in the pipeline). zfs-crypto is currently way behind in commits. Even the 0.6.3 branch which is the work branch for this.

keysource=passphrase,http://host/zfs.pass -> invalid keysource

I know this is currently disabled (I'm trying to fix this locally), but I just thought I'd enter a bug about it anyway.

debianzfs-scst:~# zfs create -o encryption=aes-256-gcm -o keysource=passphrase,http://host/zfs.pass share/tests/crypto5
cannot create 'share/tests/crypto5': invalid keysource.

zfs key -c fails

I'm trying to move the encryption key for my new ZFS root dataset, but zfs hangs

celia(ZFSRoot):~# zfs get keysource share/celia.new
NAME             PROPERTY   VALUE                        SOURCE
share/celia.new  keysource  raw,file:///boot/.celia.key  local
celia(ZFSRoot):~# cp /boot/.celia.key /boot/zfs/.celia.key
celia(ZFSRoot):~# zfs key -c -o keysource="raw,file:///boot/zfs/.celia.key" share/celia.new
[hangs]

Gives:

[ 7212.393132] INFO: task txg_sync:1880 blocked for more than 120 seconds.
[ 7212.460308]       Tainted: P           O 3.12.0+scst+tf.1 #6
[ 7212.527402] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[ 7212.594371] txg_sync        D ffff8803f659c3c8     0  1880      2 0x00000000
[ 7212.594374]  ffff8803f659c000 0000000000000046 ffff8803f659c000 ffff88041d8c6000
[ 7212.594377]  0000000000014b00 ffff8803f65a3fd8 ffff8803f65a3fd8 ffff8803f659c000
[ 7212.594379]  ffff8800dc8e3bb8 0000000000cc72fd ffff8803ff6e7060 ffffffffa02c6374
[ 7212.594382] Call Trace:
[ 7212.594418]  [<ffffffffa02c6374>] ? dnode_setdirty+0x3f/0x140 [zfs]
[ 7212.594426]  [<ffffffffa01fdd42>] ? kmem_free_debug+0xc5/0x10d [spl]
[ 7212.594431]  [<ffffffffa02076cc>] ? cv_wait_common+0xcd/0x15c [spl]
[ 7212.594436]  [<ffffffff810658a1>] ? __init_waitqueue_head+0x25/0x25
[ 7212.594449]  [<ffffffffa02e0fcd>] ? rrw_enter_write+0x26/0x69 [zfs]
[ 7212.594464]  [<ffffffffa02e87bc>] ? spa_sync+0x5ea/0x930 [zfs]
[ 7212.594513]  [<ffffffffa02f5454>] ? txg_sync_thread+0x2ae/0x4d5 [zfs]
[ 7212.594527]  [<ffffffffa02f51a6>] ? txg_init+0x1b2/0x1b2 [zfs]
[ 7212.594533]  [<ffffffffa02011b0>] ? thread_generic_wrapper+0x6a/0x75 [spl]
[ 7212.594537]  [<ffffffffa0201146>] ? __thread_create+0x2d2/0x2d2 [spl]
[ 7212.594540]  [<ffffffff81064f4c>] ? kthread+0xad/0xb5
[ 7212.594542]  [<ffffffff81064e9f>] ? __init_kthread_worker+0x2d/0x2d
[ 7212.594544]  [<ffffffff813a294c>] ? ret_from_fork+0x7c/0xb0
[ 7212.594546]  [<ffffffff81064e9f>] ? __init_kthread_worker+0x2d/0x2d
[ 7212.594683] INFO: task zfs:25310 blocked for more than 120 seconds.
[ 7212.659975]       Tainted: P           O 3.12.0+scst+tf.1 #6
[ 7212.724271] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[ 7212.789206] zfs             D ffff8802db66c3c8     0 25310  31674 0x00000000
[ 7212.789209]  ffff8802db66c000 0000000000000086 ffff8803b77e07ce ffff88041d8c5000
[ 7212.789211]  0000000000014b00 ffff880279a7ffd8 ffff880279a7ffd8 ffff8802db66c000
[ 7212.789213]  ffff8803f776ffff ffffffffa02affff ffffffff8101819b ffffffffa0357b7c
[ 7212.789216] Call Trace:
[ 7212.789243]  [<ffffffffa02affff>] ? bpobj_enqueue+0x102/0x1ce [zfs]
[ 7212.789246]  [<ffffffff8101819b>] ? read_tsc+0x11/0x22
[ 7212.789254]  [<ffffffffa01fad9c>] ? spl_debug_msg+0x4c8/0x6a4 [spl]
[ 7212.789267]  [<ffffffffa02c933c>] ? dsl_crypto_key_change_find+0x262/0x262 [zfs]
[ 7212.789273]  [<ffffffffa02076cc>] ? cv_wait_common+0xcd/0x15c [spl]
[ 7212.789275]  [<ffffffff810658a1>] ? __init_waitqueue_head+0x25/0x25
[ 7212.789289]  [<ffffffffa02f4ad3>] ? txg_wait_synced+0x12f/0x15a [zfs]
[ 7212.789302]  [<ffffffffa02c90d7>] ? dsl_crypto_key_new_check+0x3/0x3 [zfs]
[ 7212.789315]  [<ffffffffa02db74c>] ? dsl_sync_task+0x1a1/0x1e5 [zfs]
[ 7212.789327]  [<ffffffffa02c90d7>] ? dsl_crypto_key_new_check+0x3/0x3 [zfs]
[ 7212.789390]  [<ffffffffa02c933c>] ? dsl_crypto_key_change_find+0x262/0x262 [zfs]
[ 7212.789402]  [<ffffffffa02c92e7>] ? dsl_crypto_key_change_find+0x20d/0x262 [zfs]
[ 7212.789414]  [<ffffffffa02c630f>] ? dnode_rele+0x37/0x5d [zfs]
[ 7212.789425]  [<ffffffffa02b8035>] ? dmu_buf_hold+0x140/0x1b9 [zfs]
[ 7212.789437]  [<ffffffffa02c90da>] ? dsl_crypto_key_change_check+0x3/0x3 [zfs]
[ 7212.789450]  [<ffffffffa0304a3b>] ? zap_lockdir+0x41a/0x6a2 [zfs]
[ 7212.789455]  [<ffffffff813a1d02>] ? _raw_spin_unlock+0x6/0x8
[ 7212.789460]  [<ffffffffa0208460>] ? tsd_hash_search+0xa3/0x15b [spl]
[ 7212.789471]  [<ffffffffa02c90da>] ? dsl_crypto_key_change_check+0x3/0x3 [zfs]
[ 7212.789484]  [<ffffffffa02c90da>] ? dsl_crypto_key_change_check+0x3/0x3 [zfs]
[ 7212.789520]  [<ffffffffa01fdd42>] ? kmem_free_debug+0xc5/0x10d [spl]
[ 7212.789532]  [<ffffffffa02c90da>] ? dsl_crypto_key_change_check+0x3/0x3 [zfs]
[ 7212.789544]  [<ffffffffa02c90da>] ? dsl_crypto_key_change_check+0x3/0x3 [zfs]
[ 7212.789556]  [<ffffffffa02c90da>] ? dsl_crypto_key_change_check+0x3/0x3 [zfs]
[ 7212.789567]  [<ffffffffa02bb33d>] ? dmu_objset_find_impl+0x2cc/0x2e2 [zfs]
[ 7212.789579]  [<ffffffffa02c90da>] ? dsl_crypto_key_change_check+0x3/0x3 [zfs]
[ 7212.789590]  [<ffffffffa02bb395>] ? dmu_objset_find+0x42/0x64 [zfs]
[ 7212.789602]  [<ffffffffa02c9ea1>] ? dsl_crypto_key_change+0x170/0x25d [zfs]
[ 7212.789616]  [<ffffffffa03151bf>] ? zfs_ioc_crypto_key_change+0x1b5/0x1df [zfs]
[ 7212.789629]  [<ffffffffa0317291>] ? zfsdev_ioctl+0x366/0x40f [zfs]
[ 7212.789641]  [<ffffffff8112724e>] ? vfs_ioctl+0x1e/0x31
[ 7212.789643]  [<ffffffff81127a31>] ? do_vfs_ioctl+0x3ba/0x3fc
[ 7212.789685]  [<ffffffff8111a3cc>] ? get_max_files+0x8/0x8
[ 7212.789686]  [<ffffffff8111a5c0>] ? __fput+0x1ca/0x1ec
[ 7212.789689]  [<ffffffff81130b18>] ? mntput_no_expire+0x17/0x12b
[ 7212.789695]  [<ffffffff81127ac1>] ? SyS_ioctl+0x4e/0x7d
[ 7212.789697]  [<ffffffff813a29f9>] ? system_call_fastpath+0x16/0x1b

Can't build packages

A normal make works just fine, but make deb fails (!!).

[....]
make[5]: Entering directory `/tmp/zfs-build-root-BOBAUazK/BUILD/zfs-0.6.3_linuxtracepoints_crypt/cmd/zed'
  CC     zed.o
  CC     zed_conf.o
  CC     zed_event.o
  CC     zed_exec.o
  CC     zed_file.o
  CC     zed_log.o
  CC     zed_strings.o
  CCLD   zed
../../lib/libzfs/.libs/libzfs.so: undefined reference to `pkcs11_read_data'
../../lib/libzfs/.libs/libzfs.so: undefined reference to `crypto_pass2key'
../../lib/libzfs/.libs/libzfs.so: undefined reference to `zio_crypt_table'
collect2: error: ld returned 1 exit status
[....]

Changing the place of libzfs.la and libspl.la fixes the first two failures:

diff --git a/cmd/zed/Makefile.am b/cmd/zed/Makefile.am
index f1404de..0857de9 100644
--- a/cmd/zed/Makefile.am
+++ b/cmd/zed/Makefile.am
@@ -25,8 +25,8 @@ zed_SOURCES = \
 zed_LDADD = \
        $(top_builddir)/lib/libavl/libavl.la \
        $(top_builddir)/lib/libnvpair/libnvpair.la \
-       $(top_builddir)/lib/libspl/libspl.la \
-       $(top_builddir)/lib/libzfs/libzfs.la
+       $(top_builddir)/lib/libzfs/libzfs.la \
+       $(top_builddir)/lib/libspl/libspl.la

 zedconfdir = $(sysconfdir)/zfs/zed.d
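
Review bot: Swapping libspl.la and libzfs.la in zed_LDADD only changes the link order for zed, and per the report it resolves `pkcs11_read_data` and `crypto_pass2key` but leaves `zio_crypt_table` undefined, so this hunk on its own does not make the package build pass. The undefined references are reported against libzfs.so itself, so consider having libzfs declare the libraries it depends on in its own Makefile.am instead of relying on the LDADD order of each program that links it. If the reorder stays, add a comment above zed_LDADD saying that libzfs.la must come before libspl.la, so the order is not reverted later.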

But I don't know how to fix the third. zio_crypt_table is defined in module/zcommon/zcrypt_common.c, but we can't link that into libzfs.a!

PS. I'm using spl/master and zfs/upstream-20140607.

Keysource file does not work - key can not be of zero size

debianzfs:/ZFS/debs# ll /root/.crypted
-r-------- 1 root root 31 2013-04-17 12:33 /root/.crypted
debianzfs:/ZFS/debs# cat /root/.crypted
1cv2ju9NTpWFeUUi1N12GDNuRJH41q
debianzfs:/ZFS/debs# zfs create -o encryption=aes-256-ccm -o keysource=passphrase,file:///root/.crypted share/tests/crypt2
cannot create 'share/tests/crypt2': key can not be of zero size
debianzfs:/ZFS/debs# zfs create -o encryption=on -o keysource=passphrase,file:///root/.crypted share/tests/crypt2
cannot create 'share/tests/crypt2': key can not be of zero size

zfs send/receive fails - cannot receive new filesystem stream: pool must be upgraded to receive this stream

SPL/ZFS v0.6.1+iscsi, latest git pull of zfs-crypto.
Kernel v3.9.0-rc6

The iSCSI part has been tested separately and there send/receive works...

After upgrading a non-crypto created pool to latest with '{zpool,zfs} upgrade -a' and then trying to do a send from one pool to another, I get:

celia:~# zfs send share/VirtualMachines/Test1@20130421_0035 | zfs receive temp/Test1
cannot receive new filesystem stream: pool must be upgraded to receive this stream.

celia:~# zpool upgrade -a
This system supports ZFS pool feature flags.
All pools are already formatted using feature flags.
Every feature flags pool already has all supported features enabled.

celia:~# zfs upgrade -a
0 filesystems upgraded
556 filesystems already at this version

celia:~# zfs get all share/VirtualMachines/Test1
NAME                         PROPERTY              VALUE                  SOURCE
share/VirtualMachines/Test1  type                  volume                 -
share/VirtualMachines/Test1  creation              Sat Apr 20 22:56 2013  -
share/VirtualMachines/Test1  used                  17.7M                  -
share/VirtualMachines/Test1  available             2.94G                  -
share/VirtualMachines/Test1  referenced            17.7M                  -
share/VirtualMachines/Test1  compressratio         3.15x                  -
share/VirtualMachines/Test1  reservation           none                   default
share/VirtualMachines/Test1  volsize               15G                    local
share/VirtualMachines/Test1  volblocksize          4K                     -
share/VirtualMachines/Test1  checksum              on                     default
share/VirtualMachines/Test1  compression           on                     inherited from share/VirtualMachines
share/VirtualMachines/Test1  readonly              off                    default
share/VirtualMachines/Test1  copies                1                      default
share/VirtualMachines/Test1  refreservation        none                   default
share/VirtualMachines/Test1  primarycache          all                    default
share/VirtualMachines/Test1  secondarycache        all                    default
share/VirtualMachines/Test1  usedbysnapshots       0                      -
share/VirtualMachines/Test1  usedbydataset         17.7M                  -
share/VirtualMachines/Test1  usedbychildren        0                      -
share/VirtualMachines/Test1  usedbyrefreservation  0                      -
share/VirtualMachines/Test1  logbias               latency                default
share/VirtualMachines/Test1  dedup                 off                    default
share/VirtualMachines/Test1  mlslabel              none                   default
share/VirtualMachines/Test1  sync                  standard               default
share/VirtualMachines/Test1  encryption            off                    -
share/VirtualMachines/Test1  keysource             none                   default
share/VirtualMachines/Test1  keystatus             none                   -
share/VirtualMachines/Test1  rekeydate             -                      default
share/VirtualMachines/Test1  refcompressratio      3.15x                  -
share/VirtualMachines/Test1  written               0                      -
share/VirtualMachines/Test1  snapdev               hidden                 default
share/VirtualMachines/Test1  shareiscsi            off                    default

celia:~# zpool get all
NAME   PROPERTY               VALUE                  SOURCE
share  size                   20.3T                  -
share  capacity               97%                    -
share  altroot                -                      default
share  health                 ONLINE                 -
share  guid                   1764121063061799396    default
share  version                -                      default
share  bootfs                 -                      default
share  delegation             on                     default
share  autoreplace            off                    default
share  cachefile              -                      default
share  failmode               wait                   default
share  listsnapshots          off                    default
share  autoexpand             on                     local
share  dedupditto             0                      default
share  dedupratio             1.08x                  -
share  free                   505G                   -
share  allocated              19.8T                  -
share  readonly               off                    -
share  ashift                 12                     local
share  comment                -                      default
share  expandsize             16.0E                  -
share  freeing                0                      default
share  feature@async_destroy  enabled                local
share  feature@encryption     active                 local
share  feature@empty_bpobj    active                 local
share  feature@lz4_compress   active                 local
temp   size                   2.72T                  -
temp   capacity               0%                     -
temp   altroot                -                      default
temp   health                 ONLINE                 -
temp   guid                   17760845281157627585   default
temp   version                -                      default
temp   bootfs                 -                      default
temp   delegation             on                     default
temp   autoreplace            off                    default
temp   cachefile              -                      default
temp   failmode               wait                   default
temp   listsnapshots          off                    default
temp   autoexpand             on                     local
temp   dedupditto             0                      default
temp   dedupratio             1.00x                  -
temp   free                   2.72T                  -
temp   allocated              532K                   -
temp   readonly               off                    -
temp   ashift                 12                     local
temp   comment                -                      default
temp   expandsize             0                      -
temp   freeing                0                      default
temp   feature@async_destroy  enabled                local
temp   feature@encryption     enabled                local
temp   feature@empty_bpobj    enabled                local
temp   feature@lz4_compress   enabled                local

celia:~# zfs list temp 
NAME   USED  AVAIL  REFER  MOUNTPOINT
temp   532K  2.68T   136K  none

Crypto is not used (at the moment) on any of the pools, volumes or filesystems.

ZFS-Crypto is behind ZoL

Sorry for adding another one of these - just a heads up. The commit was done just a few minutes ago, but I'm having a problem with my pool/volumes/something and I'm pulling a couple times a day hoping something will fix it...

It's another Illumos commit - 'Illumos #4045 write throttle & i/o scheduler performance work' (openzfs/zfs@e8b96c6).

I'm trying to merge it myself, but there's so many things I don't understand about the inner workings of ZFS...

ZVOL inheritance does not work.

Reported by user Hadron;

ZVOL created as "tank/ZVOL" works as expected. However, when created as "tank/CRYPT/ZVOL" it fails.

It appears that the key should be inherited from tank/CRYPT, and ZFS thinks that it has, but in reality it is progressing without a key.

# zfs create -o encryption=on tank/CRYPT
Enter passphrase for 'mypool':
# zfs create -o encryption=on -V 500M tank/CRYPT/ZVOL
#

Note it did not ask for a key at this point, nor can you load a key as it is "already available".

Crypto support to OS X

I apologise for hi-jacking the ZOL crypto with this issue. But I was hoping you could do the crypto magic that you did for FreeBSD and ZOL, to the new OSX tree as well.

It is still quite experimental, so there is no immediate rush, perhaps sometime in July or later. I can assist with the OS X API calls as before.

https://github.com/zfs-osx

SPLError: 11346:0:(zio.c:792:zio_write())

Can't say for certain if this is a ZoL issue or a ZFS-Crypto one (can't test without crypto since I have the encryption feature enabled on my pool).

Trying to create a filesystem with DEBUG enabled on both spl and zfs gives:

Message from syslogd@Celia at Dec  6 13:26:19 ...
 kernel:[  225.960618] SPLError: 11346:0:(zio.c:792:zio_write()) ASSERTION(zp->zp_checksum >= ZIO_CHECKSUM_OFF && zp->zp_checksum < ZIO_CHECKSUM_FUNCTIONS && zp->zp_compress >= ZIO_COMPRESS_OFF && zp->zp_compress < ZIO_COMPRESS_FUNCTIONS && DMU_OT_IS_VALID(zp->zp_type) && zp->zp_crypt >= ZIO_CRYPT_OFF && zp->zp_crypt < ZIO_CRYPT_FUNCTIONS && zp->zp_type < DMU_OT_NUMTYPES && zp->zp_level < 32 && zp->zp_copies > 0 && zp->zp_copies <= spa_max_replication(spa)) failed

Message from syslogd@Celia at Dec  6 13:26:19 ...
 kernel:[  225.960943] SPLError: 11346:0:(zio.c:792:zio_write()) SPL PANIC

Doing a git blame on zio.c gives:

b128c09f zfs/lib/libzpool/zio.c (Brian Behlendorf  2008-12-03 12:09:06 -0800  782)      ASSERT(zp->zp_checksum >= ZIO_CHECKSUM_OFF &&
b128c09f zfs/lib/libzpool/zio.c (Brian Behlendorf  2008-12-03 12:09:06 -0800  783)          zp->zp_checksum < ZIO_CHECKSUM_FUNCTIONS &&
b128c09f zfs/lib/libzpool/zio.c (Brian Behlendorf  2008-12-03 12:09:06 -0800  784)          zp->zp_compress >= ZIO_COMPRESS_OFF &&
b128c09f zfs/lib/libzpool/zio.c (Brian Behlendorf  2008-12-03 12:09:06 -0800  785)          zp->zp_compress < ZIO_COMPRESS_FUNCTIONS &&
b4192bb9 module/zfs/zio.c       (Brian Behlendorf  2012-12-13 15:24:15 -0800  786)          DMU_OT_IS_VALID(zp->zp_type) &&
c5731b91 module/zfs/zio.c       (ZFS Rogue         2012-11-06 12:01:00 +0000  787)            zp->zp_crypt >= ZIO_CRYPT_OFF &&
c5731b91 module/zfs/zio.c       (ZFS Rogue         2012-11-06 12:01:00 +0000  788)            zp->zp_crypt < ZIO_CRYPT_FUNCTIONS &&
b128c09f zfs/lib/libzpool/zio.c (Brian Behlendorf  2008-12-03 12:09:06 -0800  789)          zp->zp_type < DMU_OT_NUMTYPES &&
b128c09f zfs/lib/libzpool/zio.c (Brian Behlendorf  2008-12-03 12:09:06 -0800  790)          zp->zp_level < 32 &&
428870ff module/zfs/zio.c       (Brian Behlendorf  2010-05-28 13:45:14 -0700  791)          zp->zp_copies > 0 &&
03c6040b module/zfs/zio.c       (George Wilson     2013-05-10 12:47:54 -0700  792)          zp->zp_copies <= spa_max_replication(spa));

Commits b128c09, b4192bb, 428870f are all ancient (Dec 3 2008, Dec 13 2012 and May 28 2010 respectively), 03c6040 is quite new (May 10 2013) and then there's the zfs-crypto one...

After the SPLError, zfs hangs. Creating a filesystem without DEBUG enabled works (or did work a few days ago when I was running without it - have cherry-picked some commits since).

root ZFS on pool can not be encrypted

Not entirely sure why you would want to, but it is worth noting that it fails with:

# zpool create -f mypool -O encryption=on ~/src/pool-image.bin

Note it fails to ask for a key here, and pool is both available and unavailable at the same time.

# zfs get all mypool
mypool  encryption            on                     local
mypool  keysource             none                   local
mypool  keystatus             none                   -

Clearly keysource should not be none (so it is not set in the default case). Can not use "zfs key -l" to load key due to keysource setting.

# zpool create -f mypool -O encryption=on -O keysource=passphrase,prompt ~/src/pool-image.bin

Also does not ask for the key. Now we can load key, but;

# zfs key -l mypool
Enter passphrase for 'mypool': 
filesystem 'mypool' is already mounted
cannot mount 'mypool': Resource temporarily unavailable

Feb 18 09:31:51 zfsdev kernel: [  953.855703] VERIFY(key != NULL) failed
Feb 18 09:31:51 zfsdev kernel: [  953.855781] SPLError: 1944:0:(zio.c:1213:zio_write_bp_init()) SPL PANIC
Feb 18 09:31:51 zfsdev kernel: [  953.855781] VERIFY(key != NULL) failed
Feb 18 09:31:51 zfsdev kernel: [  953.855836] SPLError: 1943:0:(zio.c:1213:zio_write_bp_init()) SPL PANIC
Feb 18 09:31:51 zfsdev kernel: [  953.855837] SPL: Showing stack for process 1943
Feb 18 09:31:51 zfsdev kernel: [  953.855839] Pid: 1943, comm: z_wr_iss/0 Tainted: P           O 3.5.0-22-generic #34-Ubuntu
Feb 18 09:31:51 zfsdev kernel: [  953.855840] Call Trace:
Feb 18 09:31:51 zfsdev kernel: [  953.855853]  [<ffffffffa0152567>] spl_debug_dumpstack+0x27/0x40 [spl]
Feb 18 09:31:51 zfsdev kernel: [  953.855868]  [<ffffffffa015389f>] spl_debug_bug+0x7f/0xe0 [spl]
Feb 18 09:31:51 zfsdev kernel: [  953.855935]  [<ffffffffa03d3300>] zio_write_bp_init+0x890/0x8a0 [zfs]
Feb 18 09:31:51 zfsdev kernel: [  953.855972]  [<ffffffff8101257b>] ? __switch_to+0x12b/0x420
Feb 18 09:31:51 zfsdev kernel: [  953.855987]  [<ffffffff8168244f>] ? __schedule+0x3cf/0x7c0
Feb 18 09:31:51 zfsdev kernel: [  953.856009]  [<ffffffffa03d259a>] zio_execute+0xba/0x140 [zfs]
Feb 18 09:31:51 zfsdev kernel: [  953.856015]  [<ffffffffa015b8a7>] taskq_thread+0x237/0x4b0 [spl]
Feb 18 09:31:51 zfsdev kernel: [  953.856018]  [<ffffffff81083dba>] ? finish_task_switch+0x4a/0xf0
Feb 18 09:31:51 zfsdev kernel: [  953.856021]  [<ffffffff81087cc0>] ? try_to_wake_up+0x2a0/0x2a0

Will test if it works on Solaris.

Missing module dependency

UPDATE: This seems to be a missing module not being loaded automatically. See comment #28 (comment).
Previous issue title: dsl_crypto_key_create() => SPL PANIC

I get a SPL PANIC when trying to create a filesystem.

# zfs create -o compression=lz4 -o copies=2 -o dedup=on -o encryption=aes-256-gcm -o keysource=raw,file:///boot/zfs.key system/ROOT/debian
[  377.241515] VERIFY3(0 == dsl_crypto_key_create(dd, dsphys, dsobj, dcc, tx)) failed (0 == 4)
[  377.241636] SPLError: 6259:0:(dsl_dataset.c:840:dsl_dataset_create_sync_dd()) SPL PANIC

I first thought it was the combination of options, but after a reboot and trying again:

# zfs create -o encryption=aes-256-gcm -o keysource=raw,file:///boot/zfs.key system/ROOT/debian

gave me the same error. Just for completeness:

# zfs create -o encryption=on system/ROOT/debian
[....]

naturally worked :(

BUT, and this might be a hint:

# zfs create -o encryption=aes-256-gcm system/ROOT/debian
[....]
cannot create 'system/ROOT/debian': pool must be upgraded to set this property or value
# zpool upgrade -a
This system supports ZFS pool feature flags.
All pools are already formated using feature flags.
Every feature flags pool already has all supported features enabled.
# zfs create -o encryption=aes-256-gcm system/ROOT/debian
[....]

and then spl crashes again. If I reboot the system (hard reset), the exact same thing happens - it asks to upgrade the pool and zfs create crashes...

Every time I try to use aes-256-gcm, it wants me to upgrade the pool and the zfs create crashes when I try again...

Using aes-128-ccm, aes-192-ccm, aes-256-ccm all work. But it seems that any gcm type doesn't work..

Looking at modules loaded, the pool is requested to be upgraded when the gcm module isn't loaded. But trying again, but first loading the module doesn't make any difference.

So:

# modprobe sun-gcm
# zfs create -o encryption=aes-256-gcm system/ROOT/debian
[....]
cannot create 'system/ROOT/debian': pool must be upgraded to set this property or value
# zfs create -o encryption=aes-256-gcm system/ROOT/debian
[SPL PANIC]

I'm not sure what else to test, but if there's something special, just let me know and I'll do it.

keysource=raw,file:///root/.crypted.aes-256 -> invalid all zeros key 0

I have an old OpenSolaris (snv_101b) where I created a pkcs#11 key (don't know how to do that on Linux, or what other type of raw type I can use):

turbo@opensolaris:~$ pktool genkey keystore=file outkey=.crypted.aes-256 keytype=aes keylen=256
turbo@opensolaris:~$ md5sum .crypted.aes-256 
9552e5fcf71a0d530bc08ef4404ba47a  .crypted.aes-256

Copying that over to the Linux test machine:

debianzfs-scst:~# ll .crypted.aes-256 
-r-------- 1 root root 32 Apr 28 21:48 .crypted.aes-256
debianzfs-scst:~# md5sum .crypted.aes-256
9552e5fcf71a0d530bc08ef4404ba47a  .crypted.aes-256

When creating a filesystem, I get:

debianzfs-scst:~# zfs create -o encryption=aes-256-gcm -o keysource=raw,file:///root/.crypted.aes-256 share/tests/crypto4
cannot create 'share/tests/crypto4': invalid all zeros key 0

And changing key doesn't work either:

debianzfs-scst:~# zfs create -o encryption=aes-256-gcm share/tests/crypto4
Enter passphrase for 'share/tests/crypto4': 
Enter again: 
debianzfs-scst:~# zfs key -c -o keysource=raw,file:///root/.crypted.aes-256 share/tests/crypto4
cannot change wrapping key for 'share/tests/crypto4': invalid all zeros key 0

zfs clone fails with segfault

[please see #18 for info about my system]

celia:~# zfs clone share/VirtualMachines/Test1@20130421_0035 share/VirtualMachines/Test2
Segmenteringsfel (don't have LANG set, and yet it's Swedish! Means: 'Segmentation fault').

gdb gives me:

(gdb) run clone share/VirtualMachines/Test1@20130421_0035 share/VirtualMachines/Test2
Starting program: /sbin/zfs clone share/VirtualMachines/Test1@20130421_0035 share/VirtualMachines/Test2
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
[Thread debugging using libthread_db enabled]
[New Thread 0xf73d7af0 (LWP 17602)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xf73d7af0 (LWP 17602)]
0xf744a174 in strcmp () from /lib/libc.so.6
(gdb) bt
#0  0xf744a174 in strcmp () from /lib/libc.so.6
#1  0xf76ff3b5 in nvlist_lookup_common (nvl=0x1, name=0xf7674a60 "encryption", type=DATA_TYPE_STRING, nelem=0x0, data=0xff8c91ec)
    at ../../module/nvpair/nvpair.c:1341
#2  0xf7554ef7 in zfs_crypto_zckey (hdl=0x922ac30, cmd=ZFS_CRYPTO_CLONE, props=0x8f24328, zc=0xff8c9248, type=ZFS_TYPE_VOLUME)
    at ../../lib/libzfs/libzfs_crypto.c:1371
#3  0xf7560965 in zfs_clone (zhp=0x922b5a0, target=0xff8ceeca "share/VirtualMachines/Test2", props=0x8f24328)
    at ../../lib/libzfs/libzfs_dataset.c:3493
#4  0x08054d07 in zfs_do_clone ()
#5  0x08050d7f in main ()

I can get a backtrace with debugging if needed...

Linux equivalent for pkgtool

Sorry for making this a bug, but this is more of a documentation issue...

How does one create a raw, encrypted key on Linux?

I have an old Solaris VM, whose primary use now is just to run:

pktool genkey keystore=file outkey=out.key keytype=aes keylen=256

This would then be copied onto the Linux machine and used with:

zfs create  -o encryption=aes-256-gcm -o keysource=raw,file:////.../out.key ....

How would I do this on Linux instead?
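
One way to produce and sanity-check a raw key file on Linux, as an added example that is not part of the original issue or the project's code. It assumes that `keysource=raw,file://...` reads the file as the key bytes themselves, so the file length must equal the cipher's key length (the 32-byte file in the listings on this page matches aes-256); the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not project code): generate and validate a raw AES key file.
# Assumption: a raw keysource file holds exactly the key bytes, nothing else.

# key_len_for CIPHER: print the key length in bytes for an encryption= value.
key_len_for() {
    case "$1" in
        aes-128-*) echo 16 ;;
        aes-192-*) echo 24 ;;
        aes-256-*) echo 32 ;;
        *) return 1 ;;
    esac
}

# gen_raw_key CIPHER PATH: write a fresh random key, never world-readable.
gen_raw_key() {
    len=$(key_len_for "$1") || { echo "unknown cipher: $1" >&2; return 2; }
    if [ -e "$2" ]; then
        echo "refusing to overwrite $2" >&2
        return 3
    fi
    # umask is set before the redirection creates the file, so the key is
    # never readable by other users, not even briefly.
    ( umask 077 && head -c "$len" /dev/urandom > "$2" ) || return 4
    chmod 0400 "$2"
}

# check_raw_key CIPHER PATH: 0 if usable, otherwise a code naming the problem.
check_raw_key() {
    len=$(key_len_for "$1") || return 2
    [ -r "$2" ] || return 3                  # missing or unreadable
    have=$(wc -c < "$2" | tr -d ' ')
    [ "$have" -eq "$len" ] || return 4       # wrong length for this cipher
    # Catch a file that really is all NUL bytes (e.g. a truncated copy).
    nonzero=$(tr -d '\000' < "$2" | wc -c | tr -d ' ')
    [ "$nonzero" -gt 0 ] || return 5
    return 0
}
```

Typical use is `gen_raw_key aes-256-gcm /path/to/out.key` followed by `check_raw_key aes-256-gcm /path/to/out.key` before the path is handed to `zfs create`.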

Can't build if --enable-debug - SPA_VERSION_CRYPTO undefined

First I got an error, saying some function wasn't used (because -Werror in config/zfs-build.m4).

Going round that (compiling without the -Werror), I now get:

../../module/zfs/zio.c: In function ‘zio_decrypt’:
../../module/zfs/zio.c:404: error: ‘SPA_VERSION_CRYPTO’ undeclared (first use in this function)
../../module/zfs/zio.c:404: error: (Each undeclared identifier is reported only once
../../module/zfs/zio.c:404: error: for each function it appears in.)
../../module/zfs/zio.c: In function ‘zio_read_bp_init’:
../../module/zfs/zio.c:1065: error: ‘SPA_VERSION_CRYPTO’ undeclared (first use in this function)
../../module/zfs/zio.c: In function ‘zio_write_bp_init’:
../../module/zfs/zio.c:1251: error: ‘SPA_VERSION_CRYPTO’ undeclared (first use in this function)
../../module/zfs/zio.c: In function ‘zio_gang_tree_issue’:
../../module/zfs/zio.c:1899: warning: suggest parentheses around && within ||

I don't have time to fix that now unfortunately, so I'm just enabling debugging in specific places I'm interested in.

How to build?

Are there instructions available on how to build from source? I'm more or less familiar with the usual config, make and make install. I also looked at http://zfsonlinux.org/faq.html but didn't find any specific instructions.

Add frob to stop automount in initramfs after key load.

Current behavior is that if you import the pool -R in initramfs, the prefix (pivot_root target) is retained after pivot_root, making any 'zfs mount' after the pivot_root mount to the incorrect location.

If you import the pool -N, and then load keys, ZFS tries to automount the filesystem(s) according to their mountpoint property, which is incorrect until after the pivot_root, and doesn't work. ("/ is not empty")

You have to:

'import -N' ; 'zfs key -l -n' ; 'mount -t zfs -o zfsutil tank/root /root' ; 'pivot_root'

in order for the mountpoint property to be correctly set after the pivot.

Any additional filesystems can either be explicitly mounted in initramfs before the pivot, or mounted by a 'zfs mount -a' after the pivot.

The patch below adds a new command line arg (-n) to stop the automount after a key load.

    --- pristine/zfs-crypto/cmd/zfs/zfs_main.c      2013-02-21 19:07:20.363875000 +0000
    +++ zfs-crypto/cmd/zfs/zfs_main.c       2013-02-21 19:08:52.159647000 +0000
    @@ -309,7 +309,7 @@
                        "[snapshot|filesystem]\n"));
         case HELP_KEY:
             return (gettext(
    -                        "\tkey -l <-a | [-r] filesystem|volume>\n"
    +                        "\tkey -l [-n] <-a | [-r] filesystem|volume>\n"
                             "\tkey -u [-f] <-a | [-r] filesystem|volume>\n"
                             "\tkey -c [ -o <keysource=value>]"
                             " <-a | [-r] filesystem|volume>\n"
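
Review bot: the usage string for `key -l` gains `[-n]`, but nothing in the visible patch says what the flag does. Add a one-line description to the zfs man page (and the option help, if there is one) stating that `-n` loads the key without mounting the dataset, so that initramfs authors can find it.
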
    @@ -6288,6 +6288,7 @@
         enum keycmd_e   keycmd;
         boolean_t       force;
         boolean_t       recurse;
    +    boolean_t       automount;
         nvlist_t        *props;
     } key_cbdata_t;

    @@ -6309,7 +6310,7 @@

         switch (cb->keycmd) {
         case KEY_LOAD:
    -        ret = zfs_key_load(zhp, B_TRUE, B_TRUE, cb->recurse);
    +        ret = zfs_key_load(zhp, cb->automount, B_TRUE, cb->recurse);
             break;
         case KEY_UNLOAD:
             ret = zfs_key_unload(zhp, cb->force);
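
Review bot: `cb->automount` replaces the hard-coded `B_TRUE` here, but the only assignment to the field in the visible hunks is `cb.automount = B_FALSE` under `case 'n'`. Unless `cb` is set up with `automount = B_TRUE` somewhere not shown, a zero-initialised struct would make a plain `zfs key -l` stop mounting, which changes the existing default. Set `cb.automount = B_TRUE` explicitly where `cb` is initialised, before the getopt loop.
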
    @@ -6344,7 +6345,7 @@
         zfs_type_t types = ZFS_TYPE_FILESYSTEM | ZFS_TYPE_VOLUME;


    -    while ((c = getopt(argc, argv, "arflucKo:")) != -1) {
    +    while ((c = getopt(argc, argv, "arflnucKo:")) != -1) {
             switch (c) {
             case 'a':
                 all = B_TRUE;
    @@ -6363,6 +6364,9 @@
                 cb.keycmd = KEY_LOAD;
                 cmdset = B_TRUE;
                 break;
    +        case 'n':
    +            cb.automount = B_FALSE;
    +            break;
             case 'u':
                 if (cmdset)
                     usage(B_FALSE);
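
Review bot: `case 'n'` sets the flag without looking at the selected key command, so `-n` is accepted together with `-u` and silently ignored, although the usage text documents it for `key -l` only. After option parsing, call `usage(B_FALSE)` when `-n` was given and `cb.keycmd` is not `KEY_LOAD`.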

Can't create encrypted ZVOL using keysource file

I'm not sure this ever worked, I can very, very vaguely remember trying encrypted ZVOLs a long time ago without success.

In either case, I can't seem to create an encrypted ZVOL properly.

celia:~# zfs create -o encryption=aes-256-gcm -o keysource="raw,file:///home/turbo/.zfskey" share/tmp1
celia:~# zfs destroy share/tmp1
celia:~# zfs create -o encryption=aes-256-gcm -o keysource="raw,file:///home/turbo/.zfskey" -V1G share/tmp1
cannot create 'share/tmp1': key length invalid. expected 16 bytes have 32
celia:~# zfs create -o encryption=aes-256-gcm -o keysource="passphrase,prompt" -V1G share/tmp1
Enter passphrase for 'share/tmp1': 
Enter again: 
celia:~# 

'zfs key -l -r dataset' does not return 1 if key couldn't be found

celia(ZFSRoot):~# zfs get -r keysource share/celia.new
NAME                                         PROPERTY   VALUE                            SOURCE
share/celia.new                              keysource  raw,file:///boot/zfs/.celia.key  local
share/celia.new@20140102-debootstrapped      keysource  raw,file:///boot/zfs/.celia.key  inherited from share/celia.new
share/celia.new/var                          keysource  raw,file:///boot/zfs/.celia.key  local
share/celia.new/var@20140102-debootstrapped  keysource  raw,file:///boot/zfs/.celia.key  inherited from share/celia.new/var
celia(ZFSRoot):~# ll /boot/zfs/.celia.key
/bin/ls: cannot access /boot/zfs/.celia.key: No such file or directory
celia(ZFSRoot):~# zfs key -l -r share/celia.new
celia(ZFSRoot):~# echo $?
0

When I tested this a few minutes ago in the initrd, it DID output a 'cannot load key.....' message, but it isn't now... Triple checked, and the md5sum of all binaries and libs in the live fs and the initrd match up, so I'm using the 'same' binary.

Neither does the unload (if it isn't loaded):

celia(ZFSRoot):~# zfs key -u -r share/celia.new
cannot unload key for 'share/celia.new/var': key not present.
cannot unload key for 'share/celia.new/var@20140102-debootstrapped': key not present.
celia(ZFSRoot):~# echo $?
0

Here I do get the 'cannot unload key....' at least.
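
A boot script that cannot rely on the exit status shown above can check the key files itself before loading. The following is an added example, not part of the original issue or the project's code; it assumes `zfs get -H -r -o name,value keysource` prints tab-separated `name`/`value` lines, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not project code): preflight check for file-based keysources.

# missing_key_files: read "name<TAB>keysource" lines on stdin, print
# "name<TAB>path" for every dataset whose key file is absent or unreadable,
# and return 1 if any such dataset was found.
missing_key_files() {
    rc=0
    tab=$(printf '\t')
    while IFS="$tab" read -r name src; do
        case "$name" in *@*) continue ;; esac     # snapshots inherit: skip
        case "$src" in
            *,file://*) path=${src#*,file://} ;;  # raw,file:///p  ->  /p
            *) continue ;;                        # prompt etc.: no file
        esac
        if [ ! -r "$path" ]; then
            printf '%s\t%s\n' "$name" "$path"
            rc=1
        fi
    done
    return $rc
}

# load_keys_checked DATASET: refuse to continue when a key file is missing,
# instead of trusting the exit status of `zfs key -l -r`.
load_keys_checked() {
    zfs get -H -r -o name,value keysource "$1" | missing_key_files >&2 &&
        zfs key -l -r "$1"
}
```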

Encrypted filesystem is unmountable on kernel 3.12

This is a fork of #32.

After finally mustering enough courage to run 'zfs mount -a', I get:

celia:~# zfs mount -a
filesystem 'share/home/turbo/Crypted' can not be mounted due to error 52
cannot mount 'share/home/turbo/Crypted': Invalid argument

and the syslog says:

Nov 13 03:24:53 Celia modprobe: WARNING: Error inserting ghash_clmulni_intel (/lib/modules/3.12.0+scst+tf.1/kernel/arch/x86/crypto/ghash-clmulni-intel.ko): No such device
Nov 13 03:24:54 Celia kernel: [ 2053.440315] spl-crypto: Cipher test 'CKM_AES_GCM' -> 'sun-gcm(aes)' successful.
Nov 13 03:25:01 Celia kernel: [ 2061.223198] sha256_ssse3: Neither AVX nor SSSE3 is available/usable.
Nov 13 03:25:01 Celia modprobe: WARNING: Error inserting sha256_ssse3 (/lib/modules/3.12.0+scst+tf.1/kernel/arch/x86/crypto/sha256-ssse3.ko): No such device
Nov 13 03:25:01 Celia modprobe: FATAL: Error inserting padlock_sha (/lib/modules/3.12.0+scst+tf.1/kernel/drivers/crypto/padlock-sha.ko): No such device

The SSSE3 crypto is selected as a module:

celia:~# grep -i SSSE3 /boot/config-`uname -r`
CONFIG_CRYPTO_SHA1_SSSE3=m
CONFIG_CRYPTO_SHA256_SSSE3=m
CONFIG_CRYPTO_SHA512_SSSE3=m

and is available:

celia:/lib/modules/3.12.0+scst+tf.1/kernel# find -name '*ssse3*'
./arch/x86/crypto/sha512-ssse3.ko
./arch/x86/crypto/sha1-ssse3.ko
./arch/x86/crypto/sha256-ssse3.ko

but not loaded, because:

celia:/lib/modules/3.12.0+scst+tf.1/kernel# modprobe sha256_ssse3
FATAL: Error inserting sha256_ssse3 (/lib/modules/3.12.0+scst+tf.1/kernel/arch/x86/crypto/sha256-ssse3.ko): No such device

and

Nov 13 03:30:15 Celia kernel: [ 2375.004027] sha256_ssse3: Neither AVX nor SSSE3 is available/usable.

Passphrase through Splash/Plymouth/Etc

Feature Request or Bug Fix.

We should have a way to pass a passphrase from STDIN, a pipe/redirect, or environment.

I tried to use "keysource=raw,prompt" as suggested by lundman on #zfsonlinux.

root@ubuntu> echo "PASSPHRASE" | zfs create -o encryption=on -o keysource=raw,prompt tank/CRYPT
cannot create 'tank/CRYPT': invalid all zeros key 0
root@ubuntu>

Please make 'raw,prompt' work, or add 'passphrase,stdin' as a feature.

Thanks! :)

Can't create unencrypted fs below one that is

I'm not sure if this is expected behaviour or not, but it does look strange..

I create 'system/ROOT/debian' like so:

zfs create -o mountpoint=/ -o compression=lz4 -o copies=2 -o encryption=aes-256-gcm -o keysource=raw,file:///boot/zfs/.key system/ROOT/debian

but I want (need) /boot to be unencrypted (for now - I'm working on figuring out if it's possible to make that crypted too):

zfs create -o mountpoint=/boot -o compression=lz4 -o copies=2 -o encryption=off system/ROOT/debian

this results in:

cannot create 'system/ROOT/debian/boot': invalid encryption value. dataset must be encrypted

cannot set bootfs if encryption=on

If I enable 'encryption' on a pool, I can no longer set bootfs.

This seems like it should be possible, now that grub (at least zfs-grub - grub with a lot of extra patches it seems) supports booting on an encrypted filesystem...

It should be reasonably easy to fix, and I'll be happy to do a pull request if this should be possible...

cannot create crypto fs

Hello! I compiled zfs-crypto for Gentoo - all OK, but I cannot create an encrypted file system:

nas14-mhomes test # zpool create -f -d zfscrypt mirror /home/test/disk2 /home/test/disk3
nas14-mhomes test # zfs create -o encryption=aes-256-gcm zfscrypt/BOOM
Enter passphrase for 'zfscrypt/BOOM':
Enter again:
cannot create 'zfscrypt/BOOM': parent 'zfscrypt' is not a filesystem

Am I doing something wrong?

missing easy one-liner install

Could you please provide a copy-pasteable install script?

E.g. on Ubuntu systems I just

apt-add-repository --yes ppa:zfs-native/stable
apt-get update
apt-get -y install ubuntu-zfs

Obvs this isn't packaged but a little stanza I could paste into a system to grab the source and build and install it (or tell dkms about it) would be ideal.
