
Native Encryption for ZFS on Linux - funkaster
https://github.com/zfsonlinux/zfs/commit/b52563034230b35f0562b6f40ad1a00f02bd9a05
======
ComputerGuru
OK, I'm curious: why are people shoehorning the filesystem to fit the OS
rather than carefully picking the OS that makes the most sense for the
application it's being used for?

We originally ran OpenSolaris _just for ZFS_. Then we switched to FreeBSD when
OpenSolaris/OpenIndiana dead-ended. We had a production server running PHP and
we were sick of PHP5, so we switched to Linux because HHVM on FreeBSD was a
joke. PHP 7 came out and obviated HHVM (from a performance perspective), and
so our latest PHP deployments are back on FreeBSD.

If your data is valuable to you (and presumably it is and that's why you're
looking at ZFS), why are you not on FreeBSD in the first place?

Same story with ASP.NET - tried deploying on Mono way back before .NET Core
was even an idea and realized the futility of it and switched a server farm to
Windows _because it just wasn't worth it._ PHP on Windows? Same story - not
production ready, move to Linux.

(This isn't to disparage ZfsOnLinux, which I think is a great effort and
laudable if only for home user purposes. Instead, this is a question for
sysadmins on HN who are using ZoL.. .why?)

~~~
brendangregg
Most small shops don't have the expertise -- or appetite to develop it -- to
do an OS and kernel comparison in depth. Larger shops like Netflix do (and
Facebook, etc). So if you want a detailed answer by a systems/kernel
engineering team who have spent weeks studying it, you need to ask a larger
shop.

I'm one of those people. I'm on the Perf and OS team at Netflix. We're very
familiar with FreeBSD -- we use it on our CDN. We're also very familiar with
Linux -- we use it on our cloud. We're very familiar with a lot of other OSes
too (Windows, AIX, Solaris, HP-UX, etc).

So why don't we use BSD everywhere, or Linux everywhere? There's no single
reason -- it's many reasons -- and it's serious engineering time to document
them all and do the topic justice. I'd like to, but I don't have that time
right now.

But I wanted to point this out because I do see it commonly asked, and it
sounds like a question that can be answered simply, but isn't. You're asking
for engineering work, even to just summarize all the factors. I've written up
an explanation of why not Solaris before on HN, since that's easy. But Linux
vs FreeBSD is much more work, since they are both compelling options.

~~~
ComputerGuru
No, you misunderstood me. I am not arguing for FreeBSD everywhere or Linux
everywhere. To the contrary.

I'm saying use whatever filesystem Linux provides when you need to use Linux.
And use whatever operating system provides native support for ZFS when you
need to use ZFS.

We're using ZFS on FreeBSD to do our data storage, ASP.NET on Windows to run
our business logic, and PHP under FreeBSD where PHP is required (previously
HHVM on Linux because HHVM was the requirement). I'm saying pick the right OS
for the right job.

I'm saying figure out your priority with stability in mind.

ZFS is a must when managing big data. It's nice to have otherwise. Decide
which factor is the "must" in your case, and if it's ZFS, don't use Linux.

~~~
tjoff
Problem is, Linux does not have any decent general purpose filesystem.

That is why people risk their data using an untested hack.

~~~
anc84
What is not decent about ext4 as general purpose FS?

~~~
laumars
ext4 is fine for most people but it's not comparable to ZFS. Even ZFS aside,
I've been unconvinced by ext4 these days and have starting using XFS on all
new Linux server builds.

~~~
anc84
So it IS a decent general purpose FS. ;)

~~~
laumars
I think there's two incompatible arguements going on here:

1\. Is ext4 a decent general purpose file system?

2\. Is ext4 a decent alternative or comparable to ZFS?

My answers to those questions would be:

1\. It's an " _acceptable_ " general purpose file system but it's really
starting to fall behind the competition. When I see comments like how people
don't need features like snapshots et al I'm reminded about just how popular
Windows Shadow Copy is. Ok that is a service rather than a file system feature
but it shows that there is a demand for desktops to have this feature.
Checksuming is another example - it's practically free service these days as
CPUs have hardware extensions for popular checksum hashes. So the argument is
akin to saying "why do we need file system journaling"; sure you don't _need_
them but you're massively grateful when you do have them and your consumer
hardware throws it's inevitable hissyfit.

In my opinion Linux really does need to up its game. Ext4 feels almost stuck
in time when compares to the likes of XFS which is years older than ext and
yet they're working on snapshotting. Then you have really forward thinking
file systems like what DragonflyBSD have been working on. They understand the
need for better resilience of our data on desktops due to ever expanding
storage capacities and HAMMERFS looks extremely exciting as a result.

So to get back to your question. Yes ext4 is acceptable for most people, but
is _acceptable_ really good enough? Maybe we should invest more time and
energy into XFS?

2\. Is ext4 a decent alternative or comparable to ZFS? Simply put, _no_.

------
belovedeagle
The title of this HN post should mention that this is ZFSonLinux.

This is good news, but I'll definitely want to wait a good long while before
enabling this in production. Yes, _officially_ zfs isn't good enough to use in
production anywhere even without shiny new features, but I reckon zfs as-is is
better than some other filesystem.

~~~
josteink
By the ZFS proponents own standard for "mature", I guess I should still wait a
decade to use this, right? ;)

~~~
jlgaddis
Depends on a). how much you value your data and/or b). how much you trust your
backups.

------
williamstein
The rate of work and breadth of contributors to ZFSOnLinux is pleasantly
suprising and impressive:
[https://github.com/zfsonlinux/zfs/graphs/contributors](https://github.com/zfsonlinux/zfs/graphs/contributors)

~~~
dom0
Things that happen when you employ folks full-time to work on something.

------
d33
Why would one choose it over dm-crypt? What are the advantages?

~~~
e12e
Personally, I think the best thing is having (finally!) serious cross-platform
encrypted drive support in software. (Yes hw encryption has its benefits, but
like with software raid - the flexibility of software is great). Potentially
this could also be easier to use for external disks than unlock, detect
volumes, mount (or unlock zfs mount...).

In theory, having compression and encryption handled by one codebase might
open the door to a safe/clearly delineated tradeoffs of enabling both.

~~~
X86BSD
This to me, is one of the GREATEST advances since Unix was created. Seriously,
how !@#!@# amazing is it to be able to yank a pool from illumos, Linux,
FreeBSD etc and swap it into a box of another OS supporting ZFS and simply
import it wether its encrypted or not but especially encrypted!

I don't know if most of you are old enough to remember the absolute HELL of
dealing with tape drives, and UFS to trying to get data recovered or migrated
before ZFS. It usually resulted in tears.

~~~
grahamjperrin
ZFS - native encryption, resizing, bleaching | The FreeBSD Forums
<[https://forums.freebsd.org/threads/56869/>](https://forums.freebsd.org/threads/56869/>)

> I hope that FreeBSD will be not too far behind. …

------
akerro
Only by looking at issues in github repo you can tell it's far, far away from
being stable, even for homelabs.

------
XorNot
I'm curious how long it'll take for support to land in grub for this (or how
much work it's likely to be).

------
mp3geek
Does ZFS use the native compression libs in the linux kernel?

------
adrianscott
s/Merkel/Merkle/

~~~
jlgaddis
Thank you so much for your wonderful contribution to this discussion.

~~~
the_common_man
What's wrong with pointing out a typo?

~~~
jlgaddis
What purpose did it serve? The typo was in a commit message. Assuming that the
committer ever even sees it -- most submissions here are not submitted by the
original author -- he is certainly not going to go back and fix the typo in
his commit message.

Besides, in 99% of "typo instances" it is quickly obvious that a typo was
made, everyone understands what it should be, and continues on. If it's a typo
that actually results in a real problem then by all means point it out;
otherwise it just adds to the noise (such as in this case, where it was merely
a transposition of two characters).

------
coretx
It might not be fair but reading a .gov address listed as a reviewer does not
exactly inspire trust. :'(

~~~
_joel
Why not? It's LLNL, who are heavy ZFS users and have been at the forefront of
large datasets since they were a thing in computing.

~~~
coretx
Yet also advertise to be into counterterrorism, defense, and intelligence
operational support. How many dual_ec_drbg do we need before we stop trusting
those people ?

~~~
_joel
I think you're confusing the NSA with LLNL

