Hello FreeBSD community,
I’m seeking validation for my current configuration using Geli encryption with ZFS. While everything appears to be working correctly, I’d like to confirm whether this setup aligns with best practices or if there are recommended improvements.
Context
I’m a new user of Geli encryption, and I’ve configured it to secure ZFS vdevs. Through a combination of the FreeBSD handbook, geli man pages, and various forum posts, I was able to assemble a working setup. However, I couldn’t find a single, definitive "preferred" approach for this use case. Before moving critical data to my ZFS pool, I’d like to ensure this configuration is robust and adheres to common practices. I added a passphrase as well as a key file to allow for recovery in case the key file becomes inaccessible, and I used geli backup to back up the metadata and master keys.
Current Setup
Root Pool:
Root on a ZFS pool (zroot) residing on a Geli-encrypted vdev.
This vdev requires a user password to unlock Geli during boot.
(I read that a separate pool for the file server was recommended rather than a dataset on zroot.)
File Server Pool:
Separate ZFS pool added for file server data.
Geli-encrypted vdevs in this pool are configured with two user keys:
Keyslot 0: Passphrase-based key.
Keyslot 1: Keyfile-based key (no passphrase).
The keyfile is stored at /geli.key.
Behavior:
The system boots without errors.
The data ZFS pool and its datasets mount successfully after boot.
Geli devices are present and active.
Here are the relevant sections from /boot/loader.conf and /etc/rc.conf for your reference:
cat /boot/loader.conf
aesni_load="YES"
geom_eli_load="YES"
cryptodev_load="YES"
zfs_load="YES"
cat /etc/rc.conf
zfs_enable="YES"
# the group name listed here must match the geli_<group>_flags / geli_<group>_devices variables below
geli_groups="z1"
#keyfile stored on encrypted root zfs dataset
geli_z1_flags="-n 1 -p -k /geli.key"
geli_z1_devices="da1 da2 da3"
Questions
Does this setup follow standard practices for using Geli with ZFS?
Are there any potential pitfalls, security concerns, or recommended changes to improve the configuration?
Is storing the keyfile at /geli.key acceptable, or is there a more secure alternative?
I’ve rebooted the system several times and reviewed logs, but I’d greatly appreciate input from experienced users to ensure this setup is both efficient and secure.
Thank you in advance for your time and guidance!
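As an added example, not part of the original post and not FreeBSD's own rc.d/geli: a small sh script with two checks a reviewer would run on a configuration like this before relying on it at boot. The first follows the rc.conf(5) convention that every name in geli_groups needs a matching geli_<group>_devices (and normally geli_<group>_flags) variable, and reports group names that match nothing as well as device lists no group references. The second verifies that the keyfile is a regular file with no group/other permission bits. The rc.conf fragments and keyfiles it creates are constructed samples in a scratch directory; no geli command is run.

```shell
#!/bin/sh
# Added example: consistency checks for a geli rc.conf and its keyfile.
# Assumption (from rc.conf(5)): each name in geli_groups is served by
# geli_<group>_devices and geli_<group>_flags; a group with no device list
# attaches nothing, and a device list whose group is not listed is ignored.

# rc_get FILE VAR: print VAR's value from an rc.conf-style file (last assignment wins).
rc_get() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*$/\1/p" "$1" | tail -n 1
}

# check_geli_groups FILE: one line per finding; returns 0 when consistent, 1 otherwise.
check_geli_groups() {
    file=$1
    status=0
    groups=$(rc_get "$file" geli_groups)
    if [ -z "$groups" ]; then
        echo "geli_groups is unset: no group-based attach happens at boot"
        return 1
    fi
    for g in $groups; do
        if [ -z "$(rc_get "$file" "geli_${g}_devices")" ]; then
            echo "group '$g': geli_${g}_devices is unset, nothing is attached for it"
            status=1
        fi
        if [ -z "$(rc_get "$file" "geli_${g}_flags")" ]; then
            echo "group '$g': geli_${g}_flags is unset, geli attach defaults apply"
        fi
    done
    # Device lists whose group name never appears in geli_groups are silently ignored.
    for name in $(sed -n 's/^[[:space:]]*geli_\([A-Za-z0-9_]*\)_devices=.*/\1/p' "$file" | sort -u); do
        found=0
        for g in $groups; do
            if [ "$g" = "$name" ]; then found=1; fi
        done
        if [ "$found" -eq 0 ]; then
            echo "geli_${name}_devices is set but '$name' is not in geli_groups, so it is ignored"
            status=1
        fi
    done
    return "$status"
}

# check_keyfile PATH: regular file with no group/other bits (mode 0600 or stricter).
# Uses ls -l columns 5-10 (group and other bits) so it works on BSD and GNU userland.
check_keyfile() {
    kf=$1
    if [ ! -f "$kf" ]; then
        echo "keyfile $kf does not exist or is not a regular file"
        return 1
    fi
    if [ "$(ls -l "$kf" | cut -c5-10)" != "------" ]; then
        echo "keyfile $kf is accessible to group/other; expected mode 0600"
        return 1
    fi
    return 0
}

# Constructed samples (not the poster's files): the first fragment names a group that
# no geli_<group>_* variable serves, the second is the consistent form of the same setup.
WORK=$(mktemp -d "${TMPDIR:-/tmp}/gelicheck.XXXXXX") || exit 1
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/rc.conf.mismatch" <<'EOF'
zfs_enable="YES"
geli_groups="data"
geli_z1_flags="-n 1 -p -k /geli.key"
geli_z1_devices="da1 da2 da3"
EOF
cat > "$WORK/rc.conf.ok" <<'EOF'
zfs_enable="YES"
geli_groups="z1"
geli_z1_flags="-n 1 -p -k /geli.key"
geli_z1_devices="da1 da2 da3"
EOF
dd if=/dev/urandom of="$WORK/geli.key" bs=64 count=1 2>/dev/null
chmod 0600 "$WORK/geli.key"
cp "$WORK/geli.key" "$WORK/geli.key.loose"
chmod 0644 "$WORK/geli.key.loose"

for f in "$WORK/rc.conf.mismatch" "$WORK/rc.conf.ok"; do
    echo "== $f"
    if check_geli_groups "$f"; then echo "groups and device lists are consistent"; fi
done
for k in "$WORK/geli.key" "$WORK/geli.key.loose"; do
    if check_keyfile "$k"; then echo "$k: permissions ok"; fi
done
```

Run it against a copy of the real /etc/rc.conf and the real keyfile path by calling check_geli_groups and check_keyfile with those arguments instead of the samples; the keyfile check only covers file mode, so ownership (it should be root's) and the fact that the file lives on the already-unlocked encrypted root still need to be confirmed by hand.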