Root on ZFS: Warn against native encryption; add NixOS tutorial for LUKS #465

Merged
merged 1 commit into from Nov 2, 2023

@ghost ghost commented Oct 26, 2023

Hopefully I've got the reStructuredText indentation right. This PR contains two changes:

  • Add warning against ZFS native encryption, with references
  • Add LUKS-based guide for NixOS

Tested with https://github.com/ne9z/openzfs-docs/actions/runs/6651356857/job/18073228694

@@ -340,7 +340,7 @@ System Installation

- Encrypted:

Pick a strong password. Once compromised, changing password will not keep your
ZFS native encryption is buggy, see `a ZFS developer's comment on this issue`__ and `this spreadsheet of bugs`__. In short, if you care about your data, don't use native encryption. A LUKS-based guide has yet to be written. Once compromised, changing password will not keep your
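Review bot: the added sentence under "- Encrypted:" tells readers "if you care about your data, don't use native encryption" inside the very step that sets native encryption up, and "A LUKS-based guide has yet to be written" leaves them no alternative to follow. Suggest stating which operations the linked comment and spreadsheet cover, so a reader can judge their own exposure, and separating the warning from the password advice that now trails it on the same line ("Once compromised, changing password will not keep your"). The two anonymous references (`...`__) each need a matching `__` target in the same order; the hunk header shows no net added lines here, so check that both targets are defined elsewhere in the file.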
Member


While you MAY have problems, mainly with zfs send with some arguments, in the default case it works pretty well. I have used native encryption on my laptop for at least 2-3 years now. I propose adding a more specific warning. What do you think about:

Suggested change
ZFS native encryption is buggy, see `a ZFS developer's comment on this issue`__ and `this spreadsheet of bugs`__. In short, if you care about your data, don't use native encryption. A LUKS-based guide has yet to be written. Once compromised, changing password will not keep your
While ZFS native encryption is a production ready feature, it has some corner cases, see `a ZFS developer's comment on this issue`__ and `this spreadsheet of bugs`__. Once compromised, changing password will not keep your
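Review bot: "it has some corner cases" in the suggested line does not say which operations are affected, so a reader cannot act on the warning. The comment above names zfs send with some arguments as the main problem area; suggest stating that in the sentence itself, next to the two references, and keeping "production ready" only if the linked sources support it.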

ghost commented Oct 29, 2023 via email

NixOS: Add tutorial for LUKS

Add general tip against using new features

Signed-off-by: Yǔchēn Guō 郭宇琛 <[email protected]>

ghost commented Nov 2, 2023

@gmelikov I don't know what your intentions are. Should we hide the fact that the native encryption codebase is unmaintained and buggy? In any case, I have updated the pull request to address your comments above.


gmelikov commented Nov 2, 2023

@ne9z of course we should not hide problems, but if something is so terribly broken in stable releases, then we have to disable it in code altogether, or at least escalate it in the code repo. Plus, this is official documentation; we should be careful with (un)ambiguous declarations.

I like your wording, thank you!

@gmelikov gmelikov merged commit 946c05c into openzfs:master Nov 2, 2023
2 checks passed
@ghost ghost deleted the encryption-warning branch November 5, 2023 15:31