November 29, 2016
ZFS Encryption Will Hopefully Come To The OpenZFS Community!
Data security is of the utmost concern to our customers, especially when new IT service providers are looking at Datto to be their preferred DRaaS vendor. Inevitably, encryption comes up in discussions. Datto encrypts data in transit and at rest at our cloud data centers internationally. IT providers can also opt in to have an encrypted agent on our devices. Historically, enabling encryption negatively impacted ease of use, storage and transportability of data. Here’s why:
Ease of Use: When you encrypt data, it adds a layer of work that has to be accomplished to perform backups. There has to be some manual intervention to make sure that the people using the product are authorized, hence the need for a manually entered passphrase to allow someone the rights to use an encrypted product.
Storage: Encrypted data is stored in a random jumble and only a key can decrypt that randomness. This leads to a storage issue because there is no way to efficiently compress encrypted data. So, users must purchase an artificially large backup appliance to store encrypted data and versions of that encrypted data over time.
Transportability: When storage cannot be compressed, sending the data becomes more work and time. In our line of business, that can mean the difference between a company that can run and a company that will fail after a disaster.
We decided to ask, what can be done about these problems?
We cannot get rid of manual intervention, that is a main tenet of data security. We can, however, try to make the storage and transportability easier. How does one do that with the products that we have?
The one thing that binds all of our products together is the fact that they all use ZFS. OK, Oracle ZFS has encryption built in, thanks to ye olde Solaris. OpenZFS didn’t have native encryption because Oracle ZFS became closed source before it could be integrated. So one of our own developers, Tom Caputi, decided to take up the OpenZFS encryption mantle. First, he had to find out what security and usability issues there were with Oracle ZFS. There were a number of things that made me want to take it over,” said Caputi. “It wasn’t easy to manage, it required manual key rotations by sysadmins, deduplication breaks when you rotate keys, and more.” What sysadmin wants to have to remember to reset a key at any interval? No sysadmin, that’s who.
After nine months of sleepless nights and back and forth with some people from the OpenZFS community, he came out with a finished product and presented it to the OpenZFS community in September 2016. It still has to be approved, but it is currently being critiqued in GitHub and we can’t wait to get it out to the world!
This will not only help Datto but anyone using ZFS for their storage needs. You don’t need hardware level encryption (although I won’t stop you) because you can encrypt your data compressed AND deduplicated...that’s right...properly deduplicated with this new pull request. To find out more you can watch Tom Caputi’s presentation at the OpenZFS Developer Summit.
Well now, you might ask...how can I learn about ZFS? I challenge you to try it out for yourself, personally, I recommend ZFS on Ubuntu but you can go with Illumos or another system that might have it baked in like FreeNAS. Get crazy with it...learn how to be a ZFS ninja. I would be happy to discuss as well!