I use full disk encryption with LUKS to encrypt data at rest on Linux systems. Lately, ZFS has offered native encryption on Linux. I am wondering whether new Linux systems should be encrypted with file system encryption (such as ZFS native encryption or ext4 with fscrypt) instead of full disk encryption (mostly LUKS). I know some of the differences. For example, ZFS leaks some metadata, mostly dataset and snapshot names (which are useless in my case). LUKS encrypts everything, has a better KDF and multiple key slots, and is mature at this point. ZFS uses AES-GCM, which is more complex but stronger than AES-XTS. Are there other reasons to use one versus the other? What do you choose? OpenZFS encryption is still rather new and I worry there might be bugs or pitfalls breaking confidentiality or causing pool corruption. Any feedback on the implementation quality of ZFS native encryption?
Story Published at: August 4, 2022 at 09:06AM
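An added example, not from the question's author nor from the ZFS or LUKS code bases, of what the AES-GCM versus AES-XTS point means in practice: a minimal Go re-implementation of XTS next to the standard library's GCM, each given one flipped ciphertext bit. Assumptions: toy fixed keys, a zero nonce, and a constructed 48-byte sector.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
)

// XTS encrypts (dec=false) or decrypts (dec=true) one sector of whole 16-byte
// blocks: data key k1, tweak key k2, sector number as tweak. Illustration only.
func XTS(k1, k2 []byte, sector uint64, in []byte, dec bool) []byte {
	c1, _ := aes.NewCipher(k1)
	c2, _ := aes.NewCipher(k2)
	t := make([]byte, 16)
	binary.LittleEndian.PutUint64(t, sector)
	c2.Encrypt(t, t) // T = AES_k2(sector number)
	out, blk := make([]byte, len(in)), make([]byte, 16)
	for i := 0; i+16 <= len(in); i += 16 {
		for j := range blk { blk[j] = in[i+j] ^ t[j] } // C = AES_k1(P xor T) xor T
		if dec {
			c1.Decrypt(blk, blk)
		} else {
			c1.Encrypt(blk, blk)
		}
		for j := range blk { out[i+j] = blk[j] ^ t[j] }
		var carry byte // T <- T * alpha in GF(2^128): each block gets its own tweak
		for j := 0; j < 16; j++ { carry, t[j] = t[j]>>7, t[j]<<1|carry }
		if carry != 0 { t[0] ^= 0x87 }
	}
	return out
}

// Compare flips one ciphertext bit under each mode: XTS has no integrity
// check, so the damaged sector decrypts to garbage with no error, while
// AES-GCM (stdlib AEAD, the mode ZFS native encryption uses) rejects it.
func Compare() (xtsSilentGarbage, gcmRejected bool) {
	k1, k2 := bytes.Repeat([]byte{1}, 16), bytes.Repeat([]byte{2}, 16)
	pt := bytes.Repeat([]byte("sector data "), 4) // constructed 48-byte sector
	ct := XTS(k1, k2, 7, pt, false)
	ct[20] ^= 0x01 // one flipped bit in the second 16-byte block
	xtsSilentGarbage = !bytes.Equal(XTS(k1, k2, 7, ct, true), pt)
	b, _ := aes.NewCipher(k1)
	g, _ := cipher.NewGCM(b)
	nonce := make([]byte, g.NonceSize()) // fixed zero nonce: illustration only
	sealed := g.Seal(nil, nonce, pt, nil)
	sealed[20] ^= 0x01
	_, err := g.Open(nil, nonce, sealed, nil)
	return xtsSilentGarbage, err != nil
}
```

The XTS side is why LUKS2 offers dm-integrity alongside dm-crypt when tamper or corruption detection matters; the GCM side is what ZFS gets from its authentication tag at the cost of a more complex implementation.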