Re: Native Encryption for ZFS on FreeBSD CFT

From: Sean Fagan <sef_at_ixsystems.com>
Date: Wed, 22 Aug 2018 11:30:07 -0700
On Aug 21, 2018, at 8:16 PM, Alan Somers <asomers_at_freebsd.org> wrote:
> 
> > The last time I looked (which was a long time ago), Oracle's ZFS encryption looked extremely vulnerable to watermarking attacks.  Did anybody ever fix that?

This is the comment about dedup in zio_crypt.c:

 * CONSIDERATIONS FOR DEDUP:
 * In order for dedup to work, blocks that we want to dedup with one another
 * need to use the same IV and encryption key, so that they will have the same
 * ciphertext. Normally, one should never reuse an IV with the same encryption
 * key or else AES-GCM and AES-CCM can both actually leak the plaintext of both
 * blocks. In this case, however, since we are using the same plaintext as
 * well all that we end up with is a duplicate of the original ciphertext we
 * already had. As a result, an attacker with read access to the raw disk will
 * be able to tell which blocks are the same but this information is given away
 * by dedup anyway. In order to get the same IVs and encryption keys for
 * equivalent blocks of data we use an HMAC of the plaintext. We use an HMAC
 * here so that a reproducible checksum of the plaintext is never available to
 * the attacker. The HMAC key is kept alongside the master key, encrypted on
 * disk. The first 64 bits of the HMAC are used in place of the random salt, and
 * the next 96 bits are used as the IV. As a result of this mechanism, dedup
 * will only work within a clone family since encrypted dedup requires use of
 * the same master and HMAC keys.

(So, same issue.  I don’t think encryption and deduplication should live together,
so I would not have made that choice.)

Sean.
Received on Wed Aug 22 2018 - 16:30:11 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:41:17 UTC