Zfs: Q: Is data from an encrypted dataset stored on l2arc encrypted?

Created on 26 Apr 2020 · 3 Comments · Source: openzfs/zfs

System information

Type | Version/Name
--- | ---
ZFS Version | git master 47c9299fcc9e5fb91d0b1636bfacc03bd3e98439

Describe the problem you're observing

Searching the web and forums, there seem to be only conflicting opinions on whether the L2ARC caches data from encrypted datasets in a still-encrypted form.

It'd be great to have an authoritative answer. Thanks.

Encryption Question

Most helpful comment

Yes, blocks in the L2ARC have the exact same on-disk representation as they do in the main pool. So if they are encrypted in the main pool, they will also be encrypted in the L2ARC. The (in-memory) ARC can hold the encrypted and/or unencrypted versions of a block, but typically it will have the unencrypted version. Therefore, ZFS re-encrypts the data from the ARC before writing it to the L2ARC. (In some unusual circumstances, the encryption key may no longer be available when we want to write the block to the L2ARC. In this case it won't be written to the L2ARC.)

You can see the code for this in l2arc_write_buffers() and l2arc_apply_transforms(), specifically the call to zio_do_crypt_abd(). You can confirm by grep-ing the l2arc device for the plaintext contents (you'd want to use compression=off (the default) for this test).

cc @tcaputi
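Added example, not from the issue or from OpenZFS itself: a script that runs the grep test described above on a throwaway file-backed pool with a cache vdev, so nobody needs spare disks to reproduce it. The pool name, working directory, marker string and the 30-second feed window are assumptions; it needs root and an OpenZFS install, and the expected result is 0 hits on both backing files.

```shell
#!/bin/sh
# Added check (not from the issue): throwaway file-backed pool with a cache
# vdev, a known marker written into an encrypted dataset, then a grep of both
# backing files for that marker. Needs root and OpenZFS; 0 hits is the expected
# result on both files. Pool name, paths and marker are assumptions.
set -eu

POOL=${POOL:-l2arctest}
WORK=${WORK:-/var/tmp/l2arctest}
MARKER=L2ARC-PLAINTEXT-CANARY

# Count lines of image/device $1 containing $2. grep exits 1 on zero matches,
# which is the answer we are hoping for, not an error.
plaintext_hits() {
    grep -a -c -- "$2" "$1" || [ $? -eq 1 ]
}

# Bytes allocated on cache vdev $2 of pool $1; assumes iostat -v prints the
# file vdev under its full path.
cache_alloc() {
    zpool iostat -vp "$1" | awk -v d="$2" '$1 == d { print $2 }'
}

run_check() {
    mkdir -p "$WORK"
    truncate -s 1G "$WORK/data.img" "$WORK/cache.img"
    head -c 32 /dev/urandom > "$WORK/key.raw"
    zpool create "$POOL" "$WORK/data.img" cache "$WORK/cache.img"
    # compression=off so a leak would show the marker literally on disk.
    zfs create -o encryption=aes-256-gcm -o keyformat=raw \
        -o keylocation="file://$WORK/key.raw" -o compression=off "$POOL/enc"
    yes "$MARKER" | head -c 64M > "/$POOL/enc/canary"
    sync
    # Demand-read the file until the feed thread has copied blocks to the
    # cache vdev (it re-encrypts them in l2arc_apply_transforms on the way).
    i=0
    while :; do
        cat "/$POOL/enc/canary" > /dev/null
        a=$(cache_alloc "$POOL" "$WORK/cache.img"); [ "${a:-0}" -gt 0 ] 2>/dev/null && break
        i=$((i + 1)); [ $i -lt 30 ] || break
        sleep 1
    done
    zpool export "$POOL"
    echo "cache vdev plaintext hits: $(plaintext_hits "$WORK/cache.img" "$MARKER")"
    echo "data vdev plaintext hits:  $(plaintext_hits "$WORK/data.img" "$MARKER")"
}

# The pool part only runs when asked for, so the helpers can be sourced safely.
if [ "${RUN_L2ARC_CHECK:-0}" = 1 ]; then run_check; fi
```

Run it as `RUN_L2ARC_CHECK=1 sh l2arc_check.sh` as root; a non-zero count on the cache image would mean plaintext reached the L2ARC device.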

All 3 comments

Everything @ahrens said is correct. I would add that the reason there is conflicting information online about this is because Oracle's implementation of ZFS encryption DOES NOT encrypt data going to the L2ARC (or at least it didn't when I was checking a few years ago). Our implementation is completely separate with its own command line interface, advantages, and caveats.

Brilliant - thanks folks.
