wolfSSL support for ZFS

    • OpenZFS

    OpenZFS is a powerful combined filesystem and volume manager, that implements the well-known ZFS filesystem, which supports compressed and encrypted volumes. ZFS was originally developed by Sun Microsystems for Solaris Unix, and the source code was released in 2005 under the OpenSolaris project. Later, in 2013 the OpenZFS project took over open source management of ZFS, which became known as OpenZFS.

    OpenZFS is actually composed of several modular components that are spread across both user and kernel space. At the user space level, ZFS exposes command line tools like zpool(8) and zfs(8), which link to userspace libs like libzfs and libzpool.

    At the kernel level there is the main kernel module zfs.ko, and the character device /dev/zfs, through which the user space tools communicate.

    Cryptography in OpenZFS

    OpenZFS uses cryptography for a number of tasks, ranging from dataset encryption and integrity checks at the kernel layer, to PBKDF2 calls at the userspace level.

    The kernel layer has a crypto provider framework implemented in module/icp/ (named after the Illumos Cryptographic Provider). On linux, ZFS has a number of native crypto implementations that it uses for the icp providers.

    At the userspace level, OpenZFS links to OpenSSL for EVP and PBKDF2 related API.

    wolfSSL support for OpenZFS

    Naturally we were curious about porting wolfCrypt into OpenZFS. For one thing, this would lead to an easy recipe to “FIPS-ify” OpenZFS deployments. Our curiosity got the better of us, and we created a demo that integrates wolfSSL into OpenZFS through a self-contained patch.

    In short, the patch replaces the ZFS provider implementations in module/icp/ with simple wolfCrypt API calls at the kernel level, while at the user level it simply links to the libwolfssl compatibility layer (–enable-opensslall). This amounts to a substantial reduction in complexity in OpenZFS codebase, removing over 20k lines of native crypto implementations, while inserting a modest ~800 new lines.

    Schematically, the interaction between ZFS and wolfSSL components is shown in the following diagram:

    The basic idea is: at the kernel level, zfs.ko links to our own libwolfssl.ko kernel module. While at the user space level, the EVP and related calls from ZFS utilize our enable-opensslall compatibility layer from libwolfssl.so. When libwolfssl is built with FIPS 140-3 support this gives a simple recipe to “FIPS-ify” OpenZFS deployments.

    Are you interested in wolfSSL and ZFS? Do you have suggestions for what we should support next? If you are curious to learn more, or have questions, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.

    Download wolfSSL Now