Does it make sense to combine ZFS with LUKS2 for completely random-looking encryption on HDDs? (Without the LUKS header on the disk of course, header placed elsewhere.) The goal is to make a HDD really look like random data, since as I’ve learned ZFS built-in encryption is still telling us that it’s actually a ZFS encrypted volume you’re looking at, instead of being really just random data.
If yes, what would you use?
- a) Rather a simple integrity-free LUKS2 format since ZFS is taking care of integrity in upper layer already, or
- b) LUKS with integrity? (It might cause double write lag, once because of integrity checksum creation on the lower layer and then again in the ZFS layer, but I’m not sure. And it would probably bring in a little more complication in case of a physical failure or bit rot.)
What happens at all when a bit flip is happening on an integrity-free conventional LUKS device? Will that logical LUKS sector appear as 1 bad sector on the mapper device? (Which would then be sensed by ZFS in a mirror setup and corrected/replaced elsewhere on the mapper device, I assume.)
Setup would be a ZFS raidz1, raidz2, raidz3, or mirror with 2+ drives so not only error detection but also correction is granted. Debian 10, ZoL.
I might install a smaller decoy OS (W10, Ubuntu...) onto the first ~50GB and run it occasionally (placing the encrypted part just behind it onto the remaining empty space).
This method would allow a HDD to look like a harmless newbie setup. I’m not sure I want to complicate my life with Veracrypt & Co. and I’d like to stick to ZFS because I simply love it. It’s only the lack of unrecognizably-random-looking encryption in ZFS which makes me think about pushing a LUKS2 layer beneath it. (I believe more in distraction than in unbreakable encryption btw.)
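Added example, not code from the original post nor from any ZFS or cryptsetup project: a shell script that sets up the layout the question describes (LUKS2 with a detached header, ciphertext placed behind a decoy region, ZFS on the mapper device, no dm-integrity, i.e. option a)) and includes the check a practitioner would want afterwards: that the backing disk carries no LUKS signature, so nothing on it says "LUKS". The paths under /tmp, the 50 MiB decoy size, the pool and mapper names are assumptions, and a sparse file stands in for the HDD; the root-only setup part only runs when `DO_SETUP=1` is set.

```shell
#!/bin/sh
# Added example, not from the original post. Shows a LUKS2 container with a
# detached header placed behind a decoy region, with a ZFS vdev on top.
# A sparse file under /tmp stands in for the HDD; every path, size and device
# name below is an assumption chosen for the demo.

DISK="${DISK:-/tmp/fake-hdd.img}"          # stands in for /dev/sdX
HEADER="${HEADER:-/tmp/luks-header.img}"   # kept off the disk (e.g. on a USB stick)
MAPPER="${MAPPER:-zfsback0}"               # /dev/mapper name for the opened container
DECOY_MIB="${DECOY_MIB:-50}"               # decoy OS occupies the first DECOY_MIB MiB
POOL="${POOL:-tank}"

# Sector offset (512-byte units) at which the LUKS payload starts: right after
# the decoy region. 50 MiB -> 102400 sectors, which is 4096-byte aligned as
# cryptsetup requires.
payload_offset_sectors() {
    echo $(( DECOY_MIB * 1024 * 1024 / 512 ))
}

# has_luks_magic FILE: returns 0 if the LUKS primary ("LUKS\xba\xbe") or
# secondary ("SKUL\xba\xbe") signature appears in the first 16 MiB of FILE,
# 1 otherwise. With a detached header neither signature is ever written to the
# data device, so a disk formatted this way must make this return 1.
has_luks_magic() {
    dd if="$1" bs=1048576 count=16 2>/dev/null |
        LC_ALL=C grep -aqF -e "$(printf 'LUKS\272\276')" -e "$(printf 'SKUL\272\276')"
}

# Create and open the container, then build a single-disk pool on the mapper
# device. Needs root and cryptsetup >= 2.1 (--offset for LUKS2 luksFormat).
# For the mirror/raidz layouts in the question, repeat luksFormat/open per
# disk, each with its own header file, and pass all mapper devices to
# zpool create.
setup_container() {
    [ "$(id -u)" -eq 0 ] || { echo "setup_container: needs root" >&2; return 1; }
    command -v cryptsetup >/dev/null 2>&1 || { echo "cryptsetup missing" >&2; return 1; }
    offset=$(payload_offset_sectors)

    # Constructed stand-in for the HDD: a 256 MiB sparse file. The decoy region
    # (first DECOY_MIB MiB) is left untouched by everything below.
    [ -e "$DISK" ] || truncate -s 256M "$DISK"
    # Pre-sized header file; cryptsetup writes all LUKS metadata here, not to $DISK.
    [ -e "$HEADER" ] || truncate -s 16M "$HEADER"

    # Format with a detached header. --offset puts the ciphertext behind the
    # decoy; integrity is left to ZFS above (option a), no dm-integrity).
    cryptsetup luksFormat --type luks2 --header "$HEADER" \
        --offset "$offset" "$DISK"

    # Open it; the mapper device exposes only the payload region.
    cryptsetup open --type luks2 --header "$HEADER" "$DISK" "$MAPPER"

    # ZFS does checksumming and, with 2+ vdevs, self-healing on top.
    zpool create -o ashift=12 "$POOL" "/dev/mapper/$MAPPER"

    # Sanity check: the backing disk must carry no LUKS signature.
    if has_luks_magic "$DISK"; then
        echo "unexpected: LUKS signature found on $DISK" >&2
        return 1
    fi
    echo "pool $POOL on /dev/mapper/$MAPPER; header in $HEADER; no LUKS magic on $DISK"
}

# The destructive, root-only part runs only when explicitly requested, so the
# file can also be sourced just for the signature check.
if [ "${DO_SETUP:-0}" = 1 ]; then
    setup_container
fi
```

Usage: `DISK=/dev/sdX HEADER=/media/usb/hdr.img DO_SETUP=1 sh luks-zfs.sh` as root, answering cryptsetup's prompts; afterwards `has_luks_magic /dev/sdX` returning 1 is the property the question is after, while `has_luks_magic` on a conventionally formatted LUKS device returns 0. The header file is the only thing that identifies the container, so it needs its own backup; without it the data region is unrecoverable.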