ZFS On Linux Adds Encryption Support

  • ZFS On Linux Adds Encryption Support

    Phoronix: ZFS On Linux Adds Encryption Support

    ZFS On Linux (ZOL) has finally picked up support for native encryption...


  • #2
    16k lines of code for encryption? Probably they implement it all for themselves, even the algorithms, since the kernel's symbols are GPL only, aren't they?

    If that is the case, will it be possible to use hw accelerators? Like in modern CPUs? My NAS would be happy.



    • #3
      Are there plans to port this over to FreeBSD? It would be great to have a (Linux compatible) replacement for GELI some day.



      • #4
        Originally posted by oleid
        16k lines of code for encryption? Probably they implement it all for themselves, even the algorithms, since the kernel's symbols are GPL only, aren't they?

        If that is the case, will it be possible to use hw accelerators? Like in modern CPUs? My NAS would be happy.
        It pulls the Illumos crypto subsystem in and adds more kernel modules to ZFS to implement everything. So yeah, as far as I can tell, it doesn't use the Linux stuff much.
        Last edited by King InuYasha; 14 August 2017, 07:52 PM.



        • #5
          Originally posted by King InuYasha

          It pulls the Illumos crypto subsystem in and adds more kernel modules to ZFS to implement everything. So yeah, as far as I can tell, it doesn't use the Linux stuff much.
          A sign that they might actually do things right here, even though it's for Linux.



          • #6
            Originally posted by UnholyViking

            A sign that they might actually do things right here, even though it's for Linux.
            Depends. The Illumos subsystem will need to be actively maintained and security verifications need to occur for the ZoL version, since it's not the same as the original in the Illumos kernel. But also more crypto stuff in the kernel means that it's going to take much more work to audit the running Linux environment.



            • #7
              This is actually very cool.. so adding encryption to ZFS was the last feature that never got into OpenSolaris when .. well it was open. (and apparently the Oracle ZFS Encryption implementation was broken actually twice due to the incompetence of the developer at Oracle according to Bryan Cantrill) This is an all new implementation and one that Oracle can't legally backport.

              It was always considered to be kind of a meh feature because an enterprise wouldn't really need it, it's more of a laptop feature and ZFS on a laptop is.. well.. hmm.

              The reason it uses Illumos's crypto subsystem is for portability.

              The very cool part of this tho is the ability to combine it with ZFS send and receive. So you can now offsite encrypted ZFS datasets. It's also cool to see big feature development coming out of ZoL as opposed to the usual coming from Illumos or FreeBSD.



              • #8
                Originally posted by k1e0x
                It was always considered to be kind of a meh feature because an enterprise wouldn't really need it, it's more of a laptop feature and ZFS on a laptop is.. well.. hmm.
                When dealing with PHI and HIPAA, encrypted filesystems matter, regardless of laptop usage, especially if you consider offering cloud-hosted solutions.

                This could actually be the feature that would make/break an IT decision for someone somewhere.

                At the same time, most healthcare IT would never use an out of tree filesystem in the first place without a support contract anyway..
