4185 New hash algorithm support
*** 270,276 ****
--- 270,383 ----
When the \fBmulti_vdev_crash_dump\fR feature is set to \fBenabled\fR,
the administrator can use the \fBdumpadm\fR(1M) command to configure a
dump device on a pool comprised of multiple vdevs.
+ .RE
+
+ .sp
+ .ne 2
+ .na
+ \fB\fBsha512\fR\fR
+ .ad
+ .RS 4n
+ .TS
+ l l .
+ GUID org.illumos:sha512
+ READ\-ONLY COMPATIBLE no
+ DEPENDENCIES none
+ .TE
+
+ This feature enables the use of the SHA-512/256 truncated hash algorithm
+ (FIPS 180-4) for checksum and dedup. The native 64-bit arithemtic of
+ SHA-512 provides an approximate 50% performance boost over SHA-256 on
+ 64-bit hardware and is thus a good minimum-change replacement candidate
+ for systems where hash performance is important, but these systems
+ cannot for whatever reason utilize the faster \fBskein\fR and
+ \fBedonr\fR algorithms.
+
+ When the \fBsha512\fR feature is set to \fBenabled\fR, the administrator
+ can turn on the \fBsha512\fR checksum on any dataset using the
+ \fBzfs\fR(1M) command. Please note that doing so will immediately
+ activate the \fBsha512\fR feature on the underlying pool (even before
+ any data is written). Since this feature is not read-only compatible,
+ this operation will render the pool unimportable on systems without
+ support for the \fBsha512\fR feature. At the moment, this operation
+ cannot be reversed. Booting off of pools utilizing SHA-512/256 is
+ supported, provided that the appropriate GRUB stage2 module is
+ installed.
+
+ .RE
+
+ .sp
+ .ne 2
+ .na
+ \fB\fBskein\fR\fR
+ .ad
+ .RS 4n
+ .TS
+ l l .
+ GUID org.illumos:skein
+ READ\-ONLY COMPATIBLE no
+ DEPENDENCIES none
+ .TE
+
+ This feature enables the use of the Skein hash algorithm for checksum
+ and dedup. Skein is a high-performance secure hash algorithm that was a
+ finalist in the NIST SHA-3 competition. It provides a very high security
+ margin and high performance on 64-bit hardware (80% faster than
+ SHA-256). This implementation also utilizes the new salted checksumming
+ functionality in ZFS, which means that the checksum is pre-seeded with a
+ secret 256-bit random key (stored on the pool) before being fed the data
+ block to be checksummed. Thus the produced checksums are unique to a
+ given pool, preventing hash collision attacks on systems with dedup.
+
+ When the \fBskein\fR feature is set to \fBenabled\fR, the administrator
+ can turn on the \fBskein\fR checksum on any dataset using the
+ \fBzfs\fR(1M) command. Please note that doing so will immediately
+ activate the \fBskein\fR feature on the underlying pool (even before any
+ data is written). Since this feature is not read-only compatible, this
+ operation will render the pool unimportable on systems without support
+ for the \fBskein\fR feature. At the moment, this operation cannot be
+ reversed. Booting off of pools using \fBskein\fR is \fBNOT\fR supported
+ -- any attempt to enable \fBskein\fR on a root pool will fail with an
+ error.
+
+ .RE
+
+ .sp
+ .ne 2
+ .na
+ \fB\fBedonr\fR\fR
+ .ad
+ .RS 4n
+ .TS
+ l l .
+ GUID org.illumos:edonr
+ READ\-ONLY COMPATIBLE no
+ DEPENDENCIES none
+ .TE
+
+ This feature enables the use of the Edon-R hash algorithm for checksum
+ and dedup. Edon-R is a very high-performance hash algorithm that was part
+ of the NIST SHA-3 competition. It provides extremely high hash
+ performance (over 350% faster than SHA-256), but was not selected
+ because of its unsuitability as a general purpose secure hash algorithm.
+ This implementation utilizes the new salted checksumming functionality
+ in ZFS, which means that the checksum is pre-seeded with a secret
+ 256-bit random key (stored on the pool) before being fed the data block
+ to be checksummed. Thus the produced checksums are unique to a given
+ pool, blocking hash collision attacks on systems with dedup.
+
+ When the \fBedonr\fR feature is set to \fBenabled\fR, the administrator
+ can turn on the \fBedonr\fR checksum on any dataset using the
+ \fBzfs\fR(1M) command. Please note that doing so will immediately
+ activate the \fBedonr\fR feature on the underlying pool (even before any
+ data is written). Since this feature is not read-only compatible, this
+ operation will render the pool unimportable on systems without support
+ for the \fBedonr\fR feature. At the moment, this operation cannot be
+ reversed. Booting off of pools using \fBedonr\fR is \fBNOT\fR supported
+ -- any attempt to enable \fBedonr\fR on a root pool will fail with an
+ error.
+
.SH "SEE ALSO"
\fBzpool\fR(1M)
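Review bot: The edonr entry states that Edon-R was not selected "because of its unsuitability as a general purpose secure hash algorithm" and then rests the dedup collision protection entirely on the salt, which the same paragraph describes as both "secret" and "stored on the pool". The entry should say who can read that key and that the protection depends on it staying undisclosed, so an administrator can weigh that before choosing edonr for dedup; the same clarification applies to the skein entry. Two smaller points: "arithemtic" in the sha512 entry should be "arithmetic", and the otherwise identical salt sentences use "preventing" in skein and "blocking" in edonr, so pick one wording.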