Darren J Moffat wrote:
> Darren J Moffat wrote:
>>> + slabel=<internally encoded label | none>
>>> + This property is used with Trusted Extensions. This is
>>> + the internal encoding of a sensitivity label (also called
>>> + a hex label). (See label_to_str(3tsol), label_encodings(4),
>>> + hextoalabel(1M), atohexlabel(1M).) At mount time, this label
>>> + must match that of the zone where the dataset is being
>>> mounted,
>>> + or the mount fails.
>>
>>
>> I'm happy with everything in this case except that the user interface
>> to setting the property requires the use of an internally encoded label,
>
> Scratch that comment, on further thought (prompted by MarkS) I'm
> actually not happy with using a dataset property for this.
>
> ZFS Crypto support doesn't encrypt the property names or values, this
> means that the sensitivity labels will not be encrypted on disk.
> That could be a serious issue for use cases that involve ZFS doing
> encryption and having TX enabled.
>
> I think this case needs some discussion with the ZFS core team and the
> ZFS crypto team before it can move forwards.

You think the internal (hex) labels need to be encrypted?
What is the alternative to using a system property?
--Glenn
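
Review bot: the slabel description lists "none" as a legal value in its first line but never says what it means at mount time; the closing sentence ("At mount time, this label must match that of the zone ... or the mount fails") only covers a dataset that carries a label. Add a sentence stating how a dataset with slabel=none is treated when a zone mounts it. Since the synopsis asks the administrator for an internally encoded label, the text should also say which of the cited commands produces that hex form from a human-readable label, rather than leaving it to the "See ..." list.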