Re: [OpenIndiana-discuss] What encryption options are available? [b151_9]
Where can I download the b151_9 version of OpenIndiana?

-- Original --
From: "James Carlson"
Date: Wed, Aug 27, 2014 04:07 AM
To: "openindiana-discuss"
Subject: Re: [OpenIndiana-discuss] What encryption options are available? [b151_9]

On 08/26/14 15:50, Harry Putnam wrote:
> The author `darren' didn't bother to fill in what all those steps are
> doing. Maybe not written for my low skill level.

I agree it's non-trivial, but it's not too hard, and it does show off some interesting features in the OS.

The steps (with "#" in front of things that must be done with privileges) are:

- Set an environment variable just for convenience so we don't have to keep typing that long path over and over.

    export PVOL=rpool/export/home/darrenm/pvol

- Create a 1GB volume

    # zfs create -V 1g $PVOL

- Use pktool to generate an encryption key. He's using the pkcs11 keystore. You could use a file if you wanted. See the man pages.

    pktool genkey keystore=pkcs11 label=$PVOL keylen=256 keytype=aes

- Create a loopback device that reads and writes the 1GB volume described above, and set it up to use the desired encryption parameters. You'd add "-k file" if you used a key file.

    # lofiadm -a /dev/zvol/rdsk/$PVOL -T:::$PVOL -c aes-256-cbc

  If this is the first "lofiadm -a" you've done, it should create "/dev/lofi/1" for you as a new device.

- Now create a zpool on top of that loopback device.

    # zpool create -O canmount=off -O checksum=sha256 \
        -O mountpoint=/export/home/darrenm darrenm /dev/lofi/1

- Change the permissions on the zpool so that the author can create, destroy, and mount filesystems inside.

    # zfs allow darrenm create,destroy,mount darrenm

- Now create an overlay mount. This sets up the path so that "~/Documents" contains public stuff, but "~/Documents/Private" is hidden.

    zfs create -o canmount=off darrenm/Documents
    zfs create darrenm/Documents/Private

--
James Carlson 42.703N 71.076W

___
openindiana-discuss mailing list
openindiana-discuss@openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] What encryption options are available? [b 151_9]
On 08/26/14 15:50, Harry Putnam wrote:
> The author `darren' didn't bother to fill in what all those steps are
> doing. Maybe not written for my low skill level.

I agree it's non-trivial, but it's not too hard, and it does show off some interesting features in the OS.

The steps (with "#" in front of things that must be done with privileges) are:

- Set an environment variable just for convenience so we don't have to keep typing that long path over and over.

    export PVOL=rpool/export/home/darrenm/pvol

- Create a 1GB volume

    # zfs create -V 1g $PVOL

- Use pktool to generate an encryption key. He's using the pkcs11 keystore. You could use a file if you wanted. See the man pages.

    pktool genkey keystore=pkcs11 label=$PVOL keylen=256 keytype=aes

- Create a loopback device that reads and writes the 1GB volume described above, and set it up to use the desired encryption parameters. You'd add "-k file" if you used a key file.

    # lofiadm -a /dev/zvol/rdsk/$PVOL -T:::$PVOL -c aes-256-cbc

  If this is the first "lofiadm -a" you've done, it should create "/dev/lofi/1" for you as a new device.

- Now create a zpool on top of that loopback device.

    # zpool create -O canmount=off -O checksum=sha256 \
        -O mountpoint=/export/home/darrenm darrenm /dev/lofi/1

- Change the permissions on the zpool so that the author can create, destroy, and mount filesystems inside.

    # zfs allow darrenm create,destroy,mount darrenm

- Now create an overlay mount. This sets up the path so that "~/Documents" contains public stuff, but "~/Documents/Private" is hidden.

    zfs create -o canmount=off darrenm/Documents
    zfs create darrenm/Documents/Private

--
James Carlson 42.703N 71.076W
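The steps in the message above end once the pool exists; the open-when-needed, close-afterwards use asked about in this thread also needs a teardown and a re-attach. The script below is an added example, not part of the message or of the blog post it explains. It assumes the names used in the message ($PVOL, pool darrenm, key label $PVOL in the pkcs11 keystore); the function names and the DRY_RUN switch are hypothetical.

```shell
#!/bin/sh
# Added example: close and reopen the lofi-encrypted pool built in the steps above.
# Names taken from the message: $PVOL, pool "darrenm", aes-256-cbc, key label $PVOL.
# Function names and DRY_RUN are hypothetical helpers. Run with privileges.
PVOL=${PVOL:-rpool/export/home/darrenm/pvol}
POOL=${POOL:-darrenm}
ZVOL=/dev/zvol/rdsk/$PVOL

# run: execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# close_vault: export the pool (unmounts its filesystems), then detach the
# lofi mapping so only ciphertext in the zvol remains reachable.
close_vault() {
    run zpool export "$POOL" || return 1
    run lofiadm -d "$ZVOL"
}

# open_vault: re-attach the zvol with the same cipher and key label, then
# import the pool by scanning /dev/lofi, so the device number need not be 1.
open_vault() {
    run lofiadm -a "$ZVOL" -T ":::$PVOL" -c aes-256-cbc || return 1
    run zpool import -d /dev/lofi "$POOL"
}

# vault_status: "open" if the zvol currently has a lofi mapping, else "closed".
vault_status() {
    if lofiadm "$ZVOL" >/dev/null 2>&1; then echo open; else echo closed; fi
}

case "${1:-}" in
    open)   open_vault ;;
    close)  close_vault ;;
    status) vault_status ;;
esac
```
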
Re: [OpenIndiana-discuss] What encryption options are available? [b 151_9]
Harry Putnam writes:

> Al Slater writes:
>
>> How about a lofi encrypted zvol?
>>
>> https://blogs.oracle.com/darren/entry/encrypting_zfs_pools_using_lofi
>
> Thanks. I guess it's a good idea, but right off hand it looks
> seriously complex and uses mostly stuff I know nothing about. Not to
> mention that it's 6 yrs old... and doubtful it all works like that still.

Sorry, you may notice a serious shortfall in math aptitude in my reply above.

The author `darren' didn't bother to fill in what all those steps are doing. Maybe not written for my low skill level.
Re: [OpenIndiana-discuss] What encryption options are available? [b 151_9]
Al Slater writes:

> How about a lofi encrypted zvol?
>
> https://blogs.oracle.com/darren/entry/encrypting_zfs_pools_using_lofi

Thanks. I guess it's a good idea, but right off hand it looks seriously complex and uses mostly stuff I know nothing about. Not to mention that it's 6 yrs old... and doubtful it all works like that still.
Re: [OpenIndiana-discuss] [oi-dev] Apache OpenOffice package
On 26.08.14 03:14, Dave Koelmeyer wrote:
> On 26/08/14 01:17, Aurélien Larcher wrote:
>> Ah true... the administration sends Office documents and I just opened
>> .odt document without saving any. My mistake...
>>
>> On Mon, Aug 25, 2014 at 3:07 PM, Alexander Pyhalov wrote:
>>> Hey, guys, don't you use ODF documents or you can work with them? For
>>> example, on my test systems I can't save *.odt files...
>
> I see something a little different (which I need to confirm) – it
> appears I can edit, save and open existing ODT documents without any
> problem. Any changes made are saved successfully. However, either
> attempting to "Save As..." (as opposed to "Save"), or creating a new ODT
> file and attempting to save that will fail with the Save dialogue
> window simply bouncing back into focus.

I can confirm that behaviour. I can even save a newly created file in Word format but not ODT (nor SWX).

Regards
Andreas
[OpenIndiana-discuss] Disk failure detection in OI
Hello list,

I have a setup that includes two bare metal servers running oi_151a8 and two JBODs. Servers are connected with JBODs so each can see disks from both JBODs. Total number of disks is 20 (12x Seagate Constellation ST2000NM0023, 2x Seagate ST200FM0002, 2x Toshiba PX02SMF020). Both nodes have LSI 9200-8e controller.

Test zpool is created, and contains 3 striped mirrored vdevs. Each vdev contains one disk from (let's call it) jbod01 and one disk from jbod02.

For testing purposes, after powering off jbod01 whole system hangs. Issuing format/cfgadm (other disk related commands) hangs on both nodes, after few minutes system goes into panic and reboots. After reboot, system sees only 10 disks and zpool import can import degraded pool.

My question is: Is there a way to configure IO so it could after disk failure unconfigure drives, and keep zpool up and running in degraded state without rebooting?

Things I tried:

- Adding ddi-failfast-supported:true in /kernel/drv/sd.conf
- Adding set sd:sd_io_time=5 in /etc/system
- Setting un_retry_count=0x3

Thanks in advance,
[OpenIndiana-discuss] Overlay "chain" in OpenLDAP
Do you know if it is possible to include the "ldap" backend in OpenLDAP that is compiled for OpenIndiana ... this allows the "chain" overlay to be used, which we use to make the local LDAP server (replicated from a master with syncrepl) pretend to be a master server, handing on the requests to the real master server.

Do I need to create a bug for this request?

Jon
Re: [OpenIndiana-discuss] What encryption options are available? [b 151_9]
On 26/08/2014 15:31, Harry Putnam wrote:
> Bob Friesenhahn writes:
>
>> On Tue, 26 Aug 2014, Harry Putnam wrote:
>>>
>>> Hopefully I've gotten it all wrong.
>>> I'd hoped for something as simple as `encfs', then read that encryption
>>> was now built into zfs. But then it appears not to be so for oi?
>>
>> Zfs encryption is for the data stored on disk and is not 'file'
>> level. Regardless, it is not provided for OpenIndiana. FreeBSD has an
>> encryption layer which can be used on devices underneath zfs.
>>
>>> Can anyone spell out what is available to use on OI 151_9 in the way
>>> of really basic encryption?
>>>
>>> I'm basically only looking for something that would baffle script
>>> kiddies. I don't expect to be attacked by serious players.
>>
>> If you want to protect individual files you could install and use pgp.
>>
>> The problem with so-called "script kiddies" is that usually such
>> scripts are run from within the cone of trust so they have access to
>> decrypted data. If the filesystem automatically decrypts the data for
>> the applications (the normal case for an encrypting filesystem), then
>> a script running on that filesystem is able to use it.
>
> Thanks for the good info. Maybe I should provide a description of
> what I want to do.
>
> With encfs... which I've used on other os's until now, works like this:
>
> Create a password protected container then whatever you put in it is
> encrypted.
>
> I keep only things like uid and passwords for the dozens of things one
> collects over time, and bits of info I'd rather not share. Nothing
> too drastic. But I guess UID and Passwd would be enough to drain my
> bank account of all 50 bucks ... hehe.
>
> What I do is (manually) open the container when I need something
> which is usually like once/twice per day or so, then close the
> container. So basically it stays encrypted most of the time. There
> is no automatic application access involved.
>
> So, I guess a script kiddie would have to first hack my host, then
> hack my UID/Passwd, and then hack the passwd on the encrypted
> container.
>
> As it is now, even root does not have access to the container without
> the passwd.
>
> So, all and all, I guess I'm looking for something that works along
> those lines.

How about a lofi encrypted zvol?

https://blogs.oracle.com/darren/entry/encrypting_zfs_pools_using_lofi

--
Al Slater
Re: [OpenIndiana-discuss] What encryption options are available? [b 151_9]
Bob Friesenhahn writes:

> On Tue, 26 Aug 2014, Harry Putnam wrote:
>>
>> Hopefully I've gotten it all wrong.
>> I'd hoped for something as simple as `encfs', then read that encryption
>> was now built into zfs. But then it appears not to be so for oi?
>
> Zfs encryption is for the data stored on disk and is not 'file'
> level. Regardless, it is not provided for OpenIndiana. FreeBSD has an
> encryption layer which can be used on devices underneath zfs.
>
>> Can anyone spell out what is available to use on OI 151_9 in the way
>> of really basic encryption?
>>
>> I'm basically only looking for something that would baffle script
>> kiddies. I don't expect to be attacked by serious players.
>
> If you want to protect individual files you could install and use pgp.
>
> The problem with so-called "script kiddies" is that usually such
> scripts are run from within the cone of trust so they have access to
> decrypted data. If the filesystem automatically decrypts the data for
> the applications (the normal case for an encrypting filesystem), then
> a script running on that filesystem is able to use it.

Thanks for the good info. Maybe I should provide a description of what I want to do.

With encfs... which I've used on other os's until now, works like this:

Create a password protected container then whatever you put in it is encrypted.

I keep only things like uid and passwords for the dozens of things one collects over time, and bits of info I'd rather not share. Nothing too drastic. But I guess UID and Passwd would be enough to drain my bank account of all 50 bucks ... hehe.

What I do is (manually) open the container when I need something which is usually like once/twice per day or so, then close the container. So basically it stays encrypted most of the time. There is no automatic application access involved.

So, I guess a script kiddie would have to first hack my host, then hack my UID/Passwd, and then hack the passwd on the encrypted container.

As it is now, even root does not have access to the container without the passwd.

So, all and all, I guess I'm looking for something that works along those lines.
Re: [OpenIndiana-discuss] What encryption options are available? [b 151_9]
On Tue, 26 Aug 2014, Harry Putnam wrote:
>
> Hopefully I've gotten it all wrong.
> I'd hoped for something as simple as `encfs', then read that encryption
> was now built into zfs. But then it appears not to be so for oi?

Zfs encryption is for the data stored on disk and is not 'file' level. Regardless, it is not provided for OpenIndiana. FreeBSD has an encryption layer which can be used on devices underneath zfs.

> Can anyone spell out what is available to use on OI 151_9 in the way
> of really basic encryption?
>
> I'm basically only looking for something that would baffle script
> kiddies. I don't expect to be attacked by serious players.

If you want to protect individual files you could install and use pgp.

The problem with so-called "script kiddies" is that usually such scripts are run from within the cone of trust so they have access to decrypted data. If the filesystem automatically decrypts the data for the applications (the normal case for an encrypting filesystem), then a script running on that filesystem is able to use it.

Bob
--
Bob Friesenhahn
bfrie...@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
[OpenIndiana-discuss] What encryption options are available? [b 151_9]
Looking around for a simple to use and setup file encryption setup for oi.

My googling succeeded in thoroughly confusing the heck out of me, and it appears the systems available are long drawn out complex affairs and even that may not be part of OI.

Hopefully I've gotten it all wrong. I'd hoped for something as simple as `encfs', then read that encryption was now built into zfs. But then it appears not to be so for oi?

Can anyone spell out what is available to use on OI 151_9 in the way of really basic encryption?

I'm basically only looking for something that would baffle script kiddies. I don't expect to be attacked by serious players.