Hi Dan,

Your first two interpretations are correct.

I like the idea of netbooting but unfortunately, although a good idea, it
doesn't fit with the details of our use case - we temporarily take our
system to a trusted location, use it and then remove it, so we do not have a
permanent presence at the trusted locations (other than our base location).
This means that providing the netboot environment is effectively the same
problem, as anything on the same network as the data becomes subject to the
same rules regarding protection.

Putting the boot system on the key media isn't quite the same as
transporting the key on media alone - the key media can be read-only/only
used at boot to authenticate, whereas the boot system is on writable media.
(I have already considered read-only boot images on DVD but due to the low
numbers of systems and the need to make permanent changes to the system, I
do not consider this approach operable.)

Regarding tampering and tamper detection, when the disks are transported, we
do not rely on an IT approach to these issues.

Regards,
Rob

-----Original Message-----
From: Daniel Carosone [mailto:d...@geek.com.au]
Sent: 28 April 2011 03:21
To: Rob O'Leary
Cc: Troels Nørgaard Nielsen; zfs-crypto-discuss@opensolaris.org
Subject: Re: Booting from encrypted ZFS WAS: RE: How to mount encrypted file system at boot? Why no pass phrase requested


If I understood correctly:

 - there is no requirement for the system to boot (or be bootable)
   outside of your secure locations.

 - you are willing to accept separate tracking and tagging of removable
   media, e.g. for key distribution.

Consider, at least for purposes of learning from the comparison:

 - having the machines netboot only, and provide the netboot
   environment only within the secure locations.

 - having the system disks on the removable media that is handled
   separately, not just the keys.

Both of these share the property that the physical chassis being
transported contains only encrypted disks, leaving you to make other
tradeoffs with respect to risks and handling of the bootstrapping data
(including keys).

My primary interest in "encrypted zfs boot" for the OS is more around
the integrity of the boot media, for devices that may be exposed to
tampering of various kinds.  This is a complex issue that can only be
partly addressed by ZFS, even with such additional features.

Do these sorts of concerns apply to your environment?  If someone was
to intercept one of these machines in transit, and tamper with OS and
system executables in such a way as to disclose information/keys or
otherwise alter their operation when next booted in the "secure"
environment, would that be a concern?

--
Dan.

_______________________________________________
zfs-crypto-discuss mailing list
zfs-crypto-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/zfs-crypto-discuss
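Dan's question about a chassis intercepted in transit, with the OS and system executables altered so that they leak keys when next booted, is the one his two comparison set-ups are designed to remove (only encrypted disks travel). Where the boot bits do travel in the clear, the check a practitioner would want at the next boot in the secure location is an integrity manifest of the boot path authenticated with a key that lives on the separately handled key media, so the attacker who can rewrite the disk cannot also rewrite the manifest. The following is an added example, not code from the thread or from ZFS; the directory layout, file names and key are constructed for illustration. It only partly addresses Dan's concern, as he says: the verifier and the kernel that runs it must themselves come from trusted media, and firmware below them is out of scope.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Added example (not from the thread): authenticate the boot-path files with a
# key held on the removable key media, so a chassis tampered with in transit is
# detected at the next boot.  The key, file set and layout are assumptions.

MANIFEST_NAME = "boot-manifest.json"


def _digest_tree(root):
    """Return {relative_path: sha256_hex} for every regular file under root,
    excluding the manifest itself."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.name == MANIFEST_NAME:
            continue
        digests[path.relative_to(root).as_posix()] = hashlib.sha256(
            path.read_bytes()).hexdigest()
    return digests


def _tag(key, digests):
    # HMAC over a canonical serialisation: without the key nobody can edit or
    # replace the manifest to match files they have altered.
    canonical = json.dumps(digests, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def build_manifest(root, key):
    """Hash every file under root and tag the result with the key-media key."""
    digests = _digest_tree(root)
    manifest = {"files": digests, "tag": _tag(key, digests)}
    (Path(root) / MANIFEST_NAME).write_text(json.dumps(manifest, sort_keys=True, indent=1))
    return manifest


def verify_manifest(root, key):
    """Recheck root against its manifest.  Returns (ok, findings); ok is True
    only when the tag verifies and no file was modified, added or removed."""
    try:
        manifest = json.loads((Path(root) / MANIFEST_NAME).read_text())
    except (OSError, ValueError):
        return False, ["manifest missing or unreadable"]
    expected = manifest.get("files", {})
    if not hmac.compare_digest(_tag(key, expected), manifest.get("tag", "")):
        return False, ["manifest tag does not verify (wrong key or edited manifest)"]
    actual = _digest_tree(root)
    findings = []
    for rel in sorted(set(expected) | set(actual)):
        if rel not in actual:
            findings.append(f"missing: {rel}")
        elif rel not in expected:
            findings.append(f"unexpected: {rel}")
        elif actual[rel] != expected[rel]:
            findings.append(f"modified: {rel}")
    return not findings, findings


def demo():
    """Constructed scenario: build a manifest in the secure location, then
    simulate in-transit tampering.  Returns the three verification results."""
    key = b"constructed key that would live on the removable key media"
    with tempfile.TemporaryDirectory() as root:
        r = Path(root)
        (r / "sbin").mkdir()
        (r / "sbin" / "init").write_bytes(b"#!/bin/sh\nexec /usr/bin/real-init\n")
        (r / "etc").mkdir()
        (r / "etc" / "system").write_bytes(b"set zfs:zfs_arc_max=0x10000000\n")
        build_manifest(root, key)
        clean = verify_manifest(root, key)
        # Attacker with write access to the cleartext boot bits but not the key:
        # patches init and drops an extra binary.
        (r / "sbin" / "init").write_bytes(b"#!/bin/sh\nleak-keys; exec /usr/bin/real-init\n")
        (r / "sbin" / "backdoor").write_bytes(b"constructed payload")
        tampered = verify_manifest(root, key)
        # Attacker who also regenerates the manifest, but with a guessed key.
        build_manifest(root, b"wrong key")
        resigned = verify_manifest(root, key)
    return clean, tampered, resigned


if __name__ == "__main__":
    for label, (ok, findings) in zip(("clean", "tampered", "resigned"), demo()):
        print(label, "OK" if ok else "TAMPERED", findings)
```

The check is only as good as where the key and the verifier live: if either is on the transported disk, the attacker who tampers with the disk can re-tag it, which is exactly why Dan separates the key media from the chassis.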
