Lofi could be an option but only if it

- would work on raw disks, not only on files (on a ZFS pool)
- would support hardware encryption (too slow now)

Currently it is perfect if you want to create a smaller encrypted ZFS pool
that you want to back up (the underlying files) with ZFS security to insecure places like a cloud.

In a time where every national security service worldwide / staff to sell data / other enterprises / country wants your data, encryption is a must even in a datacenter or server room. In a perfect implementation this MUST be done on a user/share level, not on a server level where any admin/NSA or whoever has access to the server data once they get unlocked.

This is important for everything, especially for cloud storage.
Transport encryption is worthless if the data on a server is open and not encrypted in a way that only a single end-user can access/encrypt data with a user key, not the server admin. Any current ZFS encryption is worthless in this sense, as you unlock data on bootup and then it's open for every admin or server process.

In this case, as SmartOS is intended for cloud use, I hope that there will come something in the future that gives us this level of security at an end-user level.


Gea



On 15.03.2015 05:22, Jonathan Paget via smartos-discuss wrote:
I forgot about lofi

zones/$UUID--lofi-backend0 --->  /dev/$UUID--lofi-device0

vmadm get $UUID | json disks | grep zfs_filesystem
zfs_filesystem": "zones/$UUID--lofi-device0"

or something like the above



On Sat, Mar 14, 2015 at 5:11 PM, Richard Elling wrote:


    On Mar 14, 2015, at 2:08 PM, Jonathan Paget via smartos-discuss wrote:

    >>Are there any encryption options?

    Your only real option is for a KVM guest to use encryption inside
    a Zone (CentOS and Ubuntu offer encryption at their install
    screens).   Some people use ZVOLs as back-ends for FreeBSD's GELI
    on FreeBSD, or use GELI to encrypt the underlying vdevs of their
    zpool, but FreeBSD Jails aren't anywhere near a complete
    alternative to zones.

    lofi on SmartOS, managed with the lofiadm command. There would be some
    assembly required, but shouldn't need any new code.
     -- richard


    If you need to run Windows guests, you could probably find a way
    to PXE-boot them off of iSCSI targets (running in another Zone)
    that have encrypted back-ends or just have them use Samba to
    access encrypted volumes.


    Yes, I understand everything I typed above is very ugly. I would
    really like to see encryption added to the illumos/ZFS or OpenZFS
    feature set, would do it myself if I currently held the necessary
    skillset.


    On Sat, Mar 14, 2015 at 2:00 PM, George Linn via smartos-discuss wrote:

        Are there any encryption options? Specifically if the SmartOS
        installation is used primarily for hosting Zones.  Could
        sleep better knowing that if my machine was physically
        compromised my data would be a bit more difficult to access.

        ------------------------------------------------------------------------
        *From:* Brian Bennett via smartos-discuss
        *To:* [email protected]; George Linn
        *Sent:* Saturday, March 14, 2015 4:29 PM
        *Subject:* Re: [smartos-discuss] ZFS encryption

        ZFS encryption was integrated into Solaris 11 after
        OpenSolaris updates stopped. That's not to say it couldn't be
        added, but it hasn't been a priority so far.

        -- Brian Bennett
        Systems Engineer, Cloud Operations, Joyent, Inc.
        655 Montgomery St., Suite 1600 | San Francisco | California | 94111
        www.joyent.com
        office 415-400-0645 | mobile 619-663-IPv6



        On Mar 14, 2015, at 11:17 AM, George Linn via smartos-discuss wrote:

        After some searching, it seems that there is no integrated
        encryption for ZFS in SmartOS that would allow something
        like the following to happen:

            zfs create -o encryption=on rpool/export/somthing

        Can encryption be used with ZFS at all on SmartOS?  I see
        some examples of creating encrypted block devices in
        OpenIndiana but I am not sure how this is helpful in a
        general sense on SmartOS since my disk space is all
        allocated during the initial installation of SmartOS.




--
Gea



