>> - would work on raw disks not only on files (on a ZFS pool)

Does Lofi not work on ZVOLs?


>> - would support hardware encryption (too slow now)

Does Lofi not take advantage of Intel AES-NI?


-------- Original Message --------
Subject: Re: [smartos-discuss] ZFS encryption
From: "Günther Alka via smartos-discuss"
<[email protected]>
Date: Sun, March 15, 2015 6:28 am
To: [email protected]

Lofi could be an option, but only if it

- would work on raw disks, not only on files (on a ZFS pool)
- would support hardware encryption (too slow now)

Currently it is perfect if you want to create a smaller encrypted ZFS
pool that you want to back up (the underlying files) with ZFS security
to unsecure places like a cloud.

In a time where every national security service worldwide / staff to
sell data / other enterprises / country wants your data, encryption is a
must even in a datacenter or server room. In a perfect implementation
this MUST be done on a user/share level, not on a server level where any
admin/NSA or whoever has access to the server data once they get
unlocked.

This is important for everything, especially for cloud storage.
Transport encryption is worthless if the data on a server is open and
not encrypted in a way that only a single end-user can access/encrypt
data with a user key, not the server admin. Any current ZFS encryption is
worthless in this sense as you unlock data on bootup and then it's open
for every admin or server process.

In this case, as SmartOS is intended for cloud use, I hope that there
will come something in the future that gives us this level of security
at an end-user level.


Gea



On 15.03.2015 05:22, Jonathan Paget via smartos-discuss wrote:

I forgot about lofi

zones/$UUID--lofi-backend0 --->  /dev/$UUID--lofi-device0

vmadm get $UUID | json disks | grep zfs_filesystem
"zfs_filesystem": "zones/$UUID--lofi-device0"

or something like the above

On Sat, Mar 14, 2015 at 5:11 PM, Richard Elling
<[email protected]> wrote:

On Mar 14, 2015, at 2:08 PM, Jonathan Paget via smartos-discuss
<[email protected]> wrote:

>> Are there any encryption options?

Your only real option is for a KVM guest to use encryption inside a Zone
(CentOS and Ubuntu offer encryption at their install screens).   Some
people use ZVOLs as back-ends for FreeBSD's GELI on FreeBSD, or use GELI
to encrypt the underlying vdevs of their zpool, but FreeBSD Jails aren't
anywhere near a complete alternative to zones.




lofi on SmartOS, managed with the lofiadm command. There would be some
assembly required, but shouldn't need any new code.
 -- richard



If you need to run Windows guests, you could probably find a way to
PXE-boot them off of iSCSI targets (running in another Zone) that have
encrypted back-ends or just have them use Samba to access encrypted
volumes.




Yes, I understand everything I typed above is very ugly.   I would really
like to see encryption added to the illumos/ZFS or OpenZFS feature set,
would do it myself if I currently held the necessary skillset.


On Sat, Mar 14, 2015 at 2:00 PM, George Linn via smartos-discuss
<[email protected]> wrote:
Are there any encryption options?  Specifically if the SmartOS
installation is used primarily for hosting Zones.  Could sleep better
knowing that if my machine was physically compromised my data would be a
bit more difficult to access.

 From: Brian Bennett via smartos-discuss
<[email protected]>
To: [email protected]; George Linn
<[email protected]> 
Sent: Saturday, March 14, 2015 4:29 PM
Subject: Re: [smartos-discuss] ZFS encryption


ZFS encryption was integrated into Solaris 11 after OpenSolaris updates
stopped. That's not to say it couldn't be added, but it hasn't been a
priority so far. 
-- 
Brian Bennett
Systems Engineer, Cloud Operations, Joyent, Inc.
655 Montgomery St., Suite 1600 | San Francisco | California | 94111
[email protected] | www.joyent.com
office 415-400-0645 | mobile 619-663-IPv6












On Mar 14, 2015, at 11:17 AM, George Linn via smartos-discuss
<[email protected]> wrote:

After some searching, it seems that there is no integrated encryption
for ZFS in SmartOS that would allow something like the following to
happen:


zfs create -o encryption=on rpool/export/somthing

 

Can encryption be used with ZFS at all on SmartOS?  I see some examples
of creating encrypted block devices in OpenIndiana but I am not sure how
this is helpful in a general sense on SmartOS since my disk space is all
allocated during the initial installation of SmartOS.
 



 -------------------------------------------
 smartos-discuss
 Archives: https://www.listbox.com/member/archive/184463/=now
 RSS Feed:
https://www.listbox.com/member/archive/rss/184463/26967883-1315225c
 Modify Your Subscription: https://www.listbox.com/member/?&;
 Powered by Listbox: http://www.listbox.com





