Edward Snowden shows us that

- you must care about your data, always, everywhere
- must not allow any admin to see your data
- must use end-to-end encryption (do not trust your provider, you need a personal key)
- you cannot lock out NSA & Co, but most others (and NSA needs a lot of effort if any data is end-user encrypted)
- any effort is better than the current "all is open"

even if you simply care about some business/private data without any criminal background
 

> 
> IMNSHO, relying on the filesystem to encrypt data is far inferior to
> encrypting at the application. If you have something worth hiding, do not
> rely on cleartext at any infrastructure level. The guvmint routinely shows
> how they've already compromised those things we use to build infrastructure.
>   -- richard
> 
>> 
>> This is important for everything, especially for cloud storage.
>> Transport encryption is worthless if the data on a server is open and not
>> encrypted in a way that only a single end-user can access/encrypt data with
>> a user-key, not the server admin. Any current ZFS encryption is worthless in
>> this sense as you unlock data on bootup and then it's open for every admin or
>> server process.
>>
>> In this case, as SmartOS is intended for cloud-use I hope that there will
>> come something in the future that gives us this level of security at an
>> end-user level.
>> 
>> 
>> Gea
>> 
>> 
>> 
>> On 15.03.2015 05:22, Jonathan Paget via smartos-discuss wrote:
>>> I forgot about lofi
>>> 
>>> zones/$UUID--lofi-backend0 --->  /dev/$UUID--lofi-device0
>>> 
>>> vmadm get $UUID | json disks | grep zfs_filesystem
>>> zfs_filesystem": "zones/$UUID--lofi-device0"
>>> 
>>> or something like the above
>>> 
>>> 
>>> 
>>> On Sat, Mar 14, 2015 at 5:11 PM, Richard Elling <[email protected]> wrote:
>>> 
>>>> On Mar 14, 2015, at 2:08 PM, Jonathan Paget via smartos-discuss
>>>> <[email protected]> wrote:
>>>> 
>>>> >> Are there any encryption options?
>>>> 
>>>> Your only real option is for a KVM guest to use encryption inside a Zone 
>>>> (CentOS and Ubuntu offer encryption at their install screens).   Some 
>>>> people use ZVOLs as back-ends for FreeBSD's GELI on FreeBSD, or use GELI 
>>>> to encrypt the underlying vdevs of their zpool, but FreeBSD Jails aren't 
>>>> anywhere near a complete alternative to zones.
>>> 
>>> lofi on SmartOS, managed with the lofiadm command. There would be some
>>> assembly required, but shouldn't need any new code.
>>>  -- richard
>>> 
>>>> 
>>>> If you need to run Windows guests, you could probably find a way to 
>>>> PXE-boot them off of iSCSI targets (running in another Zone) that have 
>>>> encrypted back-ends or just have them use Samba to access encrypted 
>>>> volumes.
>>>> 
>>>> 
>>>> Yes, I understand everything I typed above is very ugly.   I would really
>>>> like to see encryption added to the illumos/ZFS or OpenZFS feature set,
>>>> would do it myself if I currently held the necessary skillset.
>>>> 
>>>> 
>>>> On Sat, Mar 14, 2015 at 2:00 PM, George Linn via smartos-discuss
>>>> <[email protected]> wrote:
>>>> Are there any encryption options?  Specifically if the SmartOS 
>>>> installation is used primarily for hosting Zones.  Could sleep better 
>>>> knowing that if my machine was physically compromised my data would be a 
>>>> bit more difficult to access.
>>>> 
>>>> From: Brian Bennett via smartos-discuss <[email protected]>
>>>> To: [email protected]; George Linn <[email protected]>
>>>> Sent: Saturday, March 14, 2015 4:29 PM
>>>> Subject: Re: [smartos-discuss] ZFS encryption
>>>> 
>>>> ZFS encryption was integrated into Solaris 11 after OpenSolaris updates 
>>>> stopped. That's not to say it couldn't be added, but it hasn't been a 
>>>> priority so far.
>>>> 
>>>> -- 
>>>> Brian Bennett
>>>> Systems Engineer, Cloud Operations, Joyent, Inc.
>>>> 655 Montgomery St., Suite 1600 | San Francisco | California | 94111
>>>> [email protected] | www.joyent.com
>>>> office 415-400-0645 | mobile 619-663-IPv6
>>>> 
>>>> 
>>>> 
>>>>> On Mar 14, 2015, at 11:17 AM, George Linn via smartos-discuss
>>>>> <[email protected]> wrote:
>>>>> 
>>>>> After some searching, it seems that there is no integrated encryption for 
>>>>> ZFS in SmartOS that would allow something like the following to happen:
>>>>> 
>>>>> zfs create -o encryption=on rpool/export/somthing
>>>>>  
>>>>> Can encryption be used with ZFS at all on SmartOS?  I see some examples 
>>>>> of creating encrypted block devices in OpenIndiana but I am not sure how 
>>>>> this is helpful in a general sense on SmartOS since my disk space is all 
>>>>> allocated during the initial installation of SmartOS.
>>>>>  
>>>>> 
>>>>> smartos-discuss | Archives 
>>>>> <https://www.listbox.com/member/archive/184463/=now>  
>>>>> <https://www.listbox.com/member/archive/rss/184463/26986985-d0246faa> | 
>>>>> Modify <https://www.listbox.com/member/?&;> Your Subscription      
>>>>> <http://www.listbox.com/>
>>>> 
>>>> 
>>>> 
>>>> 
>>>> 
>>> 
>> 
>> -- 
>> Gea
>> 


