In that case you must use application layer encryption. You cannot rely upon 
the OS since keying material passed via the OS may be in the hands of the 
admin.  If you are using client devices you should encrypt at the device not at 
the server. 


> On Mar 15, 2015, at 1:27 PM, Günther Alka via smartos-discuss 
> <[email protected]> wrote:
> 
> Edward Snowden shows us that 
> 
> - you must care about your data. always, everywhere
> - must not allow any admin to see your data
> - must use end to end encryption (do not trust your provider, you need a 
> personal key)
> - you cannot lock out NSA & Co, but most others (and NSA needs a lot of 
> effort if any data is end-user encrypted)
> - any effort is better than the current "all is open"
> 
> even if you simply care about some business/private data without any criminal 
> background
>  
> 
>> 
>> IMNSHO, relying on the filesystem to encrypt data is far inferior to 
>> encrypting
>> at the application. If you have something worth hiding, do not rely on 
>> cleartext
>> at any infrastructure level. The guvmint routinely shows how they've already 
>> compromised those things we use to build infrastructure.
>>   -- richard
>> 
>>> 
>>> This is important for everything especially to cloud storage.
>>> Transport encryption is worthless if the data on a server is open and not 
>>> encrypted in a way that only a single end-user can access/encrypt data with 
>>> a user-key not the server admin. Any current ZFS encryption is worthless in 
>>> this sense as you unlock data on bootup and then it's open for every admin 
>>> or server process.
>>> 
>>> In this case, as SmartOS is intended for cloud-use I hope that there will 
>>> come something in the future that gives us this level of security at an 
>>> end-user level.
>>> 
>>> 
>>> Gea
>>> 
>>> 
>>> 
>>>> On 15.03.2015 05:22, Jonathan Paget via smartos-discuss wrote:
>>>> I forgot about lofi
>>>> 
>>>> zones/$UUID--lofi-backend0 --->  /dev/$UUID--lofi-device0
>>>> 
>>>> vmadm get $UUID | json disks | grep zfs_filesystem
>>>> "zfs_filesystem": "zones/$UUID--lofi-device0"
>>>> 
>>>> or something like the above
>>>> 
>>>> 
>>>> 
>>>>> On Sat, Mar 14, 2015 at 5:11 PM, Richard Elling 
>>>>> <[email protected]> wrote:
>>>>> 
>>>>>> On Mar 14, 2015, at 2:08 PM, Jonathan Paget via smartos-discuss 
>>>>>> <[email protected]> wrote:
>>>>>> 
>>>>>> >> Are there any encryption options?
>>>>>> 
>>>>>> Your only real option is for a KVM guest to use encryption inside a Zone 
>>>>>> (CentOS and Ubuntu offer encryption at their install screens).   Some 
>>>>>> people use ZVOLs as back-ends for FreeBSD's GELI on FreeBSD, or use GELI 
>>>>>> to encrypt the underlying vdevs of their zpool, but FreeBSD Jails aren't 
>>>>>> anywhere near a complete alternative to zones.
>>>>> 
>>>>> lofi on SmartOS, managed with the lofiadm command. There would be some
>>>>> assembly required, but shouldn't need any new code.
>>>>>  -- richard
>>>>> 
>>>>>> 
>>>>>> If you need to run Windows guests, you could probably find a way to 
>>>>>> PXE-boot them off of iSCSI targets (running in another Zone) that have 
>>>>>> encrypted back-ends or just have them use Samba to access encrypted 
>>>>>> volumes.
>>>>>> 
>>>>>> 
>>>>>> Yes I understand everything I typed above is very ugly.   I would really 
>>>>>> like to see encryption added to the illumos/ZFS or OpenZFS feature set, 
>>>>>> would do it myself if I currently held the necessary skillset.
>>>>>> 
>>>>>> 
>>>>>>> On Sat, Mar 14, 2015 at 2:00 PM, George Linn via smartos-discuss 
>>>>>>> <[email protected]> wrote:
>>>>>>> Are there any encryption options?  Specifically if the SmartOS 
>>>>>>> installation is used primarily for hosting Zones.  Could sleep better 
>>>>>>> knowing that if my machine was physically compromised my data would be 
>>>>>>> a bit more difficult to access.
>>>>>>> 
>>>>>>> From: Brian Bennett via smartos-discuss 
>>>>>>> <[email protected]>
>>>>>>> To: [email protected]; George Linn 
>>>>>>> <[email protected]> 
>>>>>>> Sent: Saturday, March 14, 2015 4:29 PM
>>>>>>> Subject: Re: [smartos-discuss] ZFS encryption
>>>>>>> 
>>>>>>> ZFS encryption was integrated into Solaris 11 after OpenSolaris updates 
>>>>>>> stopped. That's not to say it couldn't be added, but it hasn't been a 
>>>>>>> priority so far.
>>>>>>> 
>>>>>>> -- 
>>>>>>> Brian Bennett
>>>>>>> Systems Engineer, Cloud Operations, Joyent, Inc.
>>>>>>> 655 Montgomery St., Suite 1600 | San Francisco | California | 94111
>>>>>>> [email protected] | www.joyent.com
>>>>>>> office 415-400-0645 | mobile 619-663-IPv6
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>>> On Mar 14, 2015, at 11:17 AM, George Linn via smartos-discuss 
>>>>>>>> <[email protected]> wrote:
>>>>>>>> 
>>>>>>>> After some searching, it seems that there is no integrated encryption 
>>>>>>>> for ZFS in SmartOS that would allow something like the following to 
>>>>>>>> happen:
>>>>>>>> 
>>>>>>>> zfs create -o encryption=on rpool/export/somthing
>>>>>>>>  
>>>>>>>> Can encryption be used with ZFS at all on SmartOS?  I see some 
>>>>>>>> examples of creating encrypted block devices in OpenIndiana but I am 
>>>>>>>> not sure how this is helpful in a general sense on SmartOS since my 
>>>>>>>> disk space is all allocated during the initial installation of SmartOS.
>>>>>>>>  
>>>>>>>> 
>>>>>>>> smartos-discuss | Archives  | Modify Your Subscription 
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> -------------------------------------------
>>>>>>> smartos-discuss
>>>>>>> Archives: https://www.listbox.com/member/archive/184463/=now
>>>>>>> RSS Feed: 
>>>>>>> https://www.listbox.com/member/archive/rss/184463/26967883-1315225c
>>>>>>> Modify Your Subscription: https://www.listbox.com/member/?&;
>>>>>>> Powered by Listbox: http://www.listbox.com
>>>>>>> 
>>>>>>> 
>>> 
>>> 
>>> -- 
>>> Gea
>>> 
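
The argument made in this thread (encrypt on the client with a key the server admin never holds, rather than relying on storage that is unlocked at boot), shown as an added example that is not part of any poster's message. It assumes the Python `cryptography` package; `seal`, `unseal`, `rejected`, the `server` dict and the sample data are constructed for illustration.

```python
import hashlib
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

SALT_LEN, NONCE_LEN = 16, 12  # stored blob layout: salt | nonce | ciphertext+tag

def derive_key(passphrase: str, salt: bytes) -> bytes:
    # Runs on the client only; the passphrase and key never reach the server.
    return hashlib.scrypt(passphrase.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)

def seal(passphrase: str, name: str, plaintext: bytes) -> bytes:
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    # The object name is bound as associated data, so a blob cannot be
    # silently served back under a different name.
    ct = AESGCM(derive_key(passphrase, salt)).encrypt(nonce, plaintext, name.encode())
    return salt + nonce + ct

def unseal(passphrase: str, name: str, blob: bytes) -> bytes:
    salt, nonce = blob[:SALT_LEN], blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    key = derive_key(passphrase, salt)
    return AESGCM(key).decrypt(nonce, blob[SALT_LEN + NONCE_LEN:], name.encode())

def rejected(passphrase: str, name: str, blob: bytes) -> bool:
    # True when authenticated decryption fails (wrong key, altered or moved blob).
    try:
        unseal(passphrase, name, blob)
        return False
    except InvalidTag:
        return True

def demo() -> dict:
    server = {}  # hypothetical untrusted store: the admin reads and writes it freely
    secret = b"constructed sample: Q1 customer list"
    server["customers"] = seal("user-held passphrase", "customers", secret)
    blob = server["customers"]
    flipped = blob[:-1] + bytes([blob[-1] ^ 1])  # admin alters one bit
    return {
        "plaintext_on_server": secret in blob,
        "owner_reads": unseal("user-held passphrase", "customers", blob) == secret,
        "wrong_key_rejected": rejected("admin guess", "customers", blob),
        "tamper_rejected": rejected("user-held passphrase", "customers", flipped),
        "rename_rejected": rejected("user-held passphrase", "invoices", blob),
    }

if __name__ == "__main__":
    print(demo())
```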


