This is in fact exactly the approach we are taking at $job - glad to see we aren't alone in this thinking.
Blake > On 15 Mar 2015, at 23:58, Garrett D'Amore via smartos-discuss > <[email protected]> wrote: > > In that case you must use application layer encryption. You cannot rely upon > the OS since keying material passed via the OS may be in the hands of the > admin. If you are using client devices you should encrypt at the device not > at the server. > > Sent from my iPhone > >> On Mar 15, 2015, at 1:27 PM, Günther Alka via smartos-discuss >> <[email protected]> wrote: >> >> Edward Snowden shows us that >> >> - you must care about your data. always, everywhere >> - must not allow any admin to see your data >> - must use end to end encryption (do not trust your provider, you need a >> personal key) >> - you cannot lock out NSA & Co, but most others (and NSA needs a lot of >> efforts if any data is end-user encrypted) >> - any effort is better than the current „all is open" >> >> even if you simply care about some business/private data without any >> criminal background >> >> >>> >>> IMNSHO, relying on the filesystem to encrypt data is far inferior to >>> encrypting >>> at the application. If you have something worth hiding, do not rely on >>> cleartext >>> at any infrastructure level. The guvmint routinely shows how they've >>> already >>> compromised those things we use to build infrastructure. >>> -- richard >>> >>>> >>>> This is important for everything especially to cloud storage. >>>> Transport encryption is worthless if the data on a server is open and not >>>> encrypted in a way that only a single end-user can access/encrypt data >>>> with a user-key not the server admin. Any current ZFS encryption is >>>> worthless in this sense as you unlock data on bootup and then its open for >>>> every admin or server process. >>>> >>>> In this case, as SmartOS is intended for cloud-use I hope that there will >>>> come something in the future that gives us this level of security at a >>>> end-user level. >>>> >>>> >>>> Gea >>>> >>>> >>>> >>>>> On 15.03.2015 05:22, Jonathan Paget via smartos-discuss wrote: >>>>> I forgot about lofi >>>>> >>>>> zones/$UUID--lofi-backend0 ---> /dev/$UUID--lofi-device0 >>>>> >>>>> vmadm get $UUID | json disks | grep zfs_filesystem >>>>> zfs_filesystem": "zones/$UUID--lofi-device0" >>>>> >>>>> or something like the above >>>>> >>>>> >>>>> >>>>>> On Sat, Mar 14, 2015 at 5:11 PM, Richard Elling >>>>>> <[email protected]> wrote: >>>>>> >>>>>>> On Mar 14, 2015, at 2:08 PM, Jonathan Paget via smartos-discuss >>>>>>> <[email protected]> wrote: >>>>>>> >>>>>>> >> Are there any encryption options? >>>>>>> >>>>>>> Your only real option is for a KVM guest to use encryption inside a >>>>>>> Zone (CentOS and Ubuntu offer encryption at their install screens). >>>>>>> Some people use ZVOLs as back-ends for FreeBSD's GELI on FreeBSD, or >>>>>>> use GELI to encrypt the underlying vdevs of their zpool, but FreeBSD >>>>>>> Jails aren't anywhere near a complete alternative to zones. >>>>>> >>>>>> lofi on SmartOS, managed with the lofiadm command. There would be some >>>>>> assembly required, but shouldn't need any new code. >>>>>> -- richard >>>>>> >>>>>>> >>>>>>> If you need to run Windows guests, you could probably find a way to >>>>>>> PXE-boot them off of iSCSI targets (running in another Zone) that have >>>>>>> encrypted back-ends or just have them use Samba to access encrypted >>>>>>> volumes. >>>>>>> >>>>>>> >>>>>>> Yes I understand everything I typed above is very ugly. I would >>>>>>> really like to see encrypted added to the illumos/ZFS or OpenZFS >>>>>>> feature set, would do it myself if I currently held the necessary >>>>>>> skillset. >>>>>>> >>>>>>> >>>>>>>> On Sat, Mar 14, 2015 at 2:00 PM, George Linn via smartos-discuss >>>>>>>> <[email protected]> wrote: >>>>>>>> Are there any encryption options? Specifically if the SmartOS >>>>>>>> installation is used primarily for hosting Zones. Could sleep better >>>>>>>> knowing that if my machine was physically compromised my data would be >>>>>>>> a bit more difficult to access. >>>>>>>> >>>>>>>> From: Brian Bennett via smartos-discuss >>>>>>>> <[email protected]> >>>>>>>> To: [email protected]; George Linn >>>>>>>> <[email protected]> >>>>>>>> Sent: Saturday, March 14, 2015 4:29 PM >>>>>>>> Subject: Re: [smartos-discuss] ZFS encryption >>>>>>>> >>>>>>>> ZFS encryption was integrated into Solaris 11 after OpenSolaris >>>>>>>> updates stopped. That's not to say it couldn't be added, but it hasn't >>>>>>>> been a priority so far. >>>>>>>> >>>>>>>> -- >>>>>>>> Brian Bennett >>>>>>>> Systems Engineer, Cloud Operations, Joyent, Inc. >>>>>>>> 655 Montgomery St., Suite 1600 | San Francisco | California | 94111 >>>>>>>> [email protected] | www.joyent.com >>>>>>>> office 415-400-0645 | mobile 619-663-IPv6 >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>>> On Mar 14, 2015, at 11:17 AM, George Linn via smartos-discuss >>>>>>>>> <[email protected]> wrote: >>>>>>>>> >>>>>>>>> After some searching, it seems that there is no integrated encryption >>>>>>>>> for ZFS in SmartOS that would allow something like the following to >>>>>>>>> happen: >>>>>>>>> >>>>>>>>> zfs create -o encryption=on rpool/export/somthing >>>>>>>>> >>>>>>>>> Can encryption be used with ZFS at all on SmartOS? I see some >>>>>>>>> examples of creating encrypted block devices in OpenIndiana but I am >>>>>>>>> not sure how this is helpful in a general sense on SmartOS since my >>>>>>>>> disk space is all allocated during the initial installation of >>>>>>>>> SmartOS. >>>>>>>>> >>>>>>>>> >>>>>>>>> smartos-discuss | Archives | Modify Your Subscription >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> ------------------------------------------- >>>>>>>> smartos-discuss >>>>>>>> Archives: https://www.listbox.com/member/archive/184463/=now >>>>>>>> RSS Feed: >>>>>>>> https://www.listbox.com/member/archive/rss/184463/26967883-1315225c >>>>>>>> Modify Your Subscription: https://www.listbox.com/member/?&; >>>>>>>> Powered by Listbox: http://www.listbox.com >>>>>>>> >>>>>>>> >>>>>>>> smartos-discuss | Archives | Modify Your Subscription >>>>>>> >>>>>>> smartos-discuss | Archives | Modify Your Subscription >>>>>> >>>>> >>>>> smartos-discuss | Archives | Modify Your Subscription >>>> >>>> >>>> -- >>>> Gea >>>> >>>> smartos-discuss | Archives | Modify Your Subscription >>> >>> smartos-discuss | Archives | Modify Your Subscription >> >> smartos-discuss | Archives | Modify Your Subscription > > smartos-discuss | Archives | Modify Your Subscription ------------------------------------------- smartos-discuss Archives: https://www.listbox.com/member/archive/184463/=now RSS Feed: https://www.listbox.com/member/archive/rss/184463/25769125-55cfbc00 Modify Your Subscription: https://www.listbox.com/member/?member_id=25769125&id_secret=25769125-7688e9fb Powered by Listbox: http://www.listbox.com
