[zfs-discuss] Encryption through compression?

Thu, 12 Mar 2009 01:40:55 -0700 

Hello everyone,
My understanding is that the ZFS crypto framework will not release until 2010. In light of that, I'm wondering if the following approach to encryption could make sense for some subset of users: 


The idea is to use the compression framework to do both compression and 
encryption in one pass.  This would be done by defining a new compression 
type, which might be called "compress-encrypt" or something like that. 
There could be two levels, one that does both compress and encrypt and 
another that does encrypt only.


I see the following issues with this approach:


1.  ZFS compression framework presently takes compressed data only if there 
was at least 12.5% reduction.  For data that didn't compress, you would wind 
up storing it unencrypted, even if encryption was on.



2.  Meta-data would not be encrypted.  I.e., even if you don't have the key, 
you will be able to do directory listings and see file names, etc.


3.  There is no key management framework.

I would deal with these as follows:


Issue #1 can be solved by changing ZFS code such that it always accepts the 
"compressed" data.  I guess this is an easy change.


Issue #2 may be a limitation to some and feature to others.  May be OK.


Issue #3 can be solved using encryption hardware (which my company happens 
to make).  The keys are stored in hardware and can be used directly from 
that.  Of course, this means that the solution will be specific to our 
hardware, but that's fine by me.



The idea is that we would do this project on our own and supply this 
modified ZFS with our compression/encryption hardware to our customers.  We 
may submit the patch for inclusion in some future version of OS, if the 
developers are amenable to that.



Does anyone see any problems with this?  There are probably various gotchas 
here that I haven't thought of.  If you can think of any, please let me 
know.


Thanks,

Monish
----
Monish Shah
CEO, Indra Networks, Inc.
www.indranetworks.com

_______________________________________________
zfs-discuss mailing list
zfs-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/zfs-discuss






















					Reply via email to