On 17/11/2010 10:17, Richard Elling wrote:
> > I know there are far more apps without support for encryption than
> > with it. And given the ever more stringent government regulations in
> > the US, there are plenty of customers chomping at the bit for
> > encryption at the storage array.
>
> I do not disagree. There are many products in the market that
> "seamlessly" encrypt data. But, vi has had encryption for almost
> 30 years, so there is clearly no barrier to app writers. As more
> development moves to the cloud, encryption comes almost free
> at the app layer. The only thing left is the legacy apps...

Encryption at the application layer solves a different set of problems to encryption at the storage layer. Just like the encryption in ZFS solves a different set of problems to full disk encryption in the drive firmware.

These sets have overlapping regions and depending on security policies one or more may be the best solution.

As always, "encryption" is the "easy" part; it is key management that is hard, because key management enters the realm of policy and key management can be hard to scale out to large numbers of apps.

There is no one "correct" solution for where to do encryption, just like there is no one correct way to write files onto persistent media. Choice is important and sometimes choosing more than one is the correct thing to do.

--
Darren J Moffat
_______________________________________________
zfs-discuss mailing list
zfs-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/zfs-discuss
