OpenSolaris

1. Project: ZFS on disk encryption support
   1. Announcements
   2. Blogs
   3. Discussions
   4. Leaders
   5. Observers
   6. Files
   7. Phase 1
      1. IV Generation
      2. Encryption Cipher Modes
      3. Using KCF
      4. Encryption by DMU Object Type
      5. Phase 1 Alpha Release Notes
      6. libzfs API additions
      7. CLI
      8. L2ARC Encryption
      9. Test Plan
      10. Test Assertions
   8. Project Plan
   9. Design Review
   10. Phase 1 Codereview

OpenSolaris Project: ZFS on disk encryption support

View the leaders for this project
Project Observers

Endorsing communities

NFS
Networking
OS/Net (ON)
Security
Storage
Testing
ZFS

What are we doing ?

This project will provide on disk encryption/decryption support for ZFS datasets. The project will cover the addition of encryption and decryption to the ZFS IO pipeline and the key management for ZFS datasets.

It will deliver in multiple phases to support different key management strategies including one which provides support for secure deletion based on encrypted datasets.

Documentation

• Phase 1 Design Doc
• Overview Presentation
• Project Plan

Current Status

Phase 1 implementation

Implementation: In progress source code in Mercurial repository:

$ hg clone ssh://hg.opensolaris.org/hg/zfs-crypto/gate myworkingcopy

Alpha release of Phase 1 made on October 1st 2007.

Feature complete (modulo dnode bonusbuf) April 2008.

Integration Target: snv_100

Bugs are tracked in Bugster: development/zfs/ with zfs-crypto keyword.

See the Project Plan page for more details.

Phased Delivery

Phase 1

• Per dataset policy for enabling encryption, including algorithm and key length.
• Per dataset keys wrapped by single per pool key
• Per dataset keys wrapped by a dataset level key
• Pool/Dataset key from passphrase using PKCS#5 PBE
• Pool/Dataset key in file/stdin as raw bits or in hex
• Encrypted swap via encrypted ZVOL
• NO support for encrypted boot filesystem
• NO support for encrypted dump ZVOL (phase 2)

Phase 2 (Proposed only TBC)

• Encrypted ZVOL dump devices
• Wrapping keys in PKCS#11 keystore, eg SCA-6000
• Data encryption keys as sensitive session objects in PKCS#11 keystore MUST have a kernel driver and hardware keystore such as SCA-6000
• PAM module for user home directory with per dataset keying.

Announcements

03 Jul 2008	Demo at LOSUG
04 Oct 2007	x86 Alpha bfu released
30 May 2006	First Crypt!
22 Feb 2006	Opening day

Blogs

darren - A TX window without a label ? Opps ?

Jun 26, 9:37 AM

What is going on here ? Surely that editor window on the right hand side is a problem it doesn't have a sensitivity label on it ? Answer is in the next picture: This was a screenshot of Trusted ...

darren - Role enhancements Proposal

Jun 26, 3:41 AM

Allowing role to same role over network The current implementation of pam_roles has an "allow_remote" module argument that allows the role to be assumed over the network when PAM_AUSER is set. ...

bonwick - ZFS in MacOS X Snow Leopard

Jun 10, 2:54 AM

It's official! Cheers to Noel, Don, Bertrand, and all the great folks at Apple. Now when can I get this in Time Capsule?   :-)

Jun-Hui Paul Duan - 豪快なレイヤー分け違反

Jun 2, 6:24 PM

Andrew Morton が ZFS を 「豪快なレイヤー違反」 と呼んだのは有名ですが、その理由は、ファイルシステムの機能、ボリューム管理、RAID コントローラを統合していることにあります。 違反 という言葉の意味をどう取るかで、解釈が異なると思います。 ZFS の設計に際して、ストレージスタックの標準的なレイヤー分けが、驚くほど大量の無駄手間と冗長な処理を含んでいることを発見しました。 ...

darren - VNC as OpenSolaris 2008.05 console

May 23, 9:46 AM

Changing OpenSolaris 2008.05 to use Xvnc for the default X server rather than Xorg is really simple. OpenSolaris 2008.05 uses GDM as the graphical login manager. GDM starts the X server using ...