OpenSolaris

OpenSolaris Project: ZFS on disk encryption support

Endorsing communities

NFS
OS/Net (ON)
Security
Storage
Testing
ZFS

Status

Original feature set complete April 2008.

Integration Target: Q4CY09

Why have we changed the schedule?

There are some other planned features of ZFS that were not started at the time the ZFS Crypto design was previously finalised. It has since been discovered that some of these could be incompatible with the original design for dataset encryption. We wish to ensure that crypto is compatible with the following ZFS features when they integrate (which may be before or after the crypto):

  • BP rewriter: Specifically for (non mirror) device removal
  • Deduplication
  • send/recv enhancements

We have also decided to simplify the admin model for encryption, since there were some aspects that weren't fully in the ZFS model. It was also discovered that the functionality of a pool-wide wrapping key can be achieved using per-dataset wrapping keys if normal ZFS property inheritance is obeyed. This leads to the following changes:

  • Removing the keyscope distinction: there is no pool-wide key; all keying is per dataset
  • Wrapping key inherited when keysource property is inherited
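
The following Python model is an added illustration, not code from the ZFS crypto project. It shows how setting keysource once at the pool root and letting children inherit it gives the effect of a pool-wide wrapping key, while a dataset that sets keysource locally gets its own. The dataset names, passphrases, salts, and PBKDF2 parameters (HMAC-SHA256, iteration count, key length) are assumptions.

```python
import hashlib

# Constructed hierarchy (hypothetical names): child -> parent.
PARENT = {
    "tank": None,
    "tank/home": "tank",
    "tank/home/alice": "tank/home",
    "tank/secret": "tank",
    "tank/secret/hr": "tank/secret",
}

# Datasets where keysource is set locally: (passphrase, salt). Every other
# dataset inherits. Values are constructed; where a real implementation
# stores the salt is not stated on the page.
LOCAL_KEYSOURCE = {
    "tank": (b"pool passphrase", bytes(16)),
    "tank/secret": (b"separate passphrase", bytes([1]) * 16),
}


def keysource_owner(dataset):
    """Walk up the hierarchy to the dataset whose keysource is set locally."""
    node = dataset
    while node is not None:
        if node in LOCAL_KEYSOURCE:
            return node
        node = PARENT[node]
    raise LookupError(f"no keysource set on {dataset} or any ancestor")


def wrapping_key(dataset, iterations=100_000, length=32):
    """Derive the wrapping key with PBKDF2 (PKCS#5 v2) at the keysource owner."""
    passphrase, salt = LOCAL_KEYSOURCE[keysource_owner(dataset)]
    # Assumed parameters: HMAC-SHA256, 100000 iterations, 256-bit key.
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, iterations, length)


def key_groups():
    """Group datasets by the dataset whose wrapping key they end up using."""
    groups = {}
    for ds in sorted(PARENT):
        groups.setdefault(keysource_owner(ds), []).append(ds)
    return groups


if __name__ == "__main__":
    for owner, members in key_groups().items():
        print(owner, "wraps data encryption keys of", members)
```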

We have also added one additional feature:

  • Clones can choose to have a new data encryption key, separate from the origin's. This allows for secure deletion of clone branches independently of each other.

Last onnv-gate resync: onnv_108

Getting the source

Implementation: In progress source code in Mercurial repository:

$ hg clone ssh://hg.opensolaris.org/hg/zfs-crypto/gate myworkingcopy

Webrev against onnv-gate

Need really up-to-the-second status?

Follow darrenmoffat on Twitter and look for tweets starting with zfs-crypto.

What are we doing?

This project will provide on disk encryption/decryption support for ZFS datasets. The project will cover the addition of encryption and decryption to the ZFS IO pipeline and the key management for ZFS datasets.

It will support different key management strategies by allowing scripting of the zfs(1) command for key load/unload/change and an API in libzfs.

Documentation

Logging Bugs:

Bugs are tracked in Bugster: development/zfs/ with zfs-crypto keyword.

See the Project Plan page for more details.

Features

  • Per dataset policy for enabling encryption, including algorithm and key length.
  • Per dataset data encryption keys wrapped by a dataset level key
    • Inherited when keyscope property is inherited
  • Dataset wrapping key from passphrase using PKCS#5 PBE
  • Dataset wrapping key in file/stdin as raw bits or in hex
  • Encrypted swap via encrypted ZVOL
  • NO support for encrypted boot filesystem
  • NO support for encrypted dump ZVOL

Futures

  • Encrypted ZVOL dump devices
  • Wrapping keys in PKCS#11 keystore, e.g. SCA-6000, TPM, Smartcard
  • PAM module for user home directory with per dataset keying.

Announcements

03 Jul 2008 Demo at LOSUG
04 Oct 2007 x86 Alpha bfu released
30 May 2006 First Crypt!
22 Feb 2006 Opening day

Blogs

darren - printf should not SEGV when passed NULL for %s format

Jun 24, 10:14 AM

darren - Encrypting ZFS pools using lofi crypto

Jun 1, 3:00 AM

I'm running OpenSolaris 2009.06 on my laptop, soon I'll be running my own development bits of ZFS Crypto but I couldn't do that because OpenSolaris 2009.06 is based on build 111 but the ZFS crypto ...

darren - Running Privileged Applications in the OpenSolaris GNOME Desktop

Apr 8, 5:30 AM

gksu(1) says: This manual page documents briefly gksu and gksudo gksu is a frontend to su and gksudo is a frontend to sudo. Their primary purpose is to run graphical commands that ...

darren - ZFS Crypto Update

Apr 2, 12:02 PM

I think I have everything from the "new world order" implemented now. Most of it is even working! Now 1404 lines smaller and much more functional! Summary of changes: IV now always in BP acros for IV ...

izick - Bugs the bite: C_WrapKey returnning CKR_MECHANISM_INVALID

Mar 2, 10:14 PM

Recently there was a case where an application used C_WrapKey() with an RSA key pair, on a Niagara-based system running Solaris 10, and the return code was CKR_MECHANISM_INVALID. Since RSA is ...