OpenSolaris

1. Project: ZFS on disk encryption support
   1. Announcements
   2. Blogs
   3. Discussions
   4. Leaders
   5. Observers
   6. Files
   7. Phase 1
      1. IV Generation
      2. Encryption Cipher Modes
      3. Using KCF
      4. Encryption by DMU Object Type
      5. Phase 1 Alpha Release Notes
      6. libzfs API additions
      7. CLI
      8. L2ARC Encryption
   8. Project Plan
   9. Design Review
   10. Phase 1 Codereview

OpenSolaris Project: ZFS on disk encryption support

View the leaders for this project
Project Observers

Endorsing communities

NFS
Networking
OS/Net (ON)
Security
Storage
Testing
ZFS

What are we doing ?

This project will provide on disk encryption/decryption support for ZFS datasets. The project will cover the addition of encryption and decryption to the ZFS IO pipeline and the key management for ZFS datasets.

It will deliver in multiple phases to support different key management strategies including one which provides support for secure deletion based on encrypted datasets.

Documentation

• Phase 1 Design Doc
• Overview Presentation
• Project Plan

Current Status

Phase 1 implementation

Implementation: In progress source code in Mercurial repository:

$ hg clone ssh://hg.opensolaris.org/hg/zfs-crypto/gate myworkingcopy

Alpha release of Phase 1 made on October 1st 2007.

See the Project Plan page for more details.

Phased Delivery

Phase 1

• Per dataset policy for enabling encryption, including algorithm and key length.
• Per dataset keys wrapped by single per pool key
• Per dataset keys wrapped by a dataset level key
• Pool/Dataset key from passphrase using PKCS#5 PBE
• Pool/Dataset key in file as raw bits or in hex

Announcements

03 Jul 2008	Demo at LOSUG
04 Oct 2007	x86 Alpha bfu released
30 May 2006	First Crypt!
22 Feb 2006	Opening day

Blogs

darren - Worst (and Best) keyboards

May 9, 1:11 PM

Seems like for some reason I didn't actually post this when I wrote it on Jan 10th 2008, so I'll post it now I've just read over the PC World "10 Worst Keyboards of all time" article . Out of the 10 ...

darren - Missing Apple Mac hardware

May 9, 1:10 PM

My current home machine is a first generation (ordered the day after the announcement) PPC Mac Mini. I initially ordered it with 512Mb RAM and no WiFi or Bluetooth. It has since been upgraded to 1G ...

darren - Simple CLI based CA on Solaris

Apr 30, 7:25 AM

With the recently added ability to sign PKCS#10 certificate request files the pktool(1) command of OpenSolaris can be used as a very simple Certificate Authority, similar to what can be done with the ...

darren - Mercurial Links

Feb 19, 7:21 AM

A few hopefully helpful links for OpenSolaris /JDK developers in the transition to mercurial (hg). Distributed revision control with Mercurial: http://hgbook.red-bean.com/hgbook.html Genunix.org Wiki ...

darren - isaexec(1) as a shell script

Feb 4, 5:08 AM

/usr/lib/isaexec is often used to provide automatic selection of a 32 vs 64 bit binary, however it can actually do much more than that it can pick between sparcv8+vis and sparcv8 for example. What it ...