OpenSolaris


OpenSolaris Project: ZFS on disk encryption support


Endorsing communities

NFS
Networking
OS/Net (ON)
Security
Storage
Testing
ZFS

Status

Feature complete April 2008.

Integration Target: snv_109

Last onnv-gate resync: onnv_103

Getting the source

Implementation: the in-progress source code is in a Mercurial repository:

$ hg clone ssh://hg.opensolaris.org/hg/zfs-crypto/gate myworkingcopy

Webrev against onnv-gate

Need up-to-the-second status?

Follow darrenmoffat on Twitter and look for tweets starting with zfs-crypto.

What are we doing?

This project will provide on-disk encryption/decryption support for ZFS datasets. The project covers the addition of encryption and decryption to the ZFS IO pipeline and the key management for ZFS datasets.

It will be delivered in multiple phases to support different key management strategies, including one that provides support for secure deletion based on encrypted datasets.

Documentation

Logging Bugs:

Bugs are tracked in Bugster under development/zfs/ with the zfs-crypto keyword.

See the Project Plan page for more details.

Phased Delivery

Phase 1

  • Per-dataset policy for enabling encryption, including algorithm and key length
  • Per-dataset keys wrapped by a single per-pool key
  • Per-dataset keys wrapped by a dataset-level key
  • Pool/dataset key derived from a passphrase using PKCS#5 PBE
  • Pool/dataset key supplied in a file or on stdin, as raw bits or in hex
  • Encrypted swap via an encrypted ZVOL
  • NO support for an encrypted boot filesystem
  • NO support for an encrypted dump ZVOL (phase 2)

Phase 2 (proposed only, TBC)

  • Encrypted ZVOL dump devices
  • Wrapping keys in a PKCS#11 keystore, e.g. SCA-6000
  • Data encryption keys as sensitive session objects in a PKCS#11 keystore; this MUST have a kernel driver and a hardware keystore such as the SCA-6000
  • PAM module for user home directories with per-dataset keying

Announcements

03 Jul 2008 Demo at LOSUG
04 Oct 2007 x86 Alpha bfu released
30 May 2006 First Crypt!
22 Feb 2006 Opening day

Blogs

darren - OpenSolaris "disk" encryption in snv_105

Dec 17, 5:09 PM

lofi(7D) encryption: The encryption part of the OpenSolaris lofi compression & encryption project integrated into snv_105. I initially started this as a proof of concept several years ago but it never ...

izick - Ubuntu/OpenSolaris/FreeBSD crypto benchmark misses the mark

Nov 26, 3:16 PM

The recent posting of the Ubuntu vs OpenSolaris vs FreeBSD comparison is interesting.. OpenSolaris isn't that far off, but is it a true measure? I'm sure everyone will nitpick their results rightly ...

izick - Userland platform-specific crypto is here: libsoftcrypto

Nov 26, 1:27 PM

In what was literally years in the making, the Crypto Framework's userland provider "softtoken" now has a platform-specific library, called libsoftcrypto. This breaks out symmetric crypto and bignum ...

darren - ZFS Crypto update

Nov 1, 7:39 AM

It's been a little while since I gave an update on the status of the ZFS Crypto project. A lot has happened recently and I've been really "heads down" writing code. We had believed we were ...

darren - Lets have a game of "Spot The Difference" (Serious Firefox 3 Security UI Issue)

Sep 8, 10:45 AM

Remember back to when you were much younger and you had puzzle books for travel journeys, or maybe just because you liked puzzles, one of the puzzles you probably played was "spot the difference", ...