
Status

Original feature set complete April 2008. Revised feature set complete May 2009

Integration Target: Q1CY10

Why have we changed the schedule?

There are some other planned features of ZFS that had not been started at the time the ZFS Crypto design was previously finalised.  It has since been discovered that some of these could be incompatible with the original design for dataset encryption.  We wish to ensure that crypto is compatible with the following ZFS features when they integrate (which may be before or after crypto):

  • BP rewriter:  Specifically for (non mirror) device removal
  • Deduplication
  • send/recv enhancements

We have also decided to simplify the admin model for encryption, since there were some aspects that weren't fully in the ZFS model.  It was also discovered that the functionality of a pool wide wrapping key can be achieved using per dataset wrapping keys if normal ZFS property inheritance is obeyed. This leads to the following changes:

  • Removing the keyscope distinction: there is no pool wide key; all keying is per dataset
  • The wrapping key is inherited when the keysource property is inherited

We have also added one additional feature:

  • Clones can choose to have a new data encryption key from origin. This allows for secure delete of clone branches independently from each other.

Last onnv-gate resync: onnv_126

Need really up-to-the-second status?

Follow darrenmoffat on Twitter and look for tweets in the #zfs tag group.

What are we doing?

This project will provide on-disk encryption/decryption support
for ZFS datasets.  The project will cover the addition of encryption
and decryption to the ZFS IO pipeline and the key management for
ZFS datasets.

It will support different key management strategies by allowing scripting of the zfs(1) command for key load/unload/change and an API in libzfs.

Documentation

Logging Bugs:

Bugs are tracked in Bugster under development/zfs/ with the zfs-crypto keyword.

See the Project Plan page for more details.

Features

  • Per dataset policy for enabling encryption, including algorithm and key length.
  • Per dataset data encryption keys wrapped by a dataset level key
  • Inherited when keyscope property is inherited
  • Dataset wrapping key from passphrase using PKCS#5 PBE
  • Dataset wrapping key in file/stdin as raw bits or in hex
  • Encrypted swap via encrypted ZVOL
  • NO support for encrypted boot filesystem
  • NO support for encrypted dump ZVOL
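
The keying model described on this page, as an added Python sketch that is not the project's code: per-dataset data encryption keys wrapped by a passphrase-derived key that is located through keysource inheritance, with a clone optionally taking a fresh key instead of sharing its origin's. Assumptions: PBKDF2-HMAC-SHA256 as the PKCS#5 derivation, the iteration count, the HMAC-based `wrap`/`unwrap` stand-in for a real key-wrap mode, and all class, function and dataset names.

```python
import hashlib, hmac, os

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def wrap(kek, dek):
    # Stand-in for a real key-wrap mode (assumption): HMAC keystream plus HMAC tag.
    nonce = os.urandom(16)
    ct = _xor(dek, hmac.new(kek, b"enc" + nonce, "sha256").digest())
    return nonce + ct + hmac.new(kek, b"mac" + nonce + ct, "sha256").digest()

def unwrap(kek, blob):
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(kek, b"mac" + nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong wrapping key or corrupted wrapped key")
    return _xor(ct, hmac.new(kek, b"enc" + nonce, "sha256").digest())

class Dataset:
    """Hypothetical model of a dataset; passphrase=None means keysource is inherited."""
    def __init__(self, name, parent=None, passphrase=None, origin=None, new_dek=True):
        self.name, self.parent, self.passphrase = name, parent, passphrase
        self.salt = os.urandom(16) if passphrase else None
        # A clone either takes a fresh DEK or shares the one its origin uses.
        dek = os.urandom(32) if (origin is None or new_dek) else origin.dek()
        self.wrapped_dek = wrap(self.wrapping_key(), dek)

    def key_owner(self):
        # Walk up the tree to the dataset where the keysource is set locally.
        ds = self
        while ds.passphrase is None:
            if ds.parent is None:
                raise LookupError("no keysource on %s or any ancestor" % self.name)
            ds = ds.parent
        return ds

    def wrapping_key(self):
        o = self.key_owner()
        return hashlib.pbkdf2_hmac("sha256", o.passphrase.encode(), o.salt, 10_000, 32)

    def dek(self):
        return unwrap(self.wrapping_key(), self.wrapped_dek)

def demo():
    # Constructed tree: a keysource set once at the top acts as a pool wide key.
    pool = Dataset("tank", passphrase="constructed pool passphrase")
    home = Dataset("tank/home", parent=pool)
    alice = Dataset("tank/home/alice", parent=home, passphrase="constructed alice passphrase")
    clone = Dataset("tank/home-clone", parent=pool, origin=home, new_dek=True)
    return pool, home, alice, clone
```

In this model, discarding the clone's `wrapped_dek` makes only the clone's own blocks unrecoverable, while the origin still unwraps its key as before.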

Futures

  • Encrypted ZVOL dump devices
  • Wrapping keys in PKCS#11 keystore, eg SCA-6000, TPM, Smartcard
  • PAM module for user home directory with per dataset keying. (Currently implemented but not included in ARC reviewed content).
last modified by darrenm on 2009/11/16 15:21
© Sun Microsystems Inc. 2009