Status

Code review Jan 2010. Original feature set complete April 2008. Revised feature set complete May 2009.

Integration Target: Q1CY10

Last onnv-gate resync: onnv_132

Need really up-to-the-second status?

Follow darrenmoffat on Twitter and look for tweets in the #zfs tag group.

What are we doing?

This project will provide on-disk encryption/decryption support for ZFS datasets. The project will cover the addition of encryption and decryption to the ZFS IO pipeline and the key management for ZFS datasets.

It will support different key management strategies by allowing scripting of the zfs(1) command for key load/unload/change and an API in libzfs.

Documentation

Logging Bugs:

Bugs are tracked in Bugster under development/zfs/ with the zfs-crypto keyword.

See the Project Plan page for more details.

Features

  • Per dataset policy for enabling encryption, including algorithm and key length.
  • Per dataset data encryption keys wrapped by a dataset level key
  • Inherited when keyscope property is inherited
  • Dataset wrapping key from passphrase using PKCS#5 PBE
  • Dataset wrapping key in file/stdin as raw bits or in hex
  • Encrypted swap via encrypted ZVOL
  • Support for encrypted dump ZVOL
  • NO support for encrypted boot filesystem

Futures

  • PAM module for user home directory with per dataset keying. (Currently implemented but not included in ARC reviewed content).
  • Wrapping keys in PKCS#11 keystore, e.g. SCA-6000, TPM, Smartcard
Created by on 2009/10/26 11:40
Last modified by darrenm on 2010/01/25 19:24
