Vladimir Kotal wrote:> Are there any plans to interconnect zfs-crypt commands with GUI (JDS) ?
This will certainly be possible but isn''t part of the initial
deliverables for the zfs-crypto project.
They way this would be done is likely that on your removable media
card/usb token there would be a software keystore that is managed by
pkcs11_softtoken(5).
> e.g. it would be nice if I can insert CF/SD card into slot in Ferrari and:
> 1. a window will appear prompting for a password
> 2. zfs filesystem will be decrypted and mounted
We won''t actually decrypt the whole file system, that could take a very
long time and a huge a mount of memory :-) But I understand what you
mean is really "provide the key material to the ZFS system to allow
clear text access".
> 3. after (defined) period of inactivity (or screensaver) passphrase will be
forgotten
> and user will be prompted again upon next access ("wake up" from
screensaver)
This is complex and actually "dangerous" unless you actually pstop(1)
all the users processes other than the screensaver then if one of those
processes wakes up (say your email client) and attempts to read or write
to the ZFS filesystem it will get EIO. What the application does when
it gets EIO may not be a good thing with respect to what the user wants.
A much more interesting case is how ZFS crypto will interact with
suspend and resume. That is something on my radar to look at when we
look at using ZFS to have an encrypted root filesystem (which is out of
scope for the first phase).
Thanks for thinking about this, making ZFS and ZFS crypto usable is very
important for its acceptance.
--
Darren J Moffat