search for: keyscope

http://defect.opensolaris.org/bz/show_bug.cgi?id=971 Summary: zfs key -l fails after unloading (keyscope=dataset) Classification: Development Product: zfs-crypto Version: unspecified Platform: Other OS/Version: Solaris Status: NEW Severity: major Priority: P2 Component: other AssignedTo: darrenm at opensolaris...

http://defect.opensolaris.org/bz/show_bug.cgi?id=782 Summary: zfs keysource=raw fails with keyscope=dataset when file doesn''t exist Classification: Development Product: zfs-crypto Version: unspecified Platform: Other OS/Version: Solaris Status: NEW Severity: minor Priority: P4 Compone...

...l_dataset_t* during dmu_objset_create_sync() but by the time we are later mounting the dataset we have a different in memory dsl_dataset_t* referring to the same dataset. This causes me a big issue with per dataset provided encryption keys, but not with a per pool provided encryption key. When keyscope=dataset we pass the key value used as the wrapping key down over the ioctl as part of the dataset creation. This makes its way via dmu_objset_create_sync() to dsl_crypto_key_gen() which generates the actual encryption key and wraps it using the key that came over the ioctl, it then stores the...

...mmediately before return: 107 blen = 0; ------------------------------------------------------------------ usr/src/lib/libzfs/common/libzfs_crypto.c.html get_passphrase() DEA-6: typos for Retrieve and restrictions: 1105 /* Retreive the source value for the current keyscope */ 1353 * keysource changes have no restictions. DEA-7: hexadecimal is misspelled twice in this function (this is user-visible, not a comment): 176 gettext("Enter new hexadecmial key for"), 180 gettext("Enter hexadecmi...

...normal Priority: P3 Component: other AssignedTo: darrenm at opensolaris.org ReportedBy: hua.tang at sun.com QAContact: hua.tang at sun.com CC: zfs-crypto-discuss at opensolaris.org Estimated Hours: 0.0 # zfs create -o encryption=on -o keyscope=dataset -o keysource=hex,prompt tank/fs3 Enter hexadecmial key for ''tank/fs3'': (Enter: 9adf6ac44655ccc414a5e9197a34c52731f5fe08d9191a7cd3811ab6f69f1078) Enter again: (Enter: 9adf6ac44655ccc414a5e9197a34c52731f5fe08d9191a7cd3811ab6f69f10789adf6ac44655ccc414a5e9197a34c52731f5fe08d9...

...nent: other AssignedTo: darrenm at opensolaris.org ReportedBy: hua.tang at sun.com QAContact: hua.tang at sun.com CC: zfs-crypto-discuss at opensolaris.org Estimated Hours: 0.0 build: zfs-crypto-gate-2008-05-15-12:38 It hangs on encrypted datasets with keyscope=dataset as well as keyscope=pool. # zpool create -f test /export/home/testfile_2 # zfs create -o keysource=raw,file:///export/home/raw_key_file -o encryption=on -o keyscope=dataset test/fs # zfs destroy test/fs # zpool create -f test /export/home/testfile_2 # zpool set keysource=passphrase,prompt...

Anthony Scarpino wrote (elsewhere): > While writing up the man page.. I thought of a few things that I was > wondering if you considered.. > > Can an encrypted dataset (keytype=dataset) reside in a non-encrypted (no > kek defined) pool? I can see a case for and against allowing this when considering it purely at the feature level as users/admins see things. The admin can

Anthony Scarpino wrote (elsewhere): > While writing up the man page.. I thought of a few things that I was > wondering if you considered.. > > Can an encrypted dataset (keytype=dataset) reside in a non-encrypted (no > kek defined) pool? I can see a case for and against allowing this when considering it purely at the feature level as users/admins see things. The admin can

...-crypto-discuss at opensolaris.org Estimated Hours: 0.0 Msg| 105731 | 6: Testing ''zfs create'' with keysource=passphrase,file:///export/home/zfscrypto-tests/proto/suites/security/zfs-crypto/et c/blank_file Msg| 105731 | stdout| 105731| /usr/sbin/zfs create -o encryption=on -o keyscope=dataset -o keysource=passphrase,file:///export/home/zfscryp to-tests/proto/suites/security/zfs-crypto/etc/blank_file zfscrypto_reserved_pool/zone_fs/fs stderr| /export/home/zfscrypto-tests/proto/suites/security/zfs-crypto/tests/cli/zfs_create_005[52]: 105801 Segmentation Fault(coredump) s...

...tory: /hg/zfs-crypto/gate Latest revision: 4c9597e1e4e9b6cbd6c20be06f0cdf9c409d3629 Total changesets: 1 Log message: 885 dataset creation panics if pool keystatus not ''available''. 360 check for key on creation should be in dmu_objset_create_check() 782 zfs keysource=raw fails with keyscope=dataset when file doesn''t exist Files: update: usr/src/lib/libzfs/common/libzfs_crypto.c update: usr/src/lib/libzfs/common/libzfs_dataset.c update: usr/src/uts/common/fs/zfs/dmu_objset.c update: usr/src/uts/common/fs/zfs/sys/zio_crypt.h update: usr/src/uts/common/fs/zfs/zio_crypt.c

...ReportedBy: hua.tang at sun.com QAContact: hua.tang at sun.com CC: zfs-crypto-discuss at opensolaris.org Estimated Hours: 0.0 build: zfs-crypto-gate-2008-05-23-18:05 # zpool create -f test /export/home/testfile # zfs create -o keysource=raw,file:///no_file -o keyscope=dataset -o encryption=on test/fs panic info: panic[cpu0]/thread=2a100a67ca0: assertion failed: 0 == dsl_crypto_key_gen(ds, zct, cr, tx), file: ../../common/fs/zfs/dmu_objset.c, line: 628 000002a100a675a0 genunix:assfail+78 (7b3036a0, 7b3031a8, 274, 1853800, 1361000, 0) %l0-3: 0000030004e520c0...

.../bin/expect /export/home/zfscrypto-tests/proto/suites/securi ty/zfs-crypto/lib/zfs_create.exp /usr/sbin/z fs pool_21582 fs on hex,prompt 9adf6ac44655ccc414a5e9197a34c52731f5fe08d9191a7c d3811ab6f69f1078 stdout| 21582| spawn /usr/sbin/zfs create -o encryption=on -o keyscope=dataset -o keysource=hex,prompt pool_21582/fs^M stdout| Enter hexadecmial key for ''pool_21582/fs'': ^M^M stdout| Enter again: ^M^M stdout| 21582| /usr/sbin/zfs allow zfsc keychange pool_21582/fs stdout| 21582| /bin/su zfsc -c "/usr/sbin/zfs key -c -o keysource=hex,file:///e xp...