I remember being told more than a year ago that support for encryption is planned for ZFS, but that there were no plans for full disk encryption. Microsoft has now set the bar for FDE support in the OS, including even TPM integration for automatic detection of offline tampering of the disk. It's simple set-and-forget encryption, and has become an indispensable part of my laptop security. With laptops being a target platform for Solaris, and the main competing OS now supporting FDE, has there been any change of plans regarding this?

This message posted from opensolaris.org
Andrew wrote:
> I remember being told more than a year ago that support for encryption is
> planned for ZFS, but that there were no plans for full disk encryption.
> Microsoft has now set the bar for FDE support in the OS, including even
> TPM integration for automatic detection of offline tampering of the disk.
> It's simple set-and-forget encryption, and has become an indispensable part
> of my laptop security. With laptops being a target platform for Solaris,
> and the main competing OS now supporting FDE, has there been any
> change of plans regarding this?

It looks like you are talking about BitLocker in Vista. BitLocker is NOT full disk encryption - the only "real" way to do full disk encryption is doing it in hardware. BitLocker only deals with the boot loader (for TPM integration) and the fdisk partitions that Vista is using. At least that's what I was told directly by one of the engineers that worked on the project when I talked to him about it at RSA Europe last year; it is possible either I'm remembering wrongly or things changed before Vista was released.

The ZFS crypto project plans to deliver in multiple phases and will be using the cryptographic framework already in OpenSolaris. Integration with the TPM (for systems that have one) will come in time but we are dependent on other OpenSolaris projects to provide some basic infrastructure first.

Exactly why do you believe that ZFS crypto won't give you the equivalent functionality? Once we have support for encrypted root, and OpenSolaris gains TPM support (http://opensolaris.org/os/project/tpm) we will be able to provide a similar experience but with more flexibility than what BitLocker provides.

The other project that you may wish to look at which is probably closer to what BitLocker provides is http://opensolaris.org/os/project/loficc, Moniak (of Belenix) has an encrypted root working with loficc.

-- Darren J Moffat
Talking about FDE functionality, I'm trying to "port" the Linux concept of dm-crypt (device-mapper crypto target) to Solaris/OpenSolaris.

My first approach is to create an LDI driver, for crypt/decrypt, over sd or md drivers, but I don't know if it is the best solution.

Any suggestions?

dm-crypt: http://www.saout.de/misc/dm-crypt/
Rubén Mur wrote:
> Talking about FDE functionality, I'm trying to "port" the Linux concept of dm-crypt (device-mapper crypto target) to Solaris/OpenSolaris.
>
> My first approach is to create an LDI driver, for crypt/decrypt, over sd or md drivers, but I don't know if it is the best solution.
>
> Any suggestions?

Yep, see the loficc project on OpenSolaris and help us finish it off. It does something very similar to what dm-crypt does.

http://opensolaris.org/os/project/loficc/

-- Darren J Moffat
darrenm wrote:
> Exactly why do you believe that ZFS crypto won't give you the equivalent
> functionality? Once we have support for encrypted root,

I didn't know that encrypted root was being worked on. You wrote 16 months ago at http://www.opensolaris.org/jive/message.jspa?messageID=18958 regarding ZFS, "Before anyone asks the one area we have no intention of attempting to implement any time soon is encrypted root file system."

I asked, "Is this due solely to the programming effort which would be required, or are there other reasons?"

You responded, "It just isn't part of the first phase. Primarily because we can't boot from ZFS at all yet. Also because it is partly due to the way the Solaris crypto framework operates. It is also due to the requirement that we be able to support keys in hardware keystores - which require drivers to be loaded before they can be accessed (chicken and egg problem there). Think about it this way, once you can boot from ZFS your root filesystem can really just be the OS and things like /var/tmp and home dirs etc etc can just be additional ZFS file systems which can be encrypted - swap could even be an encrypted zvol. I'm not saying never, I'm just saying it isn't a goal for the initial delivery of this because it adds its own complexities and it isn't a key requirement for the customers that have requested this."

So support for encrypted root is planned now?
Andrew wrote:
> So support for encrypted root is planned now?

Planned yes, but it turns out that ZFS boot wasn't the only dependency, in fact it isn't even the most significant one. It still isn't going to be in the first phase of ZFS crypto that gets delivered.

The good news though is that Moniak has a prototype of booting from an encrypted lofi (a bit like dm-crypt or cryptoloop on Linux or File Vault on MacOS X) so that is helping us work through some of the issues.

Getting ZFS encrypted root with TPM support is a big job and is mostly dependent on the TPM project.

-- Darren J Moffat