In the event that disk manufacturers soon start to ship FDE disks, what is your plan to support this feature?

Here is what Seagate plans to do:
http://www.seagate.com/ww/v/index.jsp?locale=en-US&name=dn_sec_intro_fde&vgnextoid=1831bb5f5ed93110VgnVCM100000f5ee0a0aRCRD

-- This message posted from opensolaris.org
Jean Dion wrote:
> In the event that disk manufacturers soon start to ship FDE disks, what is your plan to support this feature?
>
> Here is what Seagate plans to do:
> http://www.seagate.com/ww/v/index.jsp?locale=en-US&name=dn_sec_intro_fde&vgnextoid=1831bb5f5ed93110VgnVCM100000f5ee0a0aRCRD

The whole point of disk based FDE is that it doesn't require support in the filesystem. So I have no plans to change ZFS to support drive based FDE.

Note that FDE has some very significant disadvantages compared to ZFS Crypto but also some advantages. I'll be putting up some articles on my blog (http://blogs.sun.com/darren/) about this soon.

--
Darren J Moffat
> The whole point of disk based FDE is that it doesn't
> require support in
> the filesystem. So I have no plans to change ZFS to
> support drive based
> FDE.
>
> Note that FDE has some very significant disadvantages
> compared to ZFS
> Crypto but also some advantages. I'll be putting up
> some articles on my
> blog (http://blogs.sun.com/darren/) about this soon.
>
> --
> Darren J Moffat

Darren,

I don't see anything on your blog. I'm going to be ordering a new Sun Ultra 27 this week with a 500 GB disk, and intend putting in 4 x 2 TB Hitachi Ultrastar A7K2000 Enterprise grade disks

http://www.hitachigst.com/portal/site/en/products/ultrastar/A7K2000/

to give me 4 TB of mirrored disk. These are available with or without encryption. (Hitachi call it Bulk Data Encryption).

If asked for a one word answer, would you buy the encrypted disks or not? I intend running ZFS and using the encrypted file system if it's available in the 06.2009 release of OpenSolaris.
Dr. David Kirkby wrote:
>> The whole point of disk based FDE is that it doesn't
>> require support in
>> the filesystem. So I have no plans to change ZFS to
>> support drive based
>> FDE.
>>
>> Note that FDE has some very significant disadvantages
>> compared to ZFS
>> Crypto but also some advantages. I'll be putting up
>> some articles on my
>> blog (http://blogs.sun.com/darren/) about this soon.
>>
>> --
>> Darren J Moffat
>
> Darren,
>
> I don't see anything on your blog. I'm going to be ordering a new Sun Ultra 27 this week with a 500 GB disk, and intend putting in 4 x 2 TB Hitachi Ultrastar A7K2000 Enterprise grade disks
>
> http://www.hitachigst.com/portal/site/en/products/ultrastar/A7K2000/
>
> to give me 4 TB of mirrored disk. These are available with or without encryption. (Hitachi call it Bulk Data Encryption).
>
> If asked for a one word answer, would you buy the encrypted disks or not? I intend running ZFS and using the encrypted file system if it's available in the 06.2009 release of OpenSolaris.

I can't give a one word answer to a question like that because I don't know what your threat model is, what your budget is and how soon you need it.

OpenSolaris 2009.06 does not have the ZFS crypto code present because the project hasn't finished code review and integration yet.

--
Darren J Moffat
> I can't give a one word answer to a question like
> that because I don't
> know what your threat model is, what your budget is
> and how soon you
> need it.
>
> OpenSolaris 2009.06 does not have the ZFS crypto code
> present because
> the project hasn't finished code review and
> integration yet.
>
> --
> Darren J Moffat

OK, fair enough.

* It's a home computer, I have nothing particularly sensitive on it (no child porn for example), but I'd rather if the Ultra 27 was stolen, someone could not access the data.
* I've run without disk encryption for years, so it's not critical I get it today.
* I intend buying the disks this week, as I am ordering the Ultra 27 this week and want to put some decent sized disks in it when I get the U27. (I'm buying it with a single 250 GB disk).
* I've no idea how much the difference in price between these disks with and without encryption is. If it is very significant, then I'd certainly not bother.

They are a pretty new disk out, and 99% of Google searches on the model number bring up that 'Hitachi has announced a 2 TB enterprise grade which is shipping now'. But if you try to find these disks which are 'shipping now', they are like rocking horse dung.

http://www.span.com/product_info.php?products_id=27387

claims to have the standard (non-encrypted) models available in 2 days. No mention of the encrypted model.

I was particularly keen to use this disk as I believe the Ultra 27's 1 TB disk is Hitachi A7K1000, and this is the A7K2000 series, which is an improved version.

The other option is to buy the older series, with half the capacity at twice the price from Sun. Somehow that does seem too attractive, given the role the computer will have.

I suspect based on the above, you are likely to suggest I get the non-encrypted version, but if there would be any advantages of the encrypted version, and I could get them soon at not an excessive price, then I'd do that.

Dave
I think I'd want something of a track record for any disk offering FDE, so that any additional failure modes or higher failure frequency might be understood. (If the crypto gets hosed, so does your data.)
Until ZFS encryption is available, is there a way to software encrypt a filesystem? I need unmounted files to be unreadable. I don't want to encrypt on a file-by-file basis. Mounted files need to be shared with Windows machines. I'm using FreeBSD's geli and Samba now. Thanks.
Difference in price -> just marketing hype (same as crypted USB flash disks). Many somewhat free OSes support crypto and it's way better than the mostly poorly implemented crypto in commercial products. So I think it's better to wait for ZFS crypto.

Strongest crypto is in http://www.openbsd.org/cgi-bin/man.cgi?query=softraid&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html , but it depends on you what you will use. Either with OpenSolaris, OpenBSD or Linux or some other BSD you will get better crypto and functionality, and for a much lower price.