Hello,

I am new to Solaris.
Several PDFs out there suggest any of the following:
a) Solaris comes with 128bit encryption (full filesystem)
b) Solaris supports full root encryption.

Any truth to any of this?
The company I work for is mandating full root encryption.

Thanks.
--
This message posted from opensolaris.org
On Jul 20, 2009, at 15:54, Roger wrote:

> Several PDFs out there suggest any of the following:
> a) Solaris comes with 128bit encryption (full filesystem)
> b) Solaris supports full root encryption.
>
> Any truth to any of this?
> The company I work for is mandating full root encryption.

Part (a) is in-progress:

http://opensolaris.org/os/project/zfs-crypto/
http://opensolaris.org/os/project/zfs-crypto/phase1/

There is some support for encryption with loop-back mounts:

http://blogs.sun.com/darren/entry/opensolaris_disk_encryption_in_snv

Part (b) has been considered, but there is no ETA AFAIK.

Note that this is part of the OpenSolaris project, and not yet integrated in Solaris "proper" at this time.

Out of curiosity, what operating system(s) currently support full root encryption?
Roger wrote:

> Hello,
>
> I am new to Solaris.
> Several PDFs out there suggest any of the following:
> a) Solaris comes with 128bit encryption (full filesystem)
> b) Solaris supports full root encryption.

Can you send a pointer to these please, because the information is not correct and I would like to try and get it corrected.

> Any truth to any of this?
> The company I work for is mandating full root encryption.

Why is it mandated, is there no exception process?

It isn't currently part of the ZFS Crypto project to provide for an encrypted boot (i.e. root) filesystem. Part of the reason for this is because of the changes needed for GRUB (x86) and OBP (SPARC), and I would rather wait until we move to GRUB2 as some things will be much easier.

For ZFS pools that do not have the boot file system on them you can have all filesystems in the pool encrypted, i.e.:

    # zpool create -O encryption=on tank c0t0d0s0

Even if you need to boot from a filesystem in the pool you *can* still have the swap ZVOL encrypted.

--
Darren J Moffat