I''ve never used ZFS encryption. How does it work? Do you need to type in a pre-boot password? And if so, how do you do that with a server? Or does it use TPM or something similar, to avoid the need for a pre-boot password? Thanks... -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://mail.opensolaris.org/pipermail/zfs-discuss/attachments/20120216/3f90c1cc/attachment.html>
On Thu, February 16, 2012 09:55, Edward Ned Harvey wrote:> I''ve never used ZFS encryption. How does it work? Do you need to type in > a pre-boot password? And if so, how do you do that with a server? Or does > it use TPM or something similar, to avoid the need for a pre-boot password?Darren Moffat put up some good posts when the code was initially introduced: https://blogs.oracle.com/darren/en_GB/tags/zfs https://blogs.oracle.com/darren/en_GB/tags/crypto I don''t believe encrypting the root volume is currently supported, so pre-boot stuff doesn''t apply. (Please correct if I''m wrong here.)
> From: David Magda [mailto:dmagda at ee.ryerson.ca] > Sent: Thursday, February 16, 2012 10:35 AM > > On Thu, February 16, 2012 09:55, Edward Ned Harvey wrote: > > I''ve never used ZFS encryption. How does it work? Do you need to typein> > a pre-boot password? And if so, how do you do that with a server? Or > does > > it use TPM or something similar, to avoid the need for a pre-boot > password? > > Darren Moffat put up some good posts when the code was initially > introduced: > > https://blogs.oracle.com/darren/en_GB/tags/zfs > https://blogs.oracle.com/darren/en_GB/tags/crypto > > I don''t believe encrypting the root volume is currently supported, so > pre-boot stuff doesn''t apply. (Please correct if I''m wrong here.)Very nice. Thanks.
On 02/16/12 15:35, David Magda wrote:> On Thu, February 16, 2012 09:55, Edward Ned Harvey wrote: >> I''ve never used ZFS encryption. How does it work? Do you need to type in >> a pre-boot password? And if so, how do you do that with a server? Or does >> it use TPM or something similar, to avoid the need for a pre-boot password? > > Darren Moffat put up some good posts when the code was initially introduced: > > https://blogs.oracle.com/darren/en_GB/tags/zfs > https://blogs.oracle.com/darren/en_GB/tags/crypto > > I don''t believe encrypting the root volume is currently supported, so > pre-boot stuff doesn''t apply. (Please correct if I''m wrong here.)That is correct you can''t currently encrypt the root/boot file system. This is because neither OBP or GRUB 0.97 have any knowledge of ZFS encrypted file systems and how to get keys for them. GRUB2 has support for encrypted ZFS file systems already. -- Darren J Moffat
> From: Darren J Moffat [mailto:darrenm at opensolaris.org] > Sent: Monday, February 20, 2012 12:46 PM > > GRUB2 has support > for encrypted ZFS file systems already.I assume this requires a pre-boot password, right? Then I have two questions... I noticed in solaris 11, when you "init 6" it doesn''t reboot the way other OSes reboot. So maybe "init 6" will not need you to type in a password again? Maybe you just need a passsword one time when you power on? If you have to enter password at every reboot, of course, it lends some bias toward using that encryption solution only for laptops, where there''s guaranteed to be a user present. It''s not quite mutually exclusive with servers, but a strong bias away from being used on servers.
On 02/21/12 13:27, Edward Ned Harvey wrote:>> From: Darren J Moffat [mailto:darrenm at opensolaris.org] >> Sent: Monday, February 20, 2012 12:46 PM >> >> GRUB2 has support >> for encrypted ZFS file systems already. > > I assume this requires a pre-boot password, right? Then I have two > questions...The ZFS encryption support in GRUB2 was written by the main GRUB2 developer and doesn''t use any Solaris ZFS encryption code. The GRUB2 code has support for interactive prompting for the passphrase or for reading the passphrase or raw wrapping key from a file in some other filesystem that GRUB2 can see. Solaris 11 doesn''t have GRUB2 at this time it uses GRUB 0.97 which does not have encryption support. You can''t put the two parts together because the Solaris 11 kernel doesn''t know how to mount an encrypted root filesystem even though GRUB2 could have loaded the kernel and boot_archive from one if you managed to craft together a GRUB2 and Solaris 11 system on your own.> I noticed in solaris 11, when you "init 6" it doesn''t reboot the way other > OSes reboot.What you are seeing is "Fast Reboot" where on x86 we completely avoid the trip back through the BIOS and the boot loader it just loads and rexecute the kernel directly. The situation on SPARC is similar but not identical. > So maybe "init 6" will not need you to type in a password> again? Maybe you just need a passsword one time when you power on?Solaris 11 doesn''t have support for encrypted root at all at this time. Doesn''t mater if Fast Reboot is in use or not. -- Darren J Moffat