On 11/17/10 12:04, Miles Nordin wrote:
black-box crypto is snake oil at any level, IMNSHO.
Absolutely.
Congrats again on finishing your project, but every other disk
encryption framework I've seen taken remotely seriously has a detailed
paper describing the algorithm, not just a list of
On Wed, Nov 17, 2010 at 01:58:06PM -0800, Bill Sommerfeld wrote:
On 11/17/10 12:04, Miles Nordin wrote:
black-box crypto is snake oil at any level, IMNSHO.
Absolutely.
As Darren said, much of the design has been discussed in public, and
reviewed by cryptographers. It'd be nicer if we had a
On 17/11/2010 21:58, Bill Sommerfeld wrote:
In particular, the mechanism by which dedup-friendly block IV's are
chosen based on the plaintext needs public scrutiny. Knowing Darren,
it's very likely that he got it right, but in crypto, all the details
matter and if a spec detailed enough to allow
Also, when the IV is stored you can more easily look for accidental IV
re-use, and if you can find hash collisions, then you can even cause IV
re-use (if you can write to the filesystem in question). For GCM IV
re-use is rather fatal (for CCM it's bad, but IIRC not fatal), so I'd
not use GCM with
On 23/11/2010 21:01, StorageConcepts wrote:
r...@solaris11:~# zfs list mypool/secret_received
cannot open 'mypool/secret_received': dataset does not exist
r...@solaris11:~# zfs send mypool/plaint...@test | zfs receive -o encryption=on mypool/secret_received
cannot receive: cannot
I just tested crypto a little and I have some send/receive specific questions
about it. It would be great if someone could clarify.
Currently ZFS has no background rewriter. However the fact that ZFS applies
most of the properties and tunables (like dedup or compression) on write time
for all
On 23/11/2010 21:01, StorageConcepts wrote:
r...@solaris11:~# zfs list mypool/secret_received
cannot open 'mypool/secret_received': dataset does not exist
r...@solaris11:~# zfs send mypool/plaint...@test | zfs receive -o encryption=on mypool/secret_received
cannot receive: cannot override
On 19/11/2010 00:39, David Magda wrote:
On Nov 16, 2010, at 05:09, Darren J Moffat wrote:
Both CCM[1] and GCM[2] are provided so that if one turns out to have
flaws hopefully the other will still be available for use safely even
though they are roughly similar styles of modes.
On systems
The design for ZFS crypto was done in the open via opensolaris.org and
versions of the source (though not the final version at this time) are
available on opensolaris.org.
It was reviewed by internal and external to Sun/Oracle people who have
considerable crypto experience. Important parts
On 17/11/2010 20:04, Miles Nordin wrote:
djm == Darren J Moffat darr...@opensolaris.org writes:
djm http://blogs.sun.com/darren/entry/introducing_zfs_crypto_in_oracle
djm http://blogs.sun.com/darren/entry/assued_delete_with_zfs_dataset
djm
On 18/11/2010 03:55, grarpamp wrote:
One reason you may want to select aes-128-gcm rather than aes-128-ccm is
that GCM is one of the modes for AES in NSA Suite B[3], but CCM is not.
Are there symmetric algorithms other than AES that are of interest ?
How might AES-XTS [1] be able to fit
zu == zfs user zf...@itsbeen.sent.com writes:
djm == Darren J Moffat darr...@opensolaris.org writes:
zu Ugh, we all know that the first rule of crypto is that any
zu proprietary, closed source, black-box crypto is crap, blah,
zu blah, blah (I am not sure what the point of repeating
On Thu, 18 Nov 2010, Miles Nordin wrote:
In the unlikely event there was any impediment to your writing, and
releasing, the paper, hopefully my complaining will be one among many
things that helps remove it. Really, it is just mandatory.
Thanks for removing your impediment. The world will be
On Nov 16, 2010, at 05:09, Darren J Moffat wrote:
Both CCM[1] and GCM[2] are provided so that if one turns out to have
flaws hopefully the other will still be available for use safely
even though they are roughly similar styles of modes.
On systems without hardware/cpu support for Galois
On Nov 16, 2010, at 2:03 PM, Rthoreau r7h0...@att.net wrote:
Darren J Moffat darr...@opensolaris.org writes:
On 11/15/10 19:36, David Magda wrote:
Using ZFS encryption support can be as easy as this:
# zfs create -o encryption=on tank/darren
Enter passphrase for
Does Oracle support Solaris 11 Express in production systems?
-- richard
Yes, You need Premier support plan from Oracle for that.
Afaik, sol11 express is production ready, and is going to be updated to real
Solaris 11, and is supported even with non-oracle hardware if you have the
money (and
On Wed, Nov 17, 2010 at 7:34 PM, Richard Elling richard.ell...@gmail.com wrote:
On Nov 16, 2010, at 2:03 PM, Rthoreau r7h0...@att.net wrote:
I just think that some people might need that little
extra nudge that a few graphs and test would provide. If it happens to
also come with a few
On Nov 17, 2010, at 1:57 AM, Tim Cook t...@cook.ms wrote:
On Wed, Nov 17, 2010 at 7:34 PM, Richard Elling richard.ell...@gmail.com wrote:
On Nov 16, 2010, at 2:03 PM, Rthoreau r7h0...@att.net wrote:
I just think that some people might need that little
extra nudge that a few graphs
On 17/11/2010 10:17, Richard Elling wrote:
I know there are far more apps without support for encryption than
with it. And given the ever more stringent government regulations in
the US, there are plenty of customers chomping at the bit for
encryption at the storage array.
I do not disagree.
On 11/17/2010 2:33 AM, Darren J Moffat wrote:
On 17/11/2010 10:17, Richard Elling wrote:
I know there are far more apps without support for encryption than
with it. And given the ever more stringent government regulations in
the US, there are plenty of customers chomping at the bit for
On 17/11/2010 11:41, Erik Trimble wrote:
There is on one correct solution for where to do encryption just
like there is on one correct way to write files onto persistent media.
Choice is important and sometimes choosing more than one is the
correct thing to do.
I'm assuming you meant no the
On Wed, 17 Nov 2010, Markus Kovero wrote:
Does Oracle support Solaris 11 Express in production systems?
-- richard
Yes, You need Premier support plan from Oracle for that.
Afaik, sol11 express is production ready, and is going to be updated
to real Solaris 11, and is supported even with
On 17/11/2010 14:18, Bob Friesenhahn wrote:
On Wed, 17 Nov 2010, Markus Kovero wrote:
Does Oracle support Solaris 11 Express in production systems?
-- richard
Yes, You need Premier support plan from Oracle for that.
Afaik, sol11 express is production ready, and is going to be updated
to real
On Wed, Nov 17, 2010 at 2:18 PM, Bob Friesenhahn
bfrie...@simple.dallas.tx.us wrote:
Solaris 11 Express may be production ready but is Oracle Premier Support
prepared to support it in production?
Right there on the first page for S11 express on Oracle's web site it says
fully tested and
On Wed, 17 Nov 2010, Peter Tribble wrote:
Solaris 11 Express may be production ready but is Oracle Premier Support
prepared to support it in production?
Right there on the first page for S11 express on Oracle's web site it says
fully tested and supported, and it's reasonably clear that the
The question that has occurred to me is:
I *must* choose one of those support options for how long?
I mean if I buy support for a machine for a year and put S11 Express
in production on it, then I don't renew the support, am I now
violating the license?
That's bogus. I could be wrong but I
djm == Darren J Moffat darr...@opensolaris.org writes:
djm http://blogs.sun.com/darren/entry/introducing_zfs_crypto_in_oracle
djm http://blogs.sun.com/darren/entry/assued_delete_with_zfs_dataset
djm http://blogs.sun.com/darren/entry/compress_encrypt_checksum_deduplicate_with
Is there
On 11/17/10 12:04 PM, Miles Nordin wrote:
djm == Darren J Moffat darr...@opensolaris.org writes:
djm http://blogs.sun.com/darren/entry/introducing_zfs_crypto_in_oracle
djm http://blogs.sun.com/darren/entry/assued_delete_with_zfs_dataset
djm
One reason you may want to select aes-128-gcm rather than aes-128-ccm is
that GCM is one of the modes for AES in NSA Suite B[3], but CCM is not.
Are there symmetric algorithms other than AES that are of interest ?
How might AES-XTS [1] be able to fit into the ZFS picture?
Additionally
On 11/15/10 19:36, David Magda wrote:
On Mon, November 15, 2010 14:14, Darren J Moffat wrote:
Today Oracle Solaris 11 Express was released and is available for
download[1], this release includes on disk encryption support for ZFS.
Using ZFS encryption support can be as easy as this:
#
On Nov 15, 2010, at 14:36, David Magda wrote:
Looking forward to playing with it. Some questions:
1. Is it possible to do a 'zfs create -o encryption=off
tank/darren/music' after the above command? I don't much care if my
MP3s are encrypted. :)
2. Both CCM and GCM modes of operation are
Darren J Moffat darr...@opensolaris.org writes:
On 11/15/10 19:36, David Magda wrote:
Using ZFS encryption support can be as easy as this:
# zfs create -o encryption=on tank/darren
Enter passphrase for 'tank/darren':
Enter again:
2. Both CCM and GCM modes of
Today Oracle Solaris 11 Express was released and is available for
download[1], this release includes on disk encryption support for ZFS.
Using ZFS encryption support can be as easy as this:
# zfs create -o encryption=on tank/darren
Enter passphrase for 'tank/darren':
Enter again:
On Mon, November 15, 2010 14:14, Darren J Moffat wrote:
Today Oracle Solaris 11 Express was released and is available for
download[1], this release includes on disk encryption support for ZFS.
Using ZFS encryption support can be as easy as this:
# zfs create -o encryption=on tank/darren
34 matches