On Mon, 2005-11-28 at 17:36, Tobias Oberstein wrote:
> Is it correct that running a non-global zone on top of encrypted lofi will
> not encrypt the containers' swap activity? IOW: full encryption of all data
> of a non-global container will only arrive with encrypted ZFS?
No, it is not necessarily correct. The xlofi project has changes to the swap commands so that they can also be set up to be on encrypted lofi devices using a random key generated at swapadd time. Zones don't have their own swap space (at this time) anyway; they get swap from the global zone because there is only one large (protected) VM space.

We do not yet have any specific plans in place for ZFS/swap and crypto, but the plan is that the ZFS crypto will be able to be used with zvols as well, so if you were to swap on a zvol then you would get the same effect as swapping on an encrypted lofi device.

Note however that BOTH of these solutions suffer from a common problem: you can no longer use your swap device for crash dumps (because it would be encrypted with an unknown key :-)).

--
Darren J Moffat
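The two points in the reply above, an ephemeral random key for encrypted swap and the resulting inability to dump to that device, as an added shell example. This is not code from the thread or from the xlofi project: it assumes a later Solaris lofiadm(1M) that accepts -c/-k for an encrypted lofi device and a dumpadm(1M) that prints a "Dump device:" line; the backing file path, key size and the function names are my own choices. The dump-device check works on captured command output so it can be exercised without lofi hardware.

```shell
#!/bin/sh
# Added example, not from the thread or the xlofi project.
# Assumptions: lofiadm -a FILE -c aes-256-cbc -k RAWKEYFILE (later Solaris),
# mkfile(1M), swap(1M) and dumpadm(1M) with a "Dump device: <path>" line.
set -eu

BACKING=${BACKING:-/var/tmp/swapcrypt.img}   # assumed backing-file path
SIZE_MB=${SIZE_MB:-1024}

# Generate a 256-bit raw key in a temporary file. It is deleted right after
# lofiadm consumes it, so the only copy lives in kernel lofi state and is
# lost on reboot: old swap contents become unreadable, which is the intent.
make_ephemeral_key() {
    keyfile=$(mktemp /tmp/swapkey.XXXXXX)
    dd if=/dev/random of="$keyfile" bs=32 count=1 2>/dev/null
    chmod 0400 "$keyfile"
    echo "$keyfile"
}

# Create the backing file, map it as an AES-256-CBC encrypted lofi device
# and add that device as swap. Prints the lofi device path.
setup_encrypted_swap() {
    mkfile "${SIZE_MB}m" "$BACKING"
    keyfile=$(make_ephemeral_key)
    dev=$(lofiadm -a "$BACKING" -c aes-256-cbc -k "$keyfile")
    rm -f "$keyfile"            # throw the key away on purpose
    swap -a "$dev"
    echo "$dev"
}

# The caveat from the reply: a dump written to swap encrypted under a
# throwaway key can never be read back. Given the text of `dumpadm` and
# `swap -l`, return 0 if the dump device is NOT one of the swap devices,
# 1 if it is, 2 if no dump device line was found.
dump_not_on_swap() {
    dumpadm_out=$1
    swap_l_out=$2
    dumpdev=$(printf '%s\n' "$dumpadm_out" |
              sed -n 's/^ *Dump device: *\([^ ]*\).*/\1/p')
    [ -n "$dumpdev" ] || return 2
    # swap -l: header line, then one line per device with the path first
    printf '%s\n' "$swap_l_out" |
        awk -v d="$dumpdev" 'NR > 1 && $1 == d { found = 1 }
                             END { exit found ? 1 : 0 }'
}

case "${1:-}" in
    setup) setup_encrypted_swap ;;
    check)
        if dump_not_on_swap "$(dumpadm)" "$(swap -l)"; then
            echo "ok: dump device is not on encrypted swap"
        else
            echo "WARNING: dump device is an encrypted swap device; run dumpadm -d" >&2
            exit 1
        fi ;;
esac
```

Run `sh script.sh setup` once per boot (the key is regenerated each time, matching the swapadd-time behaviour described) and `sh script.sh check` afterwards; if the check fails, point dumpadm -d at an unencrypted device or a dedicated dump zvol before relying on crash dumps.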
