Richard L. Hamilton wrote:

> What standards are out there for self-encrypting drives? Are these all SCSI
> command set based drives (SCSI, SAS, FC, hypothetically iSCSI) or are there
> standards applicable to SATA drives as well?
>
> Would a standards-compliant self-encrypting drive work with any controller
> (supporting the appropriate interface and command set, and supported by the
> OS), or is matching controller support also required?
>
> What support does Solaris/OpenSolaris have (or might reasonably be
> anticipated if it's not there yet)? How about boot vs non-boot drives?

At this time there is no explicit support for hardware/firmware/controller
based drive encryption. We currently assume that the system BIOS or drive
layer deals with all of this if required.

> I've got to add space to my home storage farm; the drives I want (Seagate
> Constellation ES, 2TB SAS) may be generally available early next year, and
> there's a Self-Encrypting Drive option available. So I guess I'm really
> asking if I should bother (assuming for the moment that whatever cost
> difference is minor). There are also other reasons I can imagine that
> encrypted "storage at rest" might

Have you considered using ZFS Crypto when it is available (we are hoping it
will be available in the /dev repository very soon after the restricted builds
for the next OpenSolaris release are lifted - final codereview starts 19th Jan)?

ZFS crypto and drive based encryption provide the functionality at a different
layer in the storage stack. They have a large overlapping area where both
should in my opinion be considered, especially if you are going to be serving
the data out over iSCSI/FCoE/CIFS/NFS anyway. At the present time neither ZFS
crypto nor drive/controller crypto will integrate with the key management used
for protecting the data in transit to the remote client; I do have some early
high level designs for how to integrate ZFS Crypto with Kerberos though.

It depends on what your key management and data encryption needs are. Consider
that with drive encryption you very likely have all of the data in a 2TB drive
encrypted under a single key. With ZFS crypto you can choose when to switch to
using a new wrapping key (the key the user/admin looks after and provides) and
new data encryption keys. Most drive or volume based systems I'm currently
aware of don't give you the key management flexibility that ZFS crypto will do.

> be of interest, although I make a point of not speaking on anyone else's
> behalf here.
>
> Right now, I'm not mainly thinking about laptops and such, although I
> wouldn't exclude that (although I gather they'd probably need a TPM module
> and support for same to complement the self-encrypting storage).

One of the nice things about doing the encryption at the ZFS layer is that the
same solution works for single disk laptop/workstations as works for a system
comprised of hundreds of disks. It also doesn't tie you to a single hardware
vendor.

-- 
Darren J Moffat
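A toy model of the wrapping-key / data-key separation Darren describes, added here as an example and not ZFS or OpenSolaris code. It assumes a chain of data keys in which a new data key applies only to blocks written afterwards (older blocks keep the key version they were written under), and uses a constructed HMAC-SHA256 keystream in place of a real cipher:

```python
import hashlib
import hmac
import os

# Toy model (not ZFS code): an admin-held wrapping key protects the dataset's
# data keys; blocks are encrypted under a data key.  The "cipher" is a
# constructed HMAC-SHA256 counter keystream standing in for a real AES mode.

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter-mode keystream (toy, symmetric)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def wrap(wrapping_key: bytes, data_key: bytes) -> bytes:
    nonce = os.urandom(16)  # fresh nonce stored alongside the wrapped key
    return nonce + keystream_xor(wrapping_key, nonce, data_key)

def unwrap(wrapping_key: bytes, wrapped: bytes) -> bytes:
    return keystream_xor(wrapping_key, wrapped[:16], wrapped[16:])

class Dataset:
    """One encrypted dataset with a chain of data keys (assumption: a data-key
    change applies to blocks written afterwards; older blocks keep theirs)."""
    def __init__(self, wrapping_key: bytes):
        self.wrapped_keys = []   # index = data-key version
        self.blocks = {}         # block id -> (version, nonce, ciphertext)
        self.new_data_key(wrapping_key)

    def new_data_key(self, wrapping_key: bytes) -> int:
        """Start using a fresh data key; nothing already on disk is re-encrypted."""
        self.wrapped_keys.append(wrap(wrapping_key, os.urandom(32)))
        return len(self.wrapped_keys) - 1

    def change_wrapping_key(self, old_wk: bytes, new_wk: bytes) -> None:
        """Rotate the admin key: only the small wrapped keys are rewritten."""
        self.wrapped_keys = [wrap(new_wk, unwrap(old_wk, w)) for w in self.wrapped_keys]

    def write(self, wrapping_key: bytes, blk: int, plaintext: bytes) -> None:
        version = len(self.wrapped_keys) - 1   # newest data key for new writes
        key = unwrap(wrapping_key, self.wrapped_keys[version])
        nonce = os.urandom(16)
        self.blocks[blk] = (version, nonce, keystream_xor(key, nonce, plaintext))

    def read(self, wrapping_key: bytes, blk: int) -> bytes:
        version, nonce, ct = self.blocks[blk]
        return keystream_xor(unwrap(wrapping_key, self.wrapped_keys[version]), nonce, ct)
```

Contrast this with the single drive-wide key case from the reply: here a wrapping-key change touches only a few wrapped key blobs, while a data-key change affects only data written after it.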