On 16/04/18 09:23, Alasdair Lumsden wrote:
> Hi All,
>
> Just a quick one. I spotted that Tom Caputi committed his amazing ZFS
> encryption work into the ZFSOnLinux GitHub tree back in August. Since
> then there have been a few follow-up stability commits:
>
> https://github.com/zfsonlinux/zfs/commits/master/lib/libzfs/libzfs_crypto.c
>
> I wondered if Joyent had any intention of importing this work into
> SmartOS, and integrating encryption into the toolchain, for example with
> regards to vmadm and Triton?
>
Yes, we do intend to pull this in as soon as it's merged in OpenZFS. There are still some outstanding reports of issues there and a full in-depth review pending. The on-disk format change late last year didn't increase confidence, either, so we're being cautious.

It's important to note that ZoL have not yet made a *release* with encryption support (it's only in master), and their standards of testing and assurance for releases are most similar to what we require for "master" on our repos today.

We intend to integrate this into the stack as much as we can, and RFD77 has more details:

https://github.com/joyent/rfd/blob/master/rfd/0077/README.adoc

Basically, our recommendation is going to be to use hardware tokens (YubiKeys or other PIV-compatible USB tokens) to store the keys to unlock the on-disk encryption. This allows unattended booting to be a possibility, unlike with passphrase-based keys. We also have a detailed proposal in there for how recovery will work in the event of a hardware token failure.

-------------------------------------------
smartos-discuss Archives: https://www.listbox.com/member/archive/184463/=now
