On 16/04/18 09:23, Alasdair Lumsden wrote:
> Hi All,
> 
> Just a quick one. I spotted that Tom Caputi committed his amazing ZFS
> encryption work into the ZFSOnLinux github tree back in August. Since
> then there have been a few follow up stability commits:
> 
> https://github.com/zfsonlinux/zfs/commits/master/lib/libzfs/libzfs_crypto.c
> 
> I wondered if Joyent had any intention of importing this work into
> SmartOS, and integrating encryption into the toolchain, for example with
> regards to vmadm and Triton?
> 

Yes, we do intend to pull this in as soon as it's merged in OpenZFS.
There are still some outstanding reports of issues there and a full
in-depth review pending. The on-disk format change late last year didn't
increase confidence, either, so we're being cautious. It's important to
note that ZoL have not yet made a *release* with encryption support
(it's only in master), and their standards of testing and assurance for
releases are most similar to what we require for "master" on our repos
today.

We intend to integrate this into the stack as much as we can, and RFD77
has more details:
https://github.com/joyent/rfd/blob/master/rfd/0077/README.adoc

Basically our recommendation is going to be to use hardware tokens
(Yubikeys or other PIV-compatible USB tokens) to store the keys to
unlock the on-disk encryption. This allows unattended booting to be a
possibility, unlike with passphrase-based keys. We also have a detailed
proposal in there for how recovery will work in the event of a hardware
token failure.


-------------------------------------------
smartos-discuss
Archives: https://www.listbox.com/member/archive/184463/=now
Modify Your Subscription: 
https://www.listbox.com/member/?member_id=25769125&id_secret=25769125-7688e9fb
Powered by Listbox: http://www.listbox.com

Reply via email to