I'm planning on storing the per-dataset encryption keys on the disk with the dataset in a wrapped form. They would be wrapped either with a symmetric key or an asymmetric key. I don't want to store these as properties since you won't be manipulating them via 'zfs set', plus they are significantly larger in size than any of the existing properties.

A master (effectively per pool for the initial phase) key would then be stored either in hardware (such as the SCA-6000 or a TPM) or be a passphrase that is entered by hand (and passed through PKCS#5 PBE to generate the master symmetric key). See the updated draft design document at [1] for more details.

I'm looking for some hints on what APIs in ZFS I should be using to store the wrapped keys and what structures I should be hanging them off of. I need to be able to "lookup" these wrapped keys using a zbookmark_t while in the ZIO pipeline. My initial thought was using *dsl_dataset_phys_t*; however, that doesn't have sufficient space, so it may be better to store a "pointer" there to some external object.

[1] http://opensolaris.org/os/project/zfs-crypto/files/zfs-crypto.pdf

--
Darren J Moffat