On 11/20/17 04:47 PM, Marc Lobelle wrote:

Yes, this is what I do on solaris where the encrypt option of zfs is implemented, but it is not yet available on openindiana, unfortunately.

Without encryption done before writing (and storing a key elsewhere), no file system or OS will help you protect your data from reading unused blocks. That is particularly true about SSDs where SSD itself is never telling the truth even to the controller adapter on card/motherboard, how it does its internal workings, as fast as possible, but without the direct control over state of every block on the drive, like it used to be with Magnetic drives (except magnetic drives also do block remapping too).
SSDs with hardware encryption are the obvious answer for every use.

But on Openindiana you can always use lofiadm to create ZFS volume that is encrypted and use that as your storage media. ZFS volumes can be compressed (-o compression=on / gzip9) and sparse (-s) (getting large as they are filled, not needed for lofi-encrypted volumes), but it could be envisioned to put another ZFS pool inside ZFS volume that is encrypted with lofi, where pool inside the volume would do compression, and lofi on the main volume would do the encryption. But yes, it is true that it is easiest to have UFS-formatted ZFS volume that is encrypted with lofi, if you just need an encryption.

So you have a working solution for encrypted filesystems, till OpenZFS native encryption lands on illumos officially.

Alternatively, one can organize to have Openindiana-patched illumos with experimental features on separate openindiana branch, for those wanting not yet officially landed features. Native OpenZFS encryption from datto.com, others is much better tech than that in Solaris, btw.

https://openindiana.org/pipermail/openindiana-discuss/2014-August/016314.html
http://open-zfs.org/wiki/OpenZFS_Developer_Summit_2016
https://illumos.topicbox.com/groups/discuss/T39f7d7f0582b8672-Mb7869c77e29b7104e5d5e4fd

Also for example, this is how I create ZFS volume and make it available over ISCSI:
pfexec zfs create -V 20G -s rpool/iscsi/image1
pfexec sbdadm create-lu rpool/iscsi/image1

sbdadm create-lu /dev/zvol/rdsk/rpool/iscsi/image1
sbdadm list-lu

stmfadm list-lu -v
stmfadm add-view <LU Name>
stmfadm list-view -l <LU Name>

pfexec pkg install iscsi/target
pfexec svcadm enable -r svc:/network/iscsi/target:default

itadm list-target -v
itadm create-target -l alias

(sudo stmfadm offline-target for doing snapshots)

_______________________________________________
openindiana-discuss mailing list
[email protected]
https://openindiana.org/mailman/listinfo/openindiana-discuss
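
The lofi-over-zvol setup described in the message above (a UFS-formatted ZFS volume encrypted with lofi), sketched as an added example that is not part of the original post. The volume name, size and mount point are hypothetical, and it assumes lofiadm accepts the zvol's raw device path as its backing "file"; with the default DRY_RUN=1 it only prints the commands.

```shell
#!/bin/sh
# Added example, not from the original message. Names below are hypothetical.
# DRY_RUN=1 (default) prints the plan; DRY_RUN=0 executes it on illumos.
DRY_RUN=${DRY_RUN:-1}

run() {
    # Echo every command; execute it only when DRY_RUN=0.
    echo "+ $*"
    [ "$DRY_RUN" = 1 ] || "$@"
}

# usage: make_encrypted_zvol <pool/volume> <size> <mountpoint>
make_encrypted_zvol() {
    vol=$1 size=$2 mnt=$3
    case $vol in
        */*) ;;
        *) echo "volume must be given as pool/name" >&2; return 2 ;;
    esac
    # Fully allocated (non-sparse) volume, as the message suggests for lofi.
    run pfexec zfs create -V "$size" "$vol" || return 1
    # lofiadm -c prompts for a passphrase and prints the lofi device it made.
    if [ "$DRY_RUN" = 1 ]; then
        echo "+ pfexec lofiadm -c aes-256-cbc -a /dev/zvol/rdsk/$vol"
        lofi=/dev/lofi/N    # placeholder: real number is assigned at attach
    else
        lofi=$(pfexec lofiadm -c aes-256-cbc -a "/dev/zvol/rdsk/$vol") || return 1
    fi
    # newfs wants the raw (character) lofi node, mount wants the block node.
    rlofi=$(echo "$lofi" | sed 's|/dev/lofi/|/dev/rlofi/|')
    run pfexec newfs "$rlofi" || return 1
    run pfexec mount -F ufs "$lofi" "$mnt"
}

# usage: close_encrypted_zvol <lofi-device> <mountpoint>
# After the detach, only ciphertext remains reachable through the zvol.
close_encrypted_zvol() {
    run pfexec umount "$2" || return 1
    run pfexec lofiadm -d "$1"
}
```

lofi associations do not persist across reboots, so the `lofiadm -c ... -a` and `mount` steps have to be repeated (with the same passphrase) after each boot.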
