[OpenIndiana-discuss] self encrypting disks

Sašo Kiselkov skiselkov.ml at gmail.com
Mon Feb 11 23:11:30 UTC 2013


On 02/11/2013 11:51 PM, Marion Hakanson wrote:
> richard.elling at richardelling.com said:
>> Soon, many, if not all, HDDs will be shipped as self encrypting. AFAIK, there
>> is no OI project for managing the keys, however. I'm interested to know what
>> the demand for these tools might be.
>>  -- richard 
> 
> Hi Richard,
> 
> We have over 100 such disks (Seagate drives in Dell MD1200 enclosures)
> running on Solaris-10 and OpenIndiana servers (mostly the latter).  Being
> able to turn on the drives' encryption would be useful to us, both for
> meeting potential requirements from "above", and for saving the cost of
> the "keep your hard drive" add-on to our Dell service contracts.
> 
> BTW, some encryption requirements I'm aware of include the need for some
> kind of centralized reporting functionality.  I.e. without that in place,
> the data isn't considered to be encrypted.

Encryption is something that's been lately on my mind a lot
(specifically in relation to ZFS). Encrypting a bunch of data is simple
- in ZFS, all you need to do is define a new transform, encrypt the data
and then alloc a few bytes in the block pointer to hold the key ID (and
put the wrapped key in some hidden ZFS dataset property, or some other
place).

That's not the problem. The problem is: who's managing the encryption
keys (or passphrases) and how. The real kudos to Oracle (and Darren J.
Moffat in particular) for ZFS encryption is for integrating this well
into the userland tools.

Doing this for self-encrypting drives would be, well, non-trivial to say
the least. You'd probably need to do at least the following:

1) Teach the sd/scsi layer to recognize such drives and hold back any
   reads and writes while the drive is encrypted.

2) Teach some higher-level stuff (e.g. ZFS) to talk to the underlying
   storage to discover such drives (you wouldn't want a "zpool import"
   to lock up waiting while you manually unlock every drive in the
   system).

3) Integrate some userland framework that would fetch keys/passphrases
   from secure storage (either from a removable USB token or perhaps
   even over the net) whenever that's needed.

Encryption isn't simply a switch you flip that then magically protects
you. Doing it right takes a lot of careful thought and even then you may
not catch all corner cases (e.g. even Oracle's ZFS encryption doesn't
support encrypting root pools).

Anyway, just my thoughts on the matter.

--
Saso


