[OpenIndiana-discuss] What encryption options are available? [b 151_9]

Al Slater al.slater at scluk.com
Tue Aug 26 14:35:01 UTC 2014


On 26/08/2014 15:31, Harry Putnam wrote:
> Bob Friesenhahn <bfriesen at simple.dallas.tx.us> writes:
>
>> On Tue, 26 Aug 2014, Harry Putnam wrote:
>>>
>>> Hopefully I've gotten it all wrong.
>>> I'd hoped for something as simple as `encfs', then read that encryption
>>> was now built into zfs.  But then it appears not to be so for oi?
>>
>> Zfs encryption is for the data stored on disk and is not 'file'
>> level. Regardless, it is not provided for OpenIndiana.  FreeBSD has an
>> encryption layer which can be used on devices underneath zfs.
>>
>>> Can anyone spell out what is available to use on OI 151_9 in the way
>>> of really basic encryption?
>>>
>>> I'm basically only looking for something that would baffle script
>>> kiddies.  I don't expect to be attacked by serious players.
>>
>> If you want to protect individual files you could install and use pgp.
>>
>> The problem with so-called "script kiddies" is that usually such
>> scripts are run from within the cone of trust so they have access to
>> decrypted data.  If the filesystem automatically decrypts the data for
>> the applications (the normal case for an encrypting filesystem), then
>> a script running on that filesystem is able to use it.
>
> Thanks for the good info.
> Maybe I should provide a description of what I want to do.
>
> Encfs, which I've used on other OSes until now, works like this:
>
> Create a password protected container then whatever you put in it is
> encrypted.
>
> I keep only things like uid and passwords for the dozens of things one
> collects over time, and bits of info I'd rather not share.  Nothing too
> drastic.  But I guess UID and Passwd would be enough to drain my bank
> account of all 50 bucks ... hehe.
>
> What I do is (manually) open the container when I need something
> which is usually like once/twice per day or so, then close the
> container. So basically it stays encrypted most of the time.
>
> There is no automatic application access involved.
>
> So, I guess a script kiddie would have to first hack my host, then
> hack my UID/Passwd, and then hack the passwd on the encrypted
> container.
>
> As it is now, even root does not have access to the container without
> the passwd.
>
> So, all in all, I guess I'm looking for something that works along
> those lines.

How about a lofi encrypted zvol?

https://blogs.oracle.com/darren/entry/encrypting_zfs_pools_using_lofi


-- 
Al Slater
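The lofi workflow suggested above, written out as an added example (not code from the thread or from the linked blog post). It assumes a zvol named rpool/vault as backing store, /mnt/vault as mount point and UFS inside the container; the linked post puts a ZFS pool on the lofi device instead. Everything here runs as root on an illumos/OpenIndiana host.

```shell
#!/bin/sh
# Constructed example: an encfs-style open/close workflow on a
# lofi-encrypted zvol. Names below (rpool/vault, /mnt/vault) are assumed.
# lofiadm -c asks for the passphrase every time the device is attached,
# and the key leaves the kernel when the device is detached, so the
# container is only readable between "open" and "close".
VOL=${VOL:-rpool/vault}
MNT=${MNT:-/mnt/vault}
ALG=${ALG:-aes-256-cbc}   # lofiadm also accepts aes-128-cbc, aes-192-cbc

# lofi_raw: lofiadm -a prints the block device; newfs wants the raw one
lofi_raw() {
    case "$1" in
        /dev/lofi/*) printf '/dev/rlofi/%s\n' "${1#/dev/lofi/}" ;;
        *) echo "lofi_raw: not a lofi device: $1" >&2; return 1 ;;
    esac
}

# vault_init: one-time setup. Creates the zvol, attaches it encrypted,
# builds a UFS inside, detaches again. Destroys any data on the zvol.
vault_init() {
    zfs create -V "${1:-1G}" "$VOL" || return 1
    dev=$(lofiadm -a "/dev/zvol/rdsk/$VOL" -c "$ALG") || return 1
    newfs "$(lofi_raw "$dev")" && lofiadm -d "$dev"
}

# vault_open: attach (prompts for the passphrase) and mount; detach
# again if the mount fails so no stale plaintext device is left behind
vault_open() {
    mkdir -p "$MNT"
    dev=$(lofiadm -a "/dev/zvol/rdsk/$VOL" -c "$ALG") || return 1
    mount -F ufs "$dev" "$MNT" || { lofiadm -d "$dev"; return 1; }
}

# vault_close: unmount and detach so the decrypted view disappears
vault_close() {
    umount "$MNT" && lofiadm -d "/dev/zvol/rdsk/$VOL"
}

main() {
    case "$1" in
        init)  vault_init "$2" ;;
        open)  vault_open ;;
        close) vault_close ;;
        *) echo "usage: $0 init [size] | open | close" >&2; return 2 ;;
    esac
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Like the encfs setup described in the question, root can see the zvol but not its contents without the passphrase; a script running while the container is open sees the plaintext, which is why it should stay closed when not in use.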
