[OpenIndiana-discuss] What encryption options are available? [b 151_9]

James Carlson carlsonj at workingcode.com
Tue Aug 26 20:07:33 UTC 2014


On 08/26/14 15:50, Harry Putnam wrote:
> The author `darren' didn't bother to fill in what all those steps are
> doing.  Maybe not written for my low skill level.

I agree it's non-trivial, but it's not too hard, and it does show off
some interesting features in the OS.  The steps (with "#" in front of
things that must be done with privileges) are:

- Set an environment variable just for convenience so we don't
  have to keep typing that long path over and over.

  export PVOL=rpool/export/home/darrenm/pvol

- Create a 1GB volume

  # zfs create -V 1g $PVOL

- Use pktool to generate an encryption key.  He's using the
  pkcs11 keystore.  You could use a file if you wanted.  See
  the man pages.

  pktool genkey keystore=pkcs11 label=$PVOL keylen=256 keytype=aes

- Create a loopback device that reads and writes the 1GB volume
  described above, and set it up to use the desired encryption
  parameters.  You'd add "-k file" if you used a key file.

  # lofiadm -a /dev/zvol/rdsk/$PVOL -T:::$PVOL -c aes-256-cbc

  If this is the first "lofiadm -a" you've done, it should
  create "/dev/lofi/1" for you as a new device.

- Now create a zpool on top of that loopback device.

  # zpool create -O canmount=off -O checksum=sha256 \
    -O mountpoint=/export/home/darrenm darrenm /dev/lofi/1

- Change the permissions on the zpool so that the author can
  create, destroy, and mount filesystems inside.

  # zfs allow darrenm create,destroy,mount darrenm

- Now create an overlay mount.  This sets up the path so
  that "~/Documents" contains public stuff, but
  "~/Documents/Private" is hidden.

  zfs create -o canmount=off darrenm/Documents
  zfs create darrenm/Documents/Private

-- 
James Carlson         42.703N 71.076W         <carlsonj at workingcode.com>
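The steps above, collected into one script as an added example (this is not code from the message, nor from the blog post it describes). It assumes an OpenIndiana host providing pktool, lofiadm, zfs and zpool, and reuses the names from the message (the pvol volume, the "darrenm" pool and user). Two things the script does that the bare steps leave to the reader: it takes the loopback device name from the output of "lofiadm -a" instead of assuming /dev/lofi/1, which is only right the first time, and it gives "zpool create" its -O options before the pool name, which is named once. The DRY_RUN switch, the /dev/lofi/N placeholder and the RUN_SETUP guard are my additions so the plan can be reviewed before anything is created.

```shell
#!/bin/sh
# Added example, not the original author's script.  Assumes an OpenIndiana
# host with pktool, lofiadm, zfs and zpool.  Run with RUN_SETUP=1 as a
# privileged user; DRY_RUN=1 prints the commands instead of executing them.
set -eu

PVOL="${PVOL:-rpool/export/home/darrenm/pvol}"   # volume used in the message
POOL="${POOL:-darrenm}"                          # pool name used in the message
OWNER="${OWNER:-darrenm}"                        # user who may manage datasets
DRY_RUN="${DRY_RUN:-0}"

# run CMD...: execute, or print the command when dry-running.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Refuse to start if any required tool is missing.
check_tools() {
    for t in pktool lofiadm zfs zpool; do
        command -v "$t" >/dev/null 2>&1 || { echo "missing tool: $t" >&2; return 1; }
    done
}

# Attach the encrypted loopback device and print its path.  "lofiadm -a"
# prints the device it created, so the caller never has to guess the number.
# In dry-run mode the command goes to stderr and a placeholder is printed.
attach_lofi() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'lofiadm -a /dev/zvol/rdsk/%s -T:::%s -c aes-256-cbc\n' "$PVOL" "$PVOL" >&2
        echo /dev/lofi/N    # placeholder; the real number comes from lofiadm
    else
        lofiadm -a "/dev/zvol/rdsk/$PVOL" "-T:::$PVOL" -c aes-256-cbc
    fi
}

# The whole procedure from the message, in order.
setup_private_volume() {
    # 1GB raw volume that will hold the encrypted data.
    run zfs create -V 1g "$PVOL"
    # AES-256 key kept in the pkcs11 keystore under the volume's name.
    run pktool genkey keystore=pkcs11 label="$PVOL" keylen=256 keytype=aes
    # Encrypted loopback device on top of the volume.
    dev=$(attach_lofi)
    # Pool on the loopback device: -O options first, pool name once, then vdev.
    run zpool create -O canmount=off -O checksum=sha256 \
        -O "mountpoint=/export/home/$OWNER" "$POOL" "$dev"
    # Let the owner manage datasets inside the pool without root.
    run zfs allow "$OWNER" create,destroy,mount "$POOL"
    # Overlay: Documents is public, Documents/Private is the hidden dataset.
    # (In the message these last two steps are run as the owner, not root.)
    run zfs create -o canmount=off "$POOL/Documents"
    run zfs create "$POOL/Documents/Private"
}

if [ "${RUN_SETUP:-0}" = 1 ]; then
    check_tools
    setup_private_volume
fi
```

Review the plan first with `DRY_RUN=1 RUN_SETUP=1 sh setup-pvol.sh`; with DRY_RUN unset it performs the steps. The key lives in the pkcs11 keystore, so the loopback device cannot be re-attached on another host without it; keep that in mind before relying on the volume for anything you cannot recreate.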
