ZFS Crypto Update
By Darren Moffat-Oracle on Apr 03, 2009
I think I have everything from the "new world order" implemented now. Most of it is even working!
Now 1404 lines smaller and much more functional!
Summary of changes:
- IV now always in BP
- Macros for IV and MAC in BP
- Keys now in MOS ZAP objects as a keychain rather than a property
- PROP_TYPE_BINARY removed
- clones can have own key for unique data
- clones can get new wrapping key at 'zfs clone' time.
- keyscope and all zpool changes gone
- keysource value and actual wrapping key inherited
- No longer encrypting dnode bonusbufs (waiting on SA code)
- Big code cleanup from the above changes.
I'm not done yet; now the big debugging session begins! Still to finish is key change: currently it works only for a single dataset. Code is written for all datasets inheriting that wrapping key but is not yet working.
The test suites also need updating and some other features like 'rename' and 'promote' haven't been unit tested yet.
Update:
"English Translation": that's a tough one, since the things Jim asked for a translation of have no other reasonable names. They are either crypto or ZFS terms, and what I was referring to is a very low-level implementation detail that won't be at all visible to anyone other than a ZFS developer. However, they are things that enable other features such as "pool device removal" and "better secured delete for clones".
- BP = Block Pointer
- IV = Initialisation Vector
- MAC = Message Authentication Code
- MOS = Meta Object Set
For the schedule part, see the zfs-crypto project page.