By Darren Moffat-Oracle on May 10, 2011
As some readers might remember from previous posts, it isn't possible in Solaris 11 Express to boot from an encrypted ZFS dataset. However, it is possible to have encrypted swap space and thus (by default) an encrypted /tmp. That still leaves /var/tmp unencrypted.
First let's look at swap space encryption. That is as simple as putting the word "encrypted" into the mount options field of /etc/vfstab for the swap entry. If swap is a ZVOL then ZFS encryption is used; if swap is a raw disk slice or a file then lofi is interposed over the device/file using a randomly generated key. That is a fully supported solution in Solaris 11 Express, implemented by the swapadd command.
For encrypting /var/tmp we need to go beyond the provided services; the following (unsupported) method takes its lead from what I did for swapadd and applies it to /var/tmp. Note, however, that this assumes nothing in /var/tmp needs to be preserved across a reboot, and that its contents won't even be readable from another boot environment, so if you use this don't put anything into /var/tmp that you want access to after a reboot.
This takes advantage of the fact that in SMF we can place dependencies onto other services without modifying them. So while the following makes some basic assumptions about the Solaris ZFS dataset layout, it doesn't require modifying any existing binaries or configuration files.
We create a new service, svc:/site/system/filesystem/tmp:default, which creates an encrypted dataset for /var/tmp using the manifest and method script that follow:
<?xml version='1.0'?>
<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
<!--
 CDDL HEADER START

 The contents of this file are subject to the terms of the
 Common Development and Distribution License (the "License").
 You may not use this file except in compliance with the License.

 You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 or http://www.opensolaris.org/os/licensing.
 See the License for the specific language governing permissions
 and limitations under the License.

 When distributing Covered Code, include this CDDL HEADER in each
 file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 If applicable, add the following below this CDDL HEADER, with the
 fields enclosed by brackets "[]" replaced with your own identifying
 information: Portions Copyright [yyyy] [name of copyright owner]

 CDDL HEADER END

 Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
-->
<service_bundle type='manifest' name='darrenm:etmp'>
  <service name='site/system/filesystem/tmp' type='service' version='1'>
    <create_default_instance enabled='true' />
    <single_instance />
    <!-- The crypto framework must be up before ZFS can create an encrypted dataset. -->
    <dependency name='cryptosvc' grouping='require_all' type='service' restart_on='none'>
      <service_fmri value='svc:/system/cryptosvc' />
    </dependency>
    <!-- Make filesystem/minimal wait for this service, so /var/tmp is mounted
         before anything that depends on it starts; optional_all means a failure
         here does not block the rest of boot. -->
    <dependent name='var-tmp' grouping='optional_all' restart_on='none'>
      <service_fmri value='svc:/system/filesystem/minimal' />
    </dependent>
    <exec_method type='method' name='start' exec='/lib/svc/method/site-etmp' timeout_seconds='30' />
    <exec_method type='method' name='stop' exec=':true' timeout_seconds='1' />
    <property_group name='startd' type='framework'>
      <propval name='duration' type='astring' value='transient' />
    </property_group>
  </service>
</service_bundle>
#!/usr/sbin/sh
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
# Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
#
# /lib/svc/method/site-etmp
#
# Start method for svc:/site/system/filesystem/tmp: discard the previous
# boot's dataset and mount a freshly created, encrypted dataset on /var/tmp.

. /lib/svc/share/smf_include.sh

# Remove last boot's dataset. Its key was never stored, so nothing in it
# is readable anyway; ignore the error if it does not exist.
zfs destroy rpool/tmp > /dev/null 2>&1

# Create the new dataset with a raw key read from /dev/random. The key is
# not saved anywhere, so the data cannot be read after a reboot or from
# another boot environment. If this fails, do not report success: /var/tmp
# would silently be a plain directory on the unencrypted root dataset.
zfs create -o mountpoint=/var/tmp -o encryption=on \
    -o keysource=raw,file:///dev/random rpool/tmp || exit $SMF_EXIT_ERR_FATAL

# /var/tmp needs the usual world-writable, sticky-bit permissions.
chmod 1777 /var/tmp || exit $SMF_EXIT_ERR_FATAL

exit $SMF_EXIT_OK
On reboot, the previous rpool/tmp dataset is destroyed and a new one is created for /var/tmp. It would be possible to have a more sophisticated method script that doesn't use a hardcoded dataset name of rpool/tmp, but this seems sufficient for now. It will look something like this:
darrenm-pc:pts/1$ cd /var/tmp
darrenm-pc:pts/1$ df -hl .
Filesystem             Size   Used  Available Capacity  Mounted on
rpool/tmp              113G    79K       77G     1%    /var/tmp
darrenm-pc:pts/1$ ls -ld .
drwxrwxrwt   5 root     root           5 May 10 14:39 ./
darrenm-pc:pts/1$ zfs get encryption,keysource,keystatus rpool/tmp
NAME       PROPERTY    VALUE                    SOURCE
rpool/tmp  encryption  on                       local
rpool/tmp  keysource   raw,file:///dev/random   local
rpool/tmp  keystatus   available                -
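The manual inspection above can be turned into a check that runs after every boot. This is an added example, not part of the original post: it parses the tab-separated form of the same zfs get query plus the mode column of ls -ld, and it assumes the post's dataset name rpool/tmp; the sample outputs embedded in it are constructed so the check can be exercised without a pool.

```shell
#!/bin/sh
# Added example, not from the original post: an after-reboot check that
# /var/tmp really is the encrypted, randomly keyed dataset the
# site/system/filesystem/tmp service is meant to create. The checks parse
# the tab-separated output of `zfs get -H` and the mode column of `ls -ld`,
# so they can be exercised here on constructed sample output without a pool.
# check_etmp: read, on stdin, the output of
#   zfs get -H -o property,value encryption,keysource,keystatus,mountpoint rpool/tmp
# (pipe the real command into it on a live system) and succeed only if
# all four properties have the value the service is supposed to produce.
check_etmp() {
    enc=off ksrc= kstat= mnt=
    tab=$(printf '\t')
    while IFS="$tab" read -r prop val; do
        case "$prop" in
            encryption) enc=$val ;;
            keysource)  ksrc=$val ;;
            keystatus)  kstat=$val ;;
            mountpoint) mnt=$val ;;
        esac
    done
    [ "$enc" != off ] || { echo "rpool/tmp is not encrypted" >&2; return 1; }
    # A key drawn from /dev/random and never stored is what makes the old
    # contents unreadable after a reboot or from another boot environment.
    [ "$ksrc" = "raw,file:///dev/random" ] || { echo "key is not random: $ksrc" >&2; return 2; }
    [ "$kstat" = available ] || { echo "key not loaded: $kstat" >&2; return 3; }
    [ "$mnt" = /var/tmp ] || { echo "wrong mountpoint: $mnt" >&2; return 4; }
    return 0
}

# check_tmp_mode: takes the mode column of `ls -ld /var/tmp`, which must be
# world-writable with the sticky bit set (what chmod 1777 produces).
check_tmp_mode() {
    case "$1" in
        drwxrwxrwt) return 0 ;;
        *) echo "unexpected mode on /var/tmp: $1" >&2; return 1 ;;
    esac
}

# Constructed sample reproducing the post's `zfs get` output in -H form.
sample_good() {
    printf 'encryption\ton\nkeysource\traw,file:///dev/random\nkeystatus\tavailable\nmountpoint\t/var/tmp\n'
}

# Constructed sample of what is left if `zfs create` in the method script
# failed and /var/tmp is just a directory on the unencrypted root dataset.
sample_bad() {
    printf 'encryption\toff\nkeysource\tnone\nkeystatus\tnone\nmountpoint\t/var/tmp\n'
}
```

On a live system replace the sample with the real query, e.g. zfs get -H -o property,value encryption,keysource,keystatus,mountpoint rpool/tmp | check_etmp, and the distinct return codes tell you which property is wrong.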