News, tips, partners, and perspectives for the Oracle Solaris operating system

ZFS Crypto Update

Darren Moffat
Senior Software Architect

I think I have everything from the "new world order" implemented now. Most of it is even working!

Now 1404 lines smaller and much more functional!

Summary of changes:

  • IV now always in BP
  • Macros for IV and MAC in BP
  • Keys now in MOS ZAP objects as a keychain rather a property
  • PROP_TYPE_BINARY removed
  • clones can have own key for unique data
  • clones can get new wrapping key at 'zfs clone' time.
  • keyscope and all zpool changes gone
  • keysource value and actual wrapping key inherited
  • No longer encrypting dnode bonusbufs (waiting on SA code)
  • Big code cleanup from the above changes.

I'm not done yet, now the big debugging session begins!

To finish is key change currently it works only for single dataset. Code is
written for all inheriting that wrapping key but not yet working.

The test suites also need updating and some other features like 'rename' and 'promote' haven't
been unit tested yet.


"English Translation", thats a tough one since the things Jim asked for a translation have no other reasonable names since they are either crypto or ZFS terms and what I was referring to is a very low level implementation detail that won't be at all visible to anyone other than a ZFS developer. However they are things that enable other features such as: "pool device removal", "better secured delete for clones".

For the schedule part see the zfs-crypto project page

Join the discussion

Comments ( 3 )
  • Glynn Foster Thursday, April 2, 2009

    Woohoo! </cheerlead>

  • Jim Laurent Thursday, April 2, 2009


    Please translate to English for those who are not kernel hackers:

    "new world order"

    Most of it is even working! (But when will it show up in Nevada or OpenSolaris)

    # IV now always in BP

    # acros for IV and MAC in BP


    # Keys now in MOS keychain object rather a property


  • Jonas Thursday, April 2, 2009

    So when can we expect integration into sxce?

Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.