.de Sc
\\s-1\\$1\\s0\\$2
..
.ds cA 2007/261
.ds aR \s-1PSARC\s0
.LP
.so ../../amac
.Co
.ds LF \fI\*(aR/\*(cA\fP
.ds RF \fICopyright 2008 Sun Microsystems\fP
.if n .ds CF
.IP \fBSubject:\fP 15
ZFS Encrypted Datasets
.IP "\fBSubmitted by:\fP" 15
Darren Moffat
.IP \fBFile:\fP 15
\*(aR/\*(cA/opinion.ms
.IP \fBDate:\fP 15
February 6, 2008
.IP "\fBCommittee:\fP" 15
Darren Moffat (opinion written by Garrett D'Amore),
Kais Belgaied,
Mark Carlson,
Joseph Kowalski,
Glenn Skinner.
.IP "\fBProduct Approval Committee:\fP" 15
Solaris PAC
.br
solaris-pac-opinion@sun.com

.pn 2
.NH
Summary
.LP
ZFS Encrypted Datasets is a project to provide cryptographic security to ZFS
datasets.  Specifically, it is intended to protect against theft of
physical storage and man-in-the-middle attacks on the SAN, and to provide
dataset-level secure deletion.  Data is encrypted at the dataset level,
allowing a mix of encrypted and unencrypted data in the same ZFS storage
pool.  The ZFS command-line and graphical user interfaces will be updated
accordingly.
.NH
Decision & Precedence Information
.LP
The project is approved as specified in reference [1].
.LP
The project may be delivered in a patch release of the ON consolidation.
.LP
The project depends on the following other project and may not be delivered
before it.
.RS
.IP \*(aR/2007/266
AES CCM for kernel crypto framework
.RE
.NH
Interfaces
.LP
The project exports the following interfaces.
.if n .ne 8
.if t .ne 3
.TS H
box;
c s s
l | l | l.
Interfaces Exported
_
Interface	Classification	Comments
_
.TH
encryption	Committed	Dataset property
sha256+ccm	Committed	Dataset checksum property value
keyscope	Committed	Dataset property
keysource	Committed	Dataset/pool property
keystatus	Committed	Dataset/pool property
zfs key	Committed	ZFS dataset key command
zpool key	Committed	ZFS pool key command
.TE
.LP
The project imports the following interfaces.
.if n .ne 8
.if t .ne 3
.TS H
box;
c s s
l | l | l.
Interfaces Imported
_
Interface	Classification	Comments
_
.TH
Kernel Cryptographic subsystem	Consolidation Private	PSARC 2001/533
.TE
.NH
Opinion
.LP
.NH 2
Encrypted swap
.LP
The project team noted that encryption of a dataset used for swap was possible,
but suffers from several security limitations which prevent it from being
fully secure.  The project team recommended that a project be funded to
investigate resolving these limitations, involving both the memory subsystem
and the security teams.
.NH 2
Documentation of key compromise
.LP
During discussion, it was noted that documentation covering policy
and procedures for handling the various forms of key compromise was
required.  The project team indicated that it plans to update the
System Administration guide to cover this, but one member noted that
it would be desirable to include at least a reference to the guide
in the zfs and/or zpool manual pages.
.NH
Minority Opinion(s)
.LP
None.
.NH
Advisory Information
.LP
A project to investigate properly securing swap using cryptography
should be funded, involving both the security and virtual memory
teams.
.NH
Appendices
.NH 2
Appendix A: Technical Changes Required
.LP
None.
.NH 2
Appendix B: Technical Changes Advised
.LP
None.
.NH 2
Appendix C: Reference Material
.LP
Unless stated otherwise, path names are relative to the case
directory \*(aR/\*(cA.
.IP 1.
One pager
.br
File: 20070509_darren.moffat
.IP 2.
Design document
.br
File: commitment.materials/zfs-crypto-design.pdf
.IP 3.
Updated zfs manual page
.br
File: commitment.materials/zfs.1m
.IP 4.
Updated zpool manual page
.br
File: commitment.materials/zpool.1m
.IP 5.
Command line examples
.br
File: commitment.materials/cli-examples.txt
.IP 6.
Notes from commitment review
.br
File: 20080206.2007.261.commitment
.IP 7.
OpenSolaris Project web page
.br
URL: http://opensolaris.org/os/project/zfs-crypto/
