[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: ZFS Crypto key hand off to kernel

From: Darren J Moffat
Subject: Re: ZFS Crypto key hand off to kernel
Date: Fri, 13 Jan 2012 14:27:09 +0000
User-agent: Mozilla/5.0 (X11; SunOS i86pc; rv:8.0) Gecko/20111202 Thunderbird/8.0

On 01/13/12 14:17, Vladimir 'φ-coder/phcoder' Serbinenko wrote:
Is this something that would be of interest for GRUB2 ? If so I'll
look at developing the spec update and a patch for GRUB2 to support it
for the zfs crypto support.

That would be most welcome. The main issues are:
1) What to consider a key? IMHO it should be the master key, and not
password or session key.

Agreed, it is really helpful that GRUB2 has already done the PKCS#5 PBE transform in the case of a ZFS encrypted dataset. So there is no need to give the passphrase to the kernel when you can give the real key.

Also it wouldn't actually be useful in the case of ZFS encryption for GRUB2 to hand off the list of actual data encryption keys all we need is the key encryption key (aka master key, aka wrapping key).

2) How to match keys to actual devices? I think it should be UUID for
LUKS and POOLUUID+FSNAME for ZFS, or perhaps just POOLUUD.

I need to brush up on LUKS it has been a while since I looked at it but that sounds correct to me.

For ZFS I think it might be enough to give the dataset name but I like the idea of passing the POOL GUID as well. If I had both I would certainly use them.

3) GRUB may have some keys without knowing which pool/fs it's used for.
They should be marked as such.

I must be missing something here, how could that happen in the ZFS case? Or do you mean in general ?

Darren J Moffat

reply via email to

[Prev in Thread] Current Thread [Next in Thread]