On 26/08/2014 15:31, Harry Putnam wrote:
Bob Friesenhahn <bfrie...@simple.dallas.tx.us> writes:

On Tue, 26 Aug 2014, Harry Putnam wrote:

Hopefully I've gotten it all wrong.
I'd hoped for something as simple as `encfs', then read that encryption
was now built into zfs.  But then it appears not to be so for oi?

Zfs encryption is for the data stored on disk and is not 'file'
level. Regardless, it is not provided for OpenIndiana.  FreeBSD has an
encryption layer which can be used on devices underneath zfs.

Can anyone spell out what is available to use on OI 151_9 in the way
of really basic encryption?

I'm basically only looking for something that would baffle script
kiddies.  I don't expect to be attacked by serious players.

If you want to protect individual files you could install and use pgp.

The problem with so-called "script kiddies" is that usually such
scripts are run from within the cone of trust so they have access to
decrypted data.  If the filesystem automatically decrypts the data for
the applications (the normal case for an encrypting filesystem), then
a script running on that filesystem is able to use it.

Thanks for the good info.
Maybe I should provide a description of what I want to do.

With encfs... which I've used on other os's until now, works like this:

Create a password protected container then whatever you put in it is
encrypted.

I keep only things like uid and passwords for the dozens of things one
collects over time, and bits of info I'd rather not share.  Nothing too
drastic.  But I guess UID and Passwd would be enough to drain my bank
account of all 50 bucks ... hehe.

What I do is (manually) open the container when I need something
which is usually like once/twice per day or so, then close the
container. So basically it stays encrypted most of the time.

There is no automatic application access involved.

So, I guess a script kiddie would have to first hack my host, then
hack my UID/Passwd, and then hack the passwd on the encrypted
container.

As it is now, even root does not have access to the container without
the passwd.

So, all in all, I guess I'm looking for something that works along
those lines.

How about a lofi encrypted zvol?

https://blogs.oracle.com/darren/entry/encrypting_zfs_pools_using_lofi


--
Al Slater




_______________________________________________
openindiana-discuss mailing list
openindiana-discuss@openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss
