Also, when the IV is stored you can more easily look for accidental IV
re-use, and if you can find hash collisions, then you can even cause IV
re-use (if you can write to the filesystem in question). For GCM IV
re-use is rather fatal (for CCM it's bad, but IIRC not fatal), so I'd
not use GCM with
On 17/11/2010 21:58, Bill Sommerfeld wrote:
In particular, the mechanism by which dedup-friendly block IV's are
chosen based on the plaintext needs public scrutiny. Knowing Darren,
it's very likely that he got it right, but in crypto, all the details
matter and if a spec detailed enough to allow
On Wed, Nov 17, 2010 at 01:58:06PM -0800, Bill Sommerfeld wrote:
> On 11/17/10 12:04, Miles Nordin wrote:
> >black-box crypto is snake oil at any level, IMNSHO.
>
> Absolutely.
As Darren said, much of the design has been discussed in public, and
reviewed by cryptographers. It'd be nicer if we ha
On 11/17/10 12:04, Miles Nordin wrote:
black-box crypto is snake oil at any level, IMNSHO.
Absolutely.
Congrats again on finishing your project, but every other disk
encryption framework I've seen taken remotely seriously has a detailed
paper describing the algorithm, not just a list of featu
> On 23/11/2010 21:01, StorageConcepts wrote:
> > r...@solaris11:~# zfs list mypool/secret_received
> > cannot open 'mypool/secret_received': dataset does
> not exist
> > r...@solaris11:~# zfs send mypool/plaint...@test |
> zfs receive -o encryption=on mypool/secret_received
> > cannot receive: can
On 23/11/2010 21:01, StorageConcepts wrote:
r...@solaris11:~# zfs list mypool/secret_received
cannot open 'mypool/secret_received': dataset does not exist
r...@solaris11:~# zfs send mypool/plaint...@test | zfs receive -o encryption=on
mypool/secret_received
cannot receive: cannot override receiv
I just tested crypto a little and I have some send/receive specific questions
about it. It would be great if someone could clarify.
Currently ZFS has no background rewriter. However the fact that ZFS applies
most of the properties and tunables (like dedup or compression) on write time
for all n
The design for ZFS crypto was done in the open via opensolaris.org and
versions of the source (though not the final version at this time) are
available on opensolaris.org.
It was reviewed by internal and external to Sun/Oracle people who have
considerable crypto experience. Important parts of
On 19/11/2010 00:39, David Magda wrote:
On Nov 16, 2010, at 05:09, Darren J Moffat wrote:
Both CCM[1] and GCM[2] are provided so that if one turns out to have
flaws hopefully the other will still be available for use safely even
though they are roughly similar styles of modes.
On systems witho
On Nov 16, 2010, at 05:09, Darren J Moffat wrote:
Both CCM[1] and GCM[2] are provided so that if one turns out to have
flaws hopefully the other will still be available for use safely
even though they are roughly similar styles of modes.
On systems without hardware/cpu support for Galois mu
On Thu, 18 Nov 2010, Miles Nordin wrote:
In the unlikely event there was any impediment to your writing, and
releasing, the paper, hopefully my complaining will be one among many
things that helps remove it. Really, it is just mandatory.
Thanks for removing your impediment. The world will be
> "zu" == zfs user writes:
> "djm" == Darren J Moffat writes:
zu> Ugh, we all know that the first rule of crypto is that any
zu> proprietary, closed source, "black-box" crypto is crap, blah,
zu> blah, blah (I am not sure what the point of repeating that
zu> tired line is)
On 18/11/2010 03:55, grarpamp wrote:
One reason you may want to select aes-128-gcm rather than aes-128-ccm is
that GCM is one of the modes for AES in NSA Suite B[3], but CCM is not.
Are there symmetric algorithms other than AES that are of interest ?
How might AES-XTS [1] be able to fit into
On 17/11/2010 20:04, Miles Nordin wrote:
"djm" == Darren J Moffat writes:
djm> http://blogs.sun.com/darren/entry/introducing_zfs_crypto_in_oracle
djm> http://blogs.sun.com/darren/entry/assued_delete_with_zfs_dataset
djm>
http://blogs.sun.com/darren/entry/compress_encrypt_checks
> One reason you may want to select aes-128-gcm rather than aes-128-ccm is
> that GCM is one of the modes for AES in NSA Suite B[3], but CCM is not.
> Are there symmetric algorithms other than AES that are of interest ?
How might AES-XTS [1] be able to fit into the ZFS picture?
Additionally
On 11/17/10 12:04 PM, Miles Nordin wrote:
"djm" == Darren J Moffat writes:
djm> http://blogs.sun.com/darren/entry/introducing_zfs_crypto_in_oracle
djm> http://blogs.sun.com/darren/entry/assued_delete_with_zfs_dataset
djm>
http://blogs.sun.com/darren/entry/compress_encrypt_check
> "djm" == Darren J Moffat writes:
djm> http://blogs.sun.com/darren/entry/introducing_zfs_crypto_in_oracle
djm> http://blogs.sun.com/darren/entry/assued_delete_with_zfs_dataset
djm>
http://blogs.sun.com/darren/entry/compress_encrypt_checksum_deduplicate_with
Is there a URL describi
The question that has occurred to me is:
I *must* choose one of those support options for how long?
I mean if I buy support for a machine for a year and put S11 Express
in production on it, then I don't renew the support, am I now
violating the license?
That's bogus. I could be wrong but I don't
On Wed, 17 Nov 2010, Peter Tribble wrote:
Solaris 11 Express may be "production ready" but is Oracle Premier Support
prepared to support it in production?
Right there on the first page for S11 express on Oracle's web site it says
"fully tested and supported", and it's reasonably clear that the
On Wed, Nov 17, 2010 at 2:18 PM, Bob Friesenhahn
wrote:
>
> Solaris 11 Express may be "production ready" but is Oracle Premier Support
> prepared to support it in production?
Right there on the first page for S11 express on Oracle's web site it says
"fully tested and supported", and it's reasonab
On 17/11/2010 14:18, Bob Friesenhahn wrote:
On Wed, 17 Nov 2010, Markus Kovero wrote:
Does Oracle "support" Solaris 11 Express in production systems?
-- richard
Yes, You need Premier support plan from Oracle for that.
Afaik, sol11 express is production ready, and is going to be updated
to rea
On Wed, 17 Nov 2010, Markus Kovero wrote:
Does Oracle "support" Solaris 11 Express in production systems?
-- richard
Yes, You need Premier support plan from Oracle for that.
Afaik, sol11 express is production ready, and is going to be updated
to real Solaris 11, and is supported even with non
On 17/11/2010 11:41, Erik Trimble wrote:
There is on one "correct" solution for where to do encryption just
like there is on one correct way to write files onto persistent media.
Choice is important and sometimes choosing more than one is the
correct thing to do.
I'm assuming you meant "no" the
On 11/17/2010 2:33 AM, Darren J Moffat wrote:
On 17/11/2010 10:17, Richard Elling wrote:
I know there are far more apps without support for encryption than
with it. And given the ever more stringent government regulations in
the US, there are plenty of customers chomping at the bit for
encryptio
On 17/11/2010 10:17, Richard Elling wrote:
I know there are far more apps without support for encryption than
with it. And given the ever more stringent government regulations in
the US, there are plenty of customers chomping at the bit for
encryption at the storage array.
I do not disagree. Th
On Nov 17, 2010, at 1:57 AM, Tim Cook wrote:
>
>
> On Wed, Nov 17, 2010 at 7:34 PM, Richard Elling
> wrote:
> On Nov 16, 2010, at 2:03 PM, Rthoreau wrote:
>
>
> > I just think that some people might need that little
> > extra nudge that a few graphs and test would provide. If it happens to
On Wed, Nov 17, 2010 at 7:34 PM, Richard Elling wrote:
> On Nov 16, 2010, at 2:03 PM, Rthoreau wrote:
>
>
> > I just think that some people might need that little
> > extra nudge that a few graphs and test would provide. If it happens to
> > also come with a few good practices you could save a lo
> Does Oracle "support" Solaris 11 Express in production systems?
> -- richard
Yes, You need Premier support plan from Oracle for that.
Afaik, sol11 express is production ready, and is going to be updated to real
Solaris 11, and is supported even with non-oracle hardware if you have the
money (a
On Nov 16, 2010, at 2:03 PM, Rthoreau wrote:
> Darren J Moffat writes:
>
>> On 11/15/10 19:36, David Magda wrote:
>>
Using ZFS encryption support can be as easy as this:
# zfs create -o encryption=on tank/darren
Enter passphrase for 'tank/darren':
Enter
Darren J Moffat writes:
> On 11/15/10 19:36, David Magda wrote:
>
>>> Using ZFS encryption support can be as easy as this:
>>>
>>> # zfs create -o encryption=on tank/darren
>>> Enter passphrase for 'tank/darren':
>>> Enter again:
>>
>
>
>> 2. Both CCM and GCM modes of operatio
On Nov 15, 2010, at 14:36, David Magda wrote:
Looking forward to playing with it. Some questions:
1. Is it possible to do a 'zfs create -o encryption=off
tank/darren/music' after the above command? I don't much care if my
MP3s
are encrypted. :)
2. Both CCM and GCM modes of operation are s
On 11/15/10 19:36, David Magda wrote:
On Mon, November 15, 2010 14:14, Darren J Moffat wrote:
Today Oracle Solaris 11 Express was released and is available for
download[1], this release includes on disk encryption support for ZFS.
Using ZFS encryption support can be as easy as this:
# zf
On Mon, November 15, 2010 14:14, Darren J Moffat wrote:
> Today Oracle Solaris 11 Express was released and is available for
> download[1], this release includes on disk encryption support for ZFS.
>
> Using ZFS encryption support can be as easy as this:
>
> # zfs create -o encryption=on tank/d
Today Oracle Solaris 11 Express was released and is available for
download[1], this release includes on disk encryption support for ZFS.
Using ZFS encryption support can be as easy as this:
# zfs create -o encryption=on tank/darren
Enter passphrase for 'tank/darren':
Enter again:
34 matches