Ulrich Graef wrote:
> According: ZFS encryption
> Will it be possible to have an encrypted root pool?

We don't encrypt pools, we encrypt datasets. This is the same as what
is done for compression.
It will be possible in the initial integration to have encrypted
datasets in the root pool. However the bootfs dataset can not be
encrypted nor can /var or /usr if you have split those off into separate
datasets.

> Integration with TPM?

Eventually yes. Initially via PKCS#11 and eventually using it to store
the key for an encrypted bootfs. However, neither of these are in scope
for the first integration of the ZFS Crypto project. They haven't been
dropped; they were never planned for the initial integration.
TPM support in OpenSolaris is quite new (it won't be in the 2009.06
release); we don't yet have TPM support in GRUB, and we don't yet have
SPARC TPM support either. To get an encrypted bootfs dataset we need
to also modify GRUB to provide read-only support for encrypted datasets.
Doing this for SPARC is much harder - and might require OBP updates.
--
Darren J Moffat
_______________________________________________
zfs-discuss mailing list
zfs-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/zfs-discuss