[Cryptography] encrypting hard drives (was Re: Shredding a file on a flash-based file system?)
Dan McDonald
danmcd at kebe.com
Thu Jun 19 16:18:18 EDT 2014
On Thu, Jun 19, 2014 at 04:09:12PM -0400, Perry E. Metzger wrote:
<SNIP!>
> If performance is really an issue, I think the real solution is to
> put an AES accelerator into the on-motherboard side of the disk
> controller, and have it completely under the control of the main
> CPU's operating system. Treat the hard drive as hostile, never send
> it any keying material and never send it any unencrypted data, and
> then you don't have to worry about who may have tampered with its
> firmware.
ZFS crypto, closed-source thanks to Oracle, was supposed to address this
problem. Its design was to apply crypto in the "ZIO" path, like it does for
checksums. I've not used Oracle Solaris, but apparently ZFS crypto is in
there and it supposedly works.
And let me state for people wondering, "Why isn't it in OpenZFS already?"
1.) Nobody with appropriate subject matter expertise has customers who are
beating them up for it.
2.) The same people are being beaten up by their customers for other things.
So no paying demand == no ZFS crypto.
Dan
More information about the cryptography
mailing list