ZFS Encryption as a ZFS property
ZFS encryption as a ZFS property, with a key per filesystem, is a feature of Oracle Solaris and an upcoming feature of Open-ZFS.
In the light of the upcoming EU ruleset DSGVO (GDPR), which even demands state-of-the-art data security at a technical level, I concentrate on making ZFS encryption (lock/unlock) accessible to end users without admin access to the storage management GUI (User-Lock/Unlock) and on allowing locking/unlocking based on a timetable, e.g. Auto-Unlock on working days in the morning and Auto-Lock in the evening.
User-Lock/Unlock via SMB and watched folders (working in current napp-it dev)
User-Lock is a new napp-it Pro feature that allows a user to lock/unlock a filesystem without access
to the storage administration software. For User-Lock/Unlock, you must:
- create an encrypted filesystem
- use a file or https based key
- enable User-Lock in ZFS Filesystems >> Encryption
- start the autolock service in menu Services
The service creates a ZFS filesystem "pool"/UserEncryption with one subfolder per encrypted filesystem (for filesystems with User-Lock enabled).
Enable SMB sharing for this filesystem, and set the ACLs you want on the share and on each per-filesystem subfolder: whoever may move the control file in a subfolder can lock and unlock that filesystem.
Content of these subfolders:
Folders: =lock and =unlock
Controlfile: =switcher.move
Statusfile: service-state.xx_yy (xx=service state, yy=lock state), e.g. service-state.online_locked
To unlock a filesystem: move the file =switcher.move to the folder =unlock
To lock a filesystem: move the file =switcher.move to the folder =lock
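The watched-folder mechanism above, as an added example in POSIX shell (not napp-it's own service code, which is not shown on this page): the function reads where =switcher.move currently sits in a subfolder of "pool"/UserEncryption, runs the matching Open-ZFS key commands for the filesystem, and rewrites the service-state.xx_yy status file. It assumes Open-ZFS command syntax (zfs load-key / unload-key, which read the key from the filesystem's keylocation, so the key file never leaves the server) and a directory layout built exactly as described above; the filesystem name and folder paths are supplied by the caller.

```shell
#!/bin/sh
# Added example: a minimal watcher for the =lock / =unlock control folders.
# Not napp-it's own code; assumes Open-ZFS "zfs load-key" / "zfs unload-key".

ZFS_BIN="${ZFS_BIN:-zfs}"   # overridable so the logic can be tested without a pool

# Where is the control file? Prints "unlock", "lock" or "none".
switcher_state() {
    dir="$1"
    if [ -f "$dir/=unlock/=switcher.move" ]; then
        echo unlock
    elif [ -f "$dir/=lock/=switcher.move" ]; then
        echo lock
    else
        echo none
    fi
}

# Replace any old service-state.* file with service-state.<svc>_<lock>.
write_state() {
    dir="$1"; svc="$2"; lockstate="$3"
    rm -f "$dir"/service-state.*
    : > "$dir/service-state.${svc}_${lockstate}"
}

# Apply the control-folder position of one subfolder to one ZFS filesystem.
# The key is taken from the filesystem's keylocation (file or https key),
# so the SMB user only moves a marker and never sees the key itself.
apply_switch() {
    dir="$1"; fs="$2"
    case "$(switcher_state "$dir")" in
        unlock)
            # load the key first, then mount; only then report "unlocked"
            "$ZFS_BIN" load-key "$fs" \
              && "$ZFS_BIN" mount "$fs" \
              && write_state "$dir" online unlocked
            ;;
        lock)
            # unmount before unloading the key; a busy unmount leaves the
            # state file unchanged, which is the honest answer
            "$ZFS_BIN" unmount "$fs" \
              && "$ZFS_BIN" unload-key "$fs" \
              && write_state "$dir" online locked
            ;;
        none)
            return 0
            ;;
    esac
}

# Service loop: poll one subfolder every INTERVAL seconds (default 10).
watch_loop() {
    dir="$1"; fs="$2"; interval="${3:-10}"
    write_state "$dir" online unknown
    while :; do
        apply_switch "$dir" "$fs"
        sleep "$interval"
    done
}

# Usage: ./userlock.sh --run /pool/UserEncryption/fs1 pool/fs1 [interval]
if [ "${1:-}" = "--run" ]; then
    shift
    watch_loop "$@"
fi
```

Because the state file is only rewritten after the zfs commands succeed, a user who moves =switcher.move to =lock while files are still open on the share will keep seeing service-state.online_unlocked until the unmount goes through; polling the status file name is therefore the reliable way for the user to confirm the result.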
Auto-Lock (todo)
Auto-Lock is a Pro feature to automatically lock/unlock a filesystem based on a timetable.