Disk Encryption for Solaris 9

Is there such a thing?

I know theres an encryption pack for Solaris 10. Would this do disk
encryption?

Basically, I need to build a few Jumpstart laptops which will be used
to build Solaris 9 systems. Trouble is the requirement is that they
must be encrypted.

Any suggestions?

I suppose I could run Solaris 10, along with encryption pack, on the
laptops but still build Solaris 9 using Jumpstart? Is that possible?

On 2008-03-12, <> wrote:
>
> I suppose I could run Solaris 10, along with encryption pack, on the
> laptops but still build Solaris 9 using Jumpstart? Is that possible?

Yes, you can have as many served OSs as you have disk space for.

I'm not aware of any whole-disk encryption products for Solaris though.
The Encryption 10 encryption kit doesn't do it as far as I can tell.

There was talk of having encryption support for zfs file systems and
support through lofi, both in OpenSolaris rather than Solaris 10. I'm
not sure how far these initiatives have got, but I guess that the kind
of customers you have who are mandating Solaris 10 will not be happy
with something as uncommercial as OpenSolaris.

I guess you could have a Windows or Linux system with encrypted file
system such as pointsec, safeboot or dm-crypt and run your jumpstart
server as a host under VMware, but it's rather messy to say the least.

--
------------------------------------------------------------------------
Pete Young Remove dot. to reply
"Just another crouton, floating on the bouillabaisse of life"

----== Posted via Newsfeeds.Com - Unlimited-Unrestricted-Secure Usenet News==----
http://www.newsfeeds.com The #1 Newsgroup Service in the World! 120,000+ Newsgroups
----= East and West-Coast Server Farms - Total Privacy via Encryption =----

> Yes, you can have as many served OSs as you have disk space for.
>
> I'm not aware of any whole-disk encryption products for Solaris though.
> The Encryption 10 encryption kit doesn't do it as far as I can tell.

I'm surprised at that since theres a market for laptops with encrypted
disks...

>
> There was talk of having encryption support for zfs file systems and
> support through lofi, both in OpenSolaris rather than Solaris 10. I'm
> not sure how far these initiatives have got, but I guess that the kind
> of customers you have who are mandating Solaris 10 will not be happy
> with something as uncommercial as OpenSolaris.
>
> I guess you could have a Windows or Linux system with encrypted file
> system such as pointsec, safeboot or dm-crypt and run your jumpstart
> server as a host under VMware, but it's rather messy to say the least.

Although thinking about it - I dont suppose theres any reason why you
cant replace the disk in a laptop with a flagstone disk and install
Solaris on this?

From what I understand, a Flagstone disk is encrypted and asks the
user for a password before any OS gets involved at all....

Pete <> writes:
>On 2008-03-12, <> wrote:
>>
>> I suppose I could run Solaris 10, along with encryption pack, on the
>> laptops but still build Solaris 9 using Jumpstart? Is that possible?

>Yes, you can have as many served OSs as you have disk space for.

>I'm not aware of any whole-disk encryption products for Solaris though.
>The Encryption 10 encryption kit doesn't do it as far as I can tell.


The encryption kit offers bigger-key and some new crypto algorithms
for some of the built-in library crypto functions on Solaris. Doesn't
do anything else... Most people don't need it.

Best bet is to port TrueCrypt or something simular to Solaris. I don't
know of anything already done out there.
There is a ZFS Crypto project, but if anything, thats for Solaris Express,
not Solaris9..

In article
<ddda71c3-3c37-4fc4-8a3a->,
"" <> wrote:

> Is there such a thing?
>
> I know theres an encryption pack for Solaris 10. Would this do disk
> encryption?
>
> Basically, I need to build a few Jumpstart laptops which will be used
> to build Solaris 9 systems. Trouble is the requirement is that they
> must be encrypted.
>
> Any suggestions?
>
> I suppose I could run Solaris 10, along with encryption pack, on the
> laptops but still build Solaris 9 using Jumpstart? Is that possible?

I think Solaris is lagging behind this feature in that it's not offered
by Sun. Maybe it's available if you install a 3rd-party filesystem, but
you won't be able to boot from it unless you modify and install your own
boot code in ROM.

So, you'll have to revisit this requirement or install something else
that offers disk-level encryption.

Got code?

--
DeeDee, don't press that button! DeeDee! NO! Dee...

schrieb:
> Is there such a thing?
>
> I know theres an encryption pack for Solaris 10. Would this do disk
> encryption?
>
> Basically, I need to build a few Jumpstart laptops which will be used
> to build Solaris 9 systems. Trouble is the requirement is that they
> must be encrypted.
>
> Any suggestions?
>
> I suppose I could run Solaris 10, along with encryption pack, on the
> laptops but still build Solaris 9 using Jumpstart? Is that possible?
>

why do you have to encrypt stuff everybody can download by themselve?

If the only reason are the templates or configs: write a routine which
runs a boot to decrypt to a tmpfs the files you need and update the
archive somewhere. or easier (i asume the reason for laptop is
dhcp/bootp without dhcp-helpers and routing) download it with wget or
curl from a central repository (over ssl with client certs of course:-)
just in time.

jet or humpstart runs fine on Solaris 10, but still not in zones, due to
the nfs server, which require global zone for kernel modules.

So have a look at opensolaris for the zfs crypto project, but it seems
to not very agile.
JET has also some scripts which are not working with zfs (i make a step
between and copy to zfs by hand), the time i tried it last.

Wolfgang

On Mar 12, 7:39*pm, Wolfgang <wtra...@AT.web.de> wrote:
> BertieBigBol...@gmail.com schrieb:
>
> > Is there such a thing?
>
> > I know theres an encryption pack for Solaris 10. Would this do disk
> > encryption?
>
> > Basically, I need to build a few Jumpstart laptops which will be used
> > to build Solaris 9 systems. Trouble is the requirement is that they
> > must be encrypted.
>
> > Any suggestions?
>
> > I suppose I could run Solaris 10, along with encryption pack, on the
> > laptops but still build Solaris 9 using Jumpstart? Is that possible?
>
> why do you have to encrypt stuff everybody can download by themselve?
>
Its not the Solaris OS that needs to encrypted. Its the other stuff
including the contents of the Flash archive (containing other stuff)
used to jumpstart the systems being built thats the problem...

On 2008-03-12, Wolfgang <> wrote:
> schrieb:
>
> why do you have to encrypt stuff everybody can download by themselve?

I would guess that it's policy rather than a technical reason.

The large number of laptop thefts and losses, along with lots of
sensitive data in some cases, means that many organisations now mandate
whole-disk encryption of any laptop that may be carrying sensitive
material, the view amongst the security community being that file-system
level encryption is insufficient protection. Bertie might get an
exception for a jumpstart server to do a vanilla system build, but if
there's any sensitive data included in the build then he's not going to
be able to get around the requirement.

So there's clearly a market for whole-disk encryption on laptops, but
whether there is a market for Solaris on laptops which is big enough to
justify the effort of a whole-disk encryption product, is another
question altogether.

--
------------------------------------------------------------------------
Pete Young Remove dot. to reply
"Just another crouton, floating on the bouillabaisse of life"

----== Posted via Newsfeeds.Com - Unlimited-Unrestricted-Secure Usenet News==----
http://www.newsfeeds.com The #1 Newsgroup Service in the World! 120,000+ Newsgroups
----= East and West-Coast Server Farms - Total Privacy via Encryption =----

On 2008-03-12, <> wrote:
>
> I'm surprised at that since theres a market for laptops with encrypted
> disks...

Unfortunately, there's no market for laptops running Solaris.

> Although thinking about it - I dont suppose theres any reason why you
> cant replace the disk in a laptop with a flagstone disk and install
> Solaris on this?
>
> From what I understand, a Flagstone disk is encrypted and asks the
> user for a password before any OS gets involved at all....

Seems reasonable. I'm not familiar with Flagstone, but it does claim
that you can run any OS and it if CESG have accredited it then it should
be OK.

--
------------------------------------------------------------------------
Pete Young Remove dot. to reply
"Just another crouton, floating on the bouillabaisse of life"

----== Posted via Newsfeeds.Com - Unlimited-Unrestricted-Secure Usenet News==----
http://www.newsfeeds.com The #1 Newsgroup Service in the World! 120,000+ Newsgroups
----= East and West-Coast Server Farms - Total Privacy via Encryption =----

On 2008-03-14, Pete <> wrote:
> On 2008-03-12, <> wrote:
>>
>> I'm surprised at that since theres a market for laptops with encrypted
>> disks...
>
> Unfortunately, there's no market for laptops running Solaris.

Well, there is, but it's rather small. [FX: waves]

Not statistically significant, but in 15 years commuting into the City of London
and OS spotting on the train, I've only ever seen 2 people not running Windows
or MacOS on their laptops. One was running Centos and the other an unidentified
Linux. I have to manage with Cygwin.


--
"Be thankful that you have a life, and forsake your vain
and presumptuous desire for a second one."
[email me at huge {at} huge (dot) org <dot> uk]