
Disk Encryption for Solaris 9

Discussion in 'Sun Hardware' started by BertieBigBollox@gmail.com, Mar 12, 2008.

  1. Guest

    Is there such a thing?

    I know there's an encryption pack for Solaris 10. Would this do disk
    encryption?

    Basically, I need to build a few Jumpstart laptops which will be used
    to build Solaris 9 systems. Trouble is the requirement is that they
    must be encrypted.

    Any suggestions?

    I suppose I could run Solaris 10, along with encryption pack, on the
    laptops but still build Solaris 9 using Jumpstart? Is that possible?
     
    , Mar 12, 2008
    #1

  2. Pete Guest

    On 2008-03-12, <> wrote:
    >
    > I suppose I could run Solaris 10, along with encryption pack, on the
    > laptops but still build Solaris 9 using Jumpstart? Is that possible?


    Yes, you can have as many served OSs as you have disk space for.

    I'm not aware of any whole-disk encryption products for Solaris though.
    The Encryption 10 encryption kit doesn't do it as far as I can tell.

    There was talk of having encryption support for zfs file systems and
    support through lofi, both in OpenSolaris rather than Solaris 10. I'm
    not sure how far these initiatives have got, but I guess that the kind
    of customers you have who are mandating Solaris 10 will not be happy
    with something as uncommercial as OpenSolaris.

    I guess you could have a Windows or Linux system with encrypted file
    system such as pointsec, safeboot or dm-crypt and run your jumpstart
    server as a host under VMware, but it's rather messy to say the least.

    --
    ------------------------------------------------------------------------
    Pete Young Remove dot. to reply
    "Just another crouton, floating on the bouillabaisse of life"

    ----== Posted via Newsfeeds.Com - Unlimited-Unrestricted-Secure Usenet News==----
    http://www.newsfeeds.com The #1 Newsgroup Service in the World! 120,000+ Newsgroups
    ----= East and West-Coast Server Farms - Total Privacy via Encryption =----
     
    Pete, Mar 12, 2008
    #2

  3. Guest

    > Yes, you can have as many served OSs as you have disk space for.
    >
    > I'm not aware of any whole-disk encryption products for Solaris though.
    > The Encryption 10 encryption kit doesn't do it as far as I can tell.


    I'm surprised at that since there's a market for laptops with encrypted
    disks...

    >
    > There was talk of having encryption support for zfs file systems and
    > support through lofi, both in OpenSolaris rather than Solaris 10. I'm
    > not sure how far these initiatives have got, but I guess that the kind
    > of customers you have who are mandating Solaris 10 will not be happy
    > with something as uncommercial as OpenSolaris.
    >
    > I guess you could have a Windows or Linux system with encrypted file
    > system such as pointsec, safeboot or dm-crypt and run your jumpstart
    > server as a host under VMware, but it's rather messy to say the least.


    Although thinking about it - I don't suppose there's any reason why you
    can't replace the disk in a laptop with a flagstone disk and install
    Solaris on this?

    From what I understand, a Flagstone disk is encrypted and asks the
    user for a password before any OS gets involved at all....
     
    , Mar 12, 2008
    #3
  4. Pete <2net.com> writes:
    >On 2008-03-12, <> wrote:
    >>
    >> I suppose I could run Solaris 10, along with encryption pack, on the
    >> laptops but still build Solaris 9 using Jumpstart? Is that possible?


    >Yes, you can have as many served OSs as you have disk space for.


    >I'm not aware of any whole-disk encryption products for Solaris though.
    >The Encryption 10 encryption kit doesn't do it as far as I can tell.



    The encryption kit offers bigger-key and some new crypto algorithms
    for some of the built-in library crypto functions on Solaris. Doesn't
    do anything else... Most people don't need it.

    Best bet is to port TrueCrypt or something similar to Solaris. I don't
    know of anything already done out there.
    There is a ZFS Crypto project, but if anything, that's for Solaris Express,
    not Solaris9..
     
    Doug McIntyre, Mar 12, 2008
    #4
  5. In article
    <>,
    "" <> wrote:

    > Is there such a thing?
    >
    > I know there's an encryption pack for Solaris 10. Would this do disk
    > encryption?
    >
    > Basically, I need to build a few Jumpstart laptops which will be used
    > to build Solaris 9 systems. Trouble is the requirement is that they
    > must be encrypted.
    >
    > Any suggestions?
    >
    > I suppose I could run Solaris 10, along with encryption pack, on the
    > laptops but still build Solaris 9 using Jumpstart? Is that possible?


    I think Solaris is lagging behind this feature in that it's not offered
    by Sun. Maybe it's available if you install a 3rd-party filesystem, but
    you won't be able to boot from it unless you modify and install your own
    boot code in ROM.

    So, you'll have to revisit this requirement or install something else
    that offers disk-level encryption.

    Got code?

    --
    DeeDee, don't press that button! DeeDee! NO! Dee...
     
    Michael Vilain, Mar 12, 2008
    #5
  6. Wolfgang Guest

    wrote:
    > Is there such a thing?
    >
    > I know there's an encryption pack for Solaris 10. Would this do disk
    > encryption?
    >
    > Basically, I need to build a few Jumpstart laptops which will be used
    > to build Solaris 9 systems. Trouble is the requirement is that they
    > must be encrypted.
    >
    > Any suggestions?
    >
    > I suppose I could run Solaris 10, along with encryption pack, on the
    > laptops but still build Solaris 9 using Jumpstart? Is that possible?
    >


    Why do you have to encrypt stuff everybody can download by themselves?

    If the only reason is the templates or configs: write a routine which
    runs at boot to decrypt to a tmpfs the files you need and update the
    archive somewhere. Or easier (I assume the reason for laptop is
    dhcp/bootp without dhcp-helpers and routing) download it with wget or
    curl from a central repository (over ssl with client certs of course:)
    just in time.

    JET or Jumpstart runs fine on Solaris 10, but still not in zones, due to
    the nfs server, which requires global zone for kernel modules.

    So have a look at opensolaris for the zfs crypto project, but it seems
    to be not very agile.
    JET has also some scripts which are not working with zfs (I make a step
    between and copy to zfs by hand), the time I tried it last.

    Wolfgang
     
    Wolfgang, Mar 12, 2008
    #6
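
The "decrypt to a tmpfs at boot" routine suggested in post #6, as an added example that is not part of the original thread. The function names, the `ARCHIVE_PASS` variable, the `.enc` suffix and the choice of `openssl enc` with AES-256-CBC and PBKDF2 (OpenSSL 1.1.1 or later) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): decrypt an encrypted build archive
# into a memory-backed directory so the plaintext is never written to the
# laptop's file systems.
# Assumptions: openssl supports -pbkdf2; the staging directory lives on
# tmpfs (e.g. /tmp on Solaris); all names here are hypothetical.

sha256_of() {
    # Print only the hex SHA-256 digest of file $1.
    openssl dgst -sha256 "$1" | awk '{print $NF}'
}

stage_archive() {
    # $1 encrypted archive, $2 expected SHA-256 of the plaintext,
    # $3 tmpfs staging directory. The passphrase is read from the
    # ARCHIVE_PASS environment variable (entered at boot, never stored).
    enc=$1 want=$2 dir=$3
    [ -n "$ARCHIVE_PASS" ] || { echo "no passphrase" >&2; return 2; }
    old_umask=$(umask); umask 077          # plaintext readable by owner only
    mkdir -p "$dir" || { umask "$old_umask"; return 1; }
    out="$dir/$(basename "$enc" .enc)"
    if ! openssl enc -d -aes-256-cbc -pbkdf2 -pass env:ARCHIVE_PASS \
            -in "$enc" -out "$out" 2>/dev/null; then
        rm -f "$out"; umask "$old_umask"
        echo "decrypt failed" >&2; return 3
    fi
    umask "$old_umask"
    # CBC provides no integrity protection, so verify the digest explicitly
    # and discard the output if it does not match.
    if [ "$(sha256_of "$out")" != "$want" ]; then
        rm -f "$out"
        echo "digest mismatch" >&2; return 4
    fi
    echo "$out"                            # path of the staged plaintext
}
```

tmpfs pages can be paged out to the swap device, so with unencrypted swap the plaintext can still reach the disk.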
  7. Guest

    On Mar 12, 7:39 pm, Wolfgang <> wrote:
    > wrote:
    >
    > > Is there such a thing?

    >
    > > I know there's an encryption pack for Solaris 10. Would this do disk
    > > encryption?

    >
    > > Basically, I need to build a few Jumpstart laptops which will be used
    > > to build Solaris 9 systems. Trouble is the requirement is that they
    > > must be encrypted.

    >
    > > Any suggestions?

    >
    > > I suppose I could run Solaris 10, along with encryption pack, on the
    > > laptops but still build Solaris 9 using Jumpstart? Is that possible?

    >
    > Why do you have to encrypt stuff everybody can download by themselves?
    >

    It's not the Solaris OS that needs to be encrypted. It's the other stuff
    including the contents of the Flash archive (containing other stuff)
    used to jumpstart the systems being built that's the problem...
     
    , Mar 13, 2008
    #7
  8. Pete Guest

    On 2008-03-12, Wolfgang <> wrote:
    > wrote:
    >
    > Why do you have to encrypt stuff everybody can download by themselves?


    I would guess that it's policy rather than a technical reason.

    The large number of laptop thefts and losses, along with lots of
    sensitive data in some cases, means that many organisations now mandate
    whole-disk encryption of any laptop that may be carrying sensitive
    material, the view amongst the security community being that file-system
    level encryption is insufficient protection. Bertie might get an
    exception for a jumpstart server to do a vanilla system build, but if
    there's any sensitive data included in the build then he's not going to
    be able to get around the requirement.

    So there's clearly a market for whole-disk encryption on laptops, but
    whether there is a market for Solaris on laptops which is big enough to
    justify the effort of a whole-disk encryption product, is another
    question altogether.

    --
    ------------------------------------------------------------------------
    Pete Young Remove dot. to reply
    "Just another crouton, floating on the bouillabaisse of life"

     
    Pete, Mar 14, 2008
    #8
  9. Pete Guest

    On 2008-03-12, <> wrote:
    >
    > I'm surprised at that since there's a market for laptops with encrypted
    > disks...


    Unfortunately, there's no market for laptops running Solaris.

    > Although thinking about it - I don't suppose there's any reason why you
    > can't replace the disk in a laptop with a flagstone disk and install
    > Solaris on this?
    >
    > From what I understand, a Flagstone disk is encrypted and asks the
    > user for a password before any OS gets involved at all....


    Seems reasonable. I'm not familiar with Flagstone, but it does claim
    that you can run any OS and if CESG have accredited it then it should
    be OK.

    --
    ------------------------------------------------------------------------
    Pete Young Remove dot. to reply
    "Just another crouton, floating on the bouillabaisse of life"

     
    Pete, Mar 14, 2008
    #9
  10. Huge Guest

    On 2008-03-14, Pete <> wrote:
    > On 2008-03-12, <> wrote:
    >>
    >> I'm surprised at that since there's a market for laptops with encrypted
    >> disks...

    >
    > Unfortunately, there's no market for laptops running Solaris.


    Well, there is, but it's rather small. [FX: waves]

    Not statistically significant, but in 15 years commuting into the City of London
    and OS spotting on the train, I've only ever seen 2 people not running Windows
    or MacOS on their laptops. One was running Centos and the other an unidentified
    Linux. I have to manage with Cygwin.


    --
    "Be thankful that you have a life, and forsake your vain
    and presumptuous desire for a second one."
    [email me at huge {at} huge (dot) org <dot> uk]
     
    Huge, Mar 15, 2008
    #10
  11. Dave Guest

    Pete wrote:
    > On 2008-03-12, <> wrote:
    >> I'm surprised at that since there's a market for laptops with encrypted
    >> disks...

    >
    > Unfortunately, there's no market for laptops running Solaris.


    My laptop runs Solaris x86, and disk encryption was something I asked
    about a few weeks ago, as I have exactly the same issue, but in my case
    Solaris 10.
     
    Dave, Mar 16, 2008
    #11
  12. Dave Guest

    Huge wrote:
    > On 2008-03-14, Pete <> wrote:
    >> On 2008-03-12, <> wrote:
    >>> I'm surprised at that since there's a market for laptops with encrypted
    >>> disks...

    >> Unfortunately, there's no market for laptops running Solaris.

    >
    > Well, there is, but it's rather small. [FX: waves]
    >
    > Not statistically significant, but in 15 years commuting into the City of London
    > and OS spotting on the train, I've only ever seen 2 people not running Windows


    So I assume you are not on the Southminster to Liverpool St line, as I
    know of a few that run other operating systems.
     
    Dave, Mar 16, 2008
    #12
  13. Guest

    Dave <> wrote:
    > Pete wrote:
    >> On 2008-03-12, <> wrote:
    >>> I'm surprised at that since there's a market for laptops with encrypted
    >>> disks...

    >>
    >> Unfortunately, there's no market for laptops running Solaris.

    >
    > My laptop runs Solaris x86, and disk encryption was something I asked
    > about a few weeks ago, as I have exactly the same issue, but in my case
    > Solaris 10.


    An immediate solution would be to use a laptop that has a "hardware"
    encrypted disk such as described here
    http://otoh.org/xwiki/bin/view/Paul/SolarisOnT61

    --
    Robert A Heinlein: Theology is never any help; it is searching in a dark
    cellar at midnight for a black cat that isn't there.
     
    , Mar 16, 2008
    #13
  14. Huge Guest

    On 2008-03-16, Dave <> wrote:
    > Huge wrote:
    >> On 2008-03-14, Pete <> wrote:
    >>> On 2008-03-12, <> wrote:
    >>>> I'm surprised at that since there's a market for laptops with encrypted
    >>>> disks...
    >>> Unfortunately, there's no market for laptops running Solaris.

    >>
    >> Well, there is, but it's rather small. [FX: waves]
    >>
    >> Not statistically significant, but in 15 years commuting into the City of London
    >> and OS spotting on the train, I've only ever seen 2 people not running Windows

    >
    > So I assume you are not on the Southminster to Liverpool St line,


    Thameslink from Bedford to Moorgate.


    --
    "Be thankful that you have a life, and forsake your vain
    and presumptuous desire for a second one."
    [email me at huge {at} huge (dot) org <dot> uk]
     
    Huge, Mar 17, 2008
    #14
  15. Guest

    On Mar 16, 2:49 pm, wrote:
    > Dave <> wrote:
    > > Pete wrote:
    > >> On 2008-03-12, <> wrote:
    > >>> I'm surprised at that since there's a market for laptops with encrypted
    > >>> disks...

    >
    > >> Unfortunately, there's no market for laptops running Solaris.

    >
    > > My laptop runs Solaris x86, and disk encryption was something I asked
    > > about a few weeks ago, as I have exactly the same issue, but in my case
    > > Solaris 10.

    >
    > An immediate solution would be to use a laptop that has a "hardware"
    > encrypted disk such as described here
    >        http://otoh.org/xwiki/bin/view/Paul/SolarisOnT61
    >
    > --
    > Robert A Heinlein: Theology is never any help; it is searching in a dark
    >                    cellar at midnight for a black cat that isn't there.


    Yes. Which sounds similar to a flagstone disk.
     
    , Mar 17, 2008
    #15
  16. Guest

    > I would guess that it's policy rather than a technical reason.
    >
    > The large number of laptop thefts and losses, along with lots of
    > sensitive data in some cases, means that many organisations now mandate
    > whole-disk encryption of any laptop that may be carrying sensitive
    > material, the view amongst the security community being that file-system
    > level encryption is insufficient protection. Bertie might get an
    > exception for a jumpstart server to do a vanilla system build, but if
    > there's any sensitive data included in the build then he's not going to
    > be able to get around the requirement.
    >
    > So there's clearly a market for whole-disk encryption on laptops, but
    > whether there is a market for Solaris on laptops which is big enough to
    > justify the effort of a whole-disk encryption product, is another
    > question altogether.
    >


    Well, yes, since the jumpstart laptop is used to rebuild a live system
    then it would possibly contain restricted information.

    And, yes, you are quite right. I can't go into details of its use, but
    suffice to say that the servers being rebuilt or built using these
    jumpstart laptops need to be secured in this way.
     
    , Mar 17, 2008
    #16
  17. Dave Guest

    wrote:

    >> My laptop runs Solaris x86, and disk encryption was something I asked
    >> about a few weeks ago, as I have exactly the same issue, but in my case
    >> Solaris 10.

    >
    > An immediate solution would be to use a laptop that has a "hardware"
    > encrypted disk such as described here
    > http://otoh.org/xwiki/bin/view/Paul/SolarisOnT61


    That link tells me very little, only that he has a hardware encrypted
    disk with a TPM. Nothing about the type of disk etc.

    I have a Trusted Platform Module (TPM) fingerprint reader on my laptop
    (Sony Vaio VGN-SZ4XWN/C), but as far as I know, there is no way to use
    that on Solaris. Hence I am not using the fingerprint reader.

    The laptop runs Vista ultimate and that with the TPM device supports
    hard disk encryption. But whilst I "upgraded" from Vista Business
    (supplied on laptop, but not supporting disk encryption with TPM) to
    Vista ultimate (which does), I never actually set this up. I tend to not
    trust much from M$, which is why I never bothered.

    As far as I know, Vista Ultimate allows part of the disk to be
    unencrypted (which one boots from), but the rest, including the swap
    file are encrypted.
     
    Dave, Mar 24, 2008
    #17