Originally Posted by jmo
Flancer,
I wonder what you are trying to achieve? I am not aware of any "iSCSI way" of transferring the encryption key from the initiator to the target, so you'd have to store the secret on the target and make it automatically available to the target software. In that case, any client can still access the share once properly set up, and even if the DSS is stolen. So IMO you gain no security by encrypting under sole control of the target.
If you want to make sure that only a specific initiator (which possesses the proper secret) can access the data, you'll have to either create strong access control (i.e. the IPSec access mentioned above) or encrypt the file system on the block device (which means encryption on the initiator side). Unless, of course, there is an iSCSI mechanism for transferring the secret from initiator to target, which I haven't seen so far.
Regards,
Jens