Quote Originally Posted by jmo
Flancer,

I wonder what you are trying to achieve? I am not aware of any "iSCSI way" of transferring the encryption key from the initiator to the target, so you'd have to store the secret on the target and make it automatically available to the target software. In that case, any client can still access the share once properly set up, even if the DSS is stolen. So IMO you gain no security by encrypting under sole control of the target.

If you want to make sure that only a specific initiator (which possesses the proper secret) can access the data, you'll either have to create strong access control (i.e. the IPSec access mentioned above) or encrypt the file system on the block device (which means encryption on the initiator side). Unless, of course, there is an iSCSI mechanism for transferring the secret from initiator to target, which I haven't seen so far.

Regards,
Jens

Thanks for the answer. I understand your position, but cannot agree. Encryption software is widely used on DAS storage, and I cannot understand why it is impossible in an iSCSI target.
The key feature is that iSCSI is a block device technology, so a volume can be encrypted on the target side at the block level. I think it is not so difficult to implement one more logical layer in the Linux file system for encryption. I see no difference whether I type a password for mounting an encrypted volume on local storage or on an iSCSI target.

Thanks again for discussion.