In the following example, an aes-256-ccm encryption key is generated by using the pktool command and is written to a file, /cindykey.file.
# pktool genkey keystore=file outkey=/cindykey.file keytype=aes keylen=256
Then, the /cindykey.file is specified when the tank/home/cindy file system is created.
# zfs create -o encryption=aes-256-ccm -o keysource=raw,file:///cindykey.file tank/home/cindyExample 5-2 Encrypting a ZFS File System With a Different Encryption Algorithm
You can create a ZFS storage pool and have all the file systems in the storage pool inherit an encryption algorithm. In this example, the users pool is created and the users/home file system is created and encrypted by using a passphrase. The default encryption algorithm is aes-128-ccm.
Then, the users/home/mark file system is created and encrypted by using the aes-256-ccm encryption algorithm.
# zpool create -O encryption=on users mirror c0t1d0 c1t1d0 mirror c2t1d0 c3t1d0 Enter passphrase for 'users': xxxxxxxx Enter again: xxxxxxxx # zfs create users/home # zfs get encryption users/home NAME PROPERTY VALUE SOURCE users/home encryption on inherited from users # zfs create -o encryption=aes-256-ccm users/home/mark # zfs get encryption users/home/mark NAME PROPERTY VALUE SOURCE users/home/mark encryption aes-256-ccm localExample 5-3 Cloning an Encrypted ZFS File System
If the clone file system inherits the keysource property from the same file system as its origin snapshot, then a new keysource is not necessary, and you are not prompted for a new passphrase if keysource=passphrase,prompt. The same keysource is used for the clone. For example:
By default, you are not prompted for a key when cloning a descendent of an encrypted file system.
# zfs create -o encryption=on tank/ws Enter passphrase for 'tank/ws': xxxxxxxx Enter again: xxxxxxxx # zfs create tank/ws/fs1 # zfs snapshot tank/ws/fs1@snap1 # zfs clone tank/ws/fs1@snap1 tank/ws/fs1clone
If you want to create a new key for the clone file system, use the zfs clone –K command.
If you clone an encrypted file system rather than a descendent encrypted file system, you are prompted to provide a new key. For example:
# zfs create -o encryption=on tank/ws Enter passphrase for 'tank/ws': xxxxxxxx Enter again: xxxxxxxx # zfs snapshot tank/ws@1 # zfs clone tank/ws@1 tank/ws1clone Enter passphrase for 'tank/ws1clone': xxxxxxxx Enter again: xxxxxxxxExample 5-4 Sending and Receiving an Encrypted ZFS File System
In the following example, the tank/home/darren@snap1 snapshot is created from the encrypted /tank/home/darren file system. Then, the snapshot is sent to bpool/snaps, with the encryption property enabled so the resulting received data is encrypted. However, the tank/home/darren@snap1 stream is not encrypted during the send process.
# zfs get encryption tank/home/darren NAME PROPERTY VALUE SOURCE tank/home/darren encryption on local # zfs snapshot tank/home/darren@snap1 # zfs get encryption bpool/snaps NAME PROPERTY VALUE SOURCE bpool/snaps encryption on inherited from bpool # zfs send tank/home/darren@snap1 | zfs receive bpool/snaps/darren1012 # zfs get encryption bpool/snaps/darren1012 NAME PROPERTY VALUE SOURCE bpool/snaps/darren1012 encryption on inherited from bpool
In this case, a new key is automatically generated for the received encrypted file system.