In previous Oracle Solaris releases and in this release, the Cryptographic Framework feature provides the encrypt, decrypt, and mac commands to encrypt files.
Oracle Solaris 10 does not support ZFS encryption. However, Oracle Solaris 11 supports the following ZFS encryption features:
ZFS encryption is integrated with the ZFS command set. Like other ZFS operations, key change and rekey operations are performed online.
You can use your existing storage pools as long as they are upgraded. You have the flexibility of encrypting specific file systems.
ZFS encryption is inheritable to descendent file systems. Key management can be delegated through ZFS delegated administration.
Data is encrypted by using AES (Advanced Encryption Standard) with key lengths of 128,192, and 256 in the CCM and GCM operation modes.
ZFS encryption uses the Cryptographic Framework feature, which gives it access to any available hardware acceleration or optimized software implementations of the encryption algorithms automatically.
The following example shows how to create an encrypted ZFS file system. The default encryption policy is to prompt for a passphrase, which must be a minimum of 8 characters in length.
# zfs create -o encryption=on tank/data Enter passphrase for 'tank/data': xxxxxxxx Enter again: xxxxxxxx
The default encryption algorithm is aes-128-ccm when a file system's encryption value is on.
After an encrypted file system is created, it cannot be unencrypted. For example:
# zfs set encryption=off tank/data cannot set property for 'tank/data': 'encryption' is readonly
See Encrypting ZFS File Systems in Managing ZFS File Systems in Oracle Solaris 11.2 .