The previous task, Create Encrypted ZFS Data Sets, uses a locally defined (raw) key file that must be stored directly on a file system. Another key storage technique uses a passphrase-protected PKCS#11 keystore, the Sun Software PKCS#11 Softtoken. To use this method, perform this task.
The PKCS#11 keystore must be unlocked manually before its key is made available to ZFS. This means that manual administrative intervention is required to mount the encrypted ZFS data set (and to start the non-global zone, if the zone is also using an encrypted ZFS data set). For more information on other key storage strategies, refer to the Oracle Solaris zfs_encrypt(1M) man page.
The default PIN associated with a new PKCS#11 keystore is changeme. Enter it at the first prompt in this example, then choose a new passphrase.
# pktool setpin keystore=pkcs11
Enter token passphrase:
Create new passphrase:
Re-enter new passphrase:
The key material used by the PKCS#11 Softtoken is stored by default in the /var/user/${USERNAME}/pkcs11_softtoken directory. The ${SOFTTOKEN} environment variable can be defined to store the key material in a different location. You can use this capability to enable SuperCluster-specific storage for this passphrase-protected key material. Wherever the keystore lives, the directory should be accessible only to root: the passphrase is the only other protection on the key material, so anyone who can copy the files can attempt to guess it offline. A relocated keystore is a new keystore, so set its PIN again after exporting the variable (it again starts as changeme):
# export SOFTTOKEN=/<zfs_pool_name>/zfskeystore
# pktool setpin keystore=pkcs11
Enter token passphrase:
Create new passphrase:
Re-enter new passphrase:
Generate a 256-bit AES key in the keystore. The label is how the data set's keysource property will refer to the key:

# pktool genkey keystore=pkcs11 keytype=aes keylen=256 label=<zone_name>_rpool
Enter PIN for Sun Software PKCS#11 softtoken:

Create the encrypted data set, referencing the key by that label. ZFS prompts for the token PIN so that it can read the key from the keystore:

# zfs create -o encryption=aes-256-ccm -o keysource=raw,pkcs11:object=<zone_name>_rpool <zfs_pool_name>/<zone_name>
Enter PKCS#11 token PIN for '<zfs_pool_name>/<zone_name>':
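The following script is an added example, not part of the Oracle documentation: it gathers the steps above into one POSIX shell procedure and adds the two checks an administrator would want. Before any key is written it refuses a ${SOFTTOKEN} directory that is not a 0700 directory owned by the caller, and after zfs create it reads back the encryption and keysource properties to confirm the data set really uses the softtoken object. The keystore path /<pool>/zfskeystore and the <zone>_rpool label follow the text and are assumptions, as is pre-creating the keystore directory; pktool and zfs prompt interactively exactly as shown above. The closing reminder uses zfs key -l, the Solaris 11 zfs(1M) subcommand that loads a data set's key, which is the manual step after a reboot that the text refers to.

```shell
#!/bin/sh
# Added example (not Oracle's code): PKCS#11 softtoken keystore for a ZFS
# data set, with pre- and post-checks. Run as: ./mkzonekey.sh <pool> <zone>

# Accept only a directory that exists, is mode 0700 and is owned by the
# caller. The first ten characters of ls -ld are the mode string and the
# third field is the owner; this is portable across Solaris and Linux.
keystore_dir_is_private() {
  dir=$1
  [ -d "$dir" ] || return 1
  mode=$(ls -ld "$dir" | cut -c1-10)
  owner=$(ls -ld "$dir" | awk '{print $3}')
  [ "$mode" = "drwx------" ] && [ "$owner" = "$(id -un)" ]
}

# keysource value that makes ZFS fetch a raw key from a softtoken object.
pkcs11_keysource() {
  printf 'raw,pkcs11:object=%s\n' "$1"
}

# Full procedure: relocate the softtoken, set its PIN, generate the AES key,
# create the data set and verify its properties. Returns non-zero on any
# failure so a caller can stop before the zone is configured.
create_pkcs11_encrypted_dataset() {
  pool=$1
  zone=$2
  label="${zone}_rpool"                     # label used in the text
  export SOFTTOKEN="/${pool}/zfskeystore"   # location assumed from the text

  # Create the keystore directory privately (assumed safe to pre-create),
  # then refuse to continue if it is readable by anyone else.
  [ -d "$SOFTTOKEN" ] || mkdir -m 700 "$SOFTTOKEN" || return 1
  keystore_dir_is_private "$SOFTTOKEN" || {
    echo "refusing: $SOFTTOKEN is not a 0700 directory owned by $(id -un)" >&2
    return 1
  }

  # Replace the default PIN (changeme) before any key material exists.
  pktool setpin keystore=pkcs11 || return 1
  pktool genkey keystore=pkcs11 keytype=aes keylen=256 label="$label" || return 1

  # zfs prompts for the token PIN here.
  zfs create -o encryption=aes-256-ccm \
             -o keysource="$(pkcs11_keysource "$label")" \
             "${pool}/${zone}" || return 1

  # Read the properties back: a typo in keysource would silently give a
  # data set protected by something other than the softtoken key.
  want="aes-256-ccm $(pkcs11_keysource "$label")"
  got=$(zfs get -H -o value encryption,keysource "${pool}/${zone}" | tr '\n' ' ')
  [ "${got% }" = "$want" ] || {
    echo "unexpected properties on ${pool}/${zone}: $got" >&2
    return 1
  }
  echo "created ${pool}/${zone}; after a reboot load its key with:" \
       "zfs key -l ${pool}/${zone}, then mount it and boot the zone"
}

if [ $# -eq 2 ]; then
  create_pkcs11_encrypted_dataset "$1" "$2"
fi
```

The checks are deliberately cheap: the permission test runs before pktool touches the keystore, and the property read-back costs one zfs get. Anything stricter (for example, confirming the key object exists with pktool list keystore=pkcs11 before zfs create) can be added in the same place.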