Transitioning From Oracle® Solaris 10 to Oracle Solaris 11.2

Updated: December 2014

Encrypting ZFS File Systems

In previous Oracle Solaris releases and in this release, the Cryptographic Framework feature provides the encrypt, decrypt, and mac commands to encrypt files.

Oracle Solaris 10 does not support ZFS encryption. However, Oracle Solaris 11 supports the following ZFS encryption features:

  • ZFS encryption is integrated with the ZFS command set. Like other ZFS operations, key change and rekey operations are performed online.

  • You can use your existing storage pools as long as they are upgraded. You have the flexibility of encrypting specific file systems.

  • ZFS encryption is inheritable to descendent file systems. Key management can be delegated through ZFS delegated administration.

  • Data is encrypted by using AES (Advanced Encryption Standard) with key lengths of 128, 192, and 256 in the CCM and GCM operation modes.

  • ZFS encryption uses the Cryptographic Framework feature, which gives it access to any available hardware acceleration or optimized software implementations of the encryption algorithms automatically.


Note - Currently, you cannot encrypt a ZFS root file system or other OS components, such as the /var directory, even if it is a separate file system.

Example 9-4  Creating an Encrypted ZFS File System

The following example shows how to create an encrypted ZFS file system. The default encryption policy is to prompt for a passphrase, which must be a minimum of 8 characters in length.

# zfs create -o encryption=on tank/data
Enter passphrase for 'tank/data': xxxxxxxx
Enter again: xxxxxxxx

The default encryption algorithm is aes-128-ccm when a file system's encryption value is on.

After an encrypted file system is created, it cannot be unencrypted. For example:

# zfs set encryption=off tank/data
cannot set property for 'tank/data': 'encryption' is readonly
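Because the encryption property is inherited by descendants and cannot be turned off once set, a quick way to see where encryption actually applies is to audit the output of zfs get. The following script is an added example, not part of the Oracle documentation: it parses constructed sample output of `zfs get -H -o name,property,value,source encryption` (the dataset names and values are made up), skips the root pool the page says cannot be encrypted, and reports which datasets are unencrypted, which algorithm protects the others, and whether that setting is local or inherited.

```python
"""Audit ZFS dataset encryption from `zfs get` output (added example)."""

# Algorithms the page lists: AES with 128/192/256-bit keys in CCM or GCM mode.
SUPPORTED = {f"aes-{n}-{m}" for n in (128, 192, 256) for m in ("ccm", "gcm")}
DEFAULT_ALGORITHM = "aes-128-ccm"  # what encryption=on selects, per the page

# Constructed sample output of:
#   zfs get -H -o name,property,value,source encryption
# (-H prints one tab-separated record per dataset; names and values are made up)
SAMPLE = (
    "rpool\tencryption\toff\tdefault\n"
    "rpool/ROOT/solaris\tencryption\toff\tdefault\n"
    "tank\tencryption\toff\tdefault\n"
    "tank/data\tencryption\taes-128-ccm\tlocal\n"
    "tank/data/projects\tencryption\taes-128-ccm\tinherited from tank/data\n"
    "tank/scratch\tencryption\toff\tdefault\n"
    "tank/vault\tencryption\taes-256-gcm\tlocal\n"
)


def parse_zfs_get(text):
    """Map dataset name -> (value, source) for the encryption property."""
    datasets = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, prop, value, source = line.split("\t")
        if prop == "encryption":
            datasets[name] = (value, source)
    return datasets


def audit(datasets, root_pool="rpool"):
    """Split datasets into unencrypted, encrypted (algorithm, inherited?) and
    unexpected algorithm values. The root pool is skipped because the page
    notes that the ZFS root file system cannot be encrypted."""
    report = {"unencrypted": [], "encrypted": {}, "unexpected": []}
    for name, (value, source) in sorted(datasets.items()):
        if name == root_pool or name.startswith(root_pool + "/"):
            continue
        if value == "off":
            report["unencrypted"].append(name)
            continue
        algorithm = DEFAULT_ALGORITHM if value == "on" else value
        if algorithm in SUPPORTED:
            inherited = source.startswith("inherited from ")
            report["encrypted"][name] = (algorithm, inherited)
        else:
            report["unexpected"].append(name)
    return report
```

Run `audit(parse_zfs_get(SAMPLE))` to get the report; on a live system, feed it the real output of the zfs get command shown in the comment instead of SAMPLE.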

See Encrypting ZFS File Systems in Managing ZFS File Systems in Oracle Solaris 11.2.