E Using OKM with Solaris ZFS Encryption

You can use OKM with Oracle Solaris 11 ZFS to manage encryption and decryption of files in ZFS storage pools. This allows you to manage encryption keys for ZFS storage pools using the same encryption technology used in Oracle StorageTek tape drives.

This section assumes familiarity with Solaris 11 and Oracle Solaris ZFS.

  • Refer to the Oracle Solaris 11 publications for more information about Oracle Solaris 11.

  • Refer to the publication Oracle Solaris Administration: ZFS File Systems for more information about Oracle Solaris ZFS.

Using pkcs11_kms with ZFS

ZFS can be configured to use the OKM PKCS#11 provider, pkcs11_kms, to retrieve encryption keys from an OKM cluster. This requires a configured OKM cluster and a Solaris 11 system with established connectivity to KMAs in this OKM cluster.

Once a Solaris 11 administrator installs and configures pkcs11_kms, the administrator can request that pkcs11_kms create a key, and then direct ZFS to use it.

pkcs11_kms is introduced in Appendix B. For more information, see the following:

Planning Considerations When Using ZFS

See the following sections for considerations that may apply as you plan for this integration:

Integrating OKM and ZFS

The following tasks are required to integrate OKM with ZFS:

Note:

Much of the information for these tasks also applies in OKM configurations using Transparent Data Encryption (TDE). Where appropriate, the following sections include references to additional information described in Appendix B.

Configure the OKM Cluster for ZFS

  1. Ensure that all KMAs in the OKM cluster are running OKM 2.4.1 or later and that the OKM cluster uses Replication Schema version 13.

    Supported OKM management platforms for the GUI and CLI are documented in the OKM product release notes, which include specific considerations for Oracle Solaris and Microsoft Windows platforms.

  2. Create a key policy and key group, configure an agent, and associate that agent with the key group as its default key group. For more information, see "Configure the OKM Cluster for TDE".

    Note:

    The agent should be configured to disable the One Time Passphrase property. See "Create an Agent" or "Modify an Agent".

Install pkcs11_kms on Solaris 11

To install Oracle's PKCS#11 provider, pkcs11_kms, on the Solaris 11 system, perform the steps described in "Install pkcs11_kms".

Configure pkcs11_kms on Solaris 11

To configure pkcs11_kms on the Solaris 11 system, perform Steps 2 and 3, as described in "Configure pkcs11_kms".

Note:

Disregard references to Oracle RAC, as they do not apply in an OKM/ZFS integration.

Configure ZFS to Use pkcs11_kms

Once the pkcs11_kms provider is installed and configured, perform the following steps to generate a key in the pkcs11_kms provider and configure ZFS to use this key when encrypting files in file systems contained in a particular ZFS pool.

  1. Use the Solaris pktool genkey command to create an AES 256-bit key.

    At the "Enter PIN for KMS" prompts, enter the passphrase of the agent that was provided to the kmscfg utility when you configured pkcs11_kms.

    For example:

    # pktool list token=KMS objtype=key 
    Enter PIN for KMS: 
    # pktool genkey keystore=pkcs11 token=KMS keytype=aes keylen=256 label=zfscrypto_key_256 
    Enter PIN for KMS: 
    # pktool list token=KMS objtype=key label=zfscrypto_key_256 
    Enter PIN for KMS: 
    
  2. Use the zfs create command to configure ZFS to use this key.

    In the "keysource" argument of the zfs create command, specify the label of the key that you generated in Step 1.

    At the "Enter 'KMS' PKCS#11 token PIN" prompts, enter the passphrase of the agent.

    For example:

    # zfs create -o encryption=aes-256-ccm -o keysource="raw,pkcs11:token=KMS;object=zfscrypto_key_256" cpool_nd/cfs 
    Enter 'KMS' PKCS#11 token PIN for 'cpool_nd/cfs': 
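As an added check that is not part of this Oracle manual: the script below audits the tab-separated output of zfs get -H -o name,property,value encryption,keysource for a pool and flags any dataset that is unencrypted or whose keysource does not reference a key object in the KMS PKCS#11 token, so that a dataset created with a local passphrase or without encryption stands out. The sample output is constructed; apart from cpool_nd/cfs, the dataset names are assumptions.

```shell
#!/bin/sh
# Added example: audit which ZFS datasets actually use the OKM-managed key.
# Input is the tab-separated output of
#   zfs get -H -o name,property,value encryption,keysource <pool>
# Datasets with encryption=off, or with a keysource that is not a key object
# in the KMS PKCS#11 token, are reported as WARN.

# Constructed sample output (not captured from a real system). Only
# cpool_nd/cfs matches the procedure above; the other datasets are assumed.
sample_zfs_get=$(printf '%s\t%s\t%s\n' \
    cpool_nd       encryption off \
    cpool_nd       keysource  none \
    cpool_nd/cfs   encryption aes-256-ccm \
    cpool_nd/cfs   keysource  'raw,pkcs11:token=KMS;object=zfscrypto_key_256' \
    cpool_nd/local encryption aes-128-ccm \
    cpool_nd/local keysource  passphrase,prompt)

# audit_keysource <zfs-get-output> [token-name]
# Prints "<dataset> OK ..." or "<dataset> WARN <reason>" per dataset.
# Exit status is 1 when any dataset is flagged, 0 when all use the token.
audit_keysource() {
    _out=$1
    _token=${2:-KMS}
    printf '%s\n' "$_out" | awk -F'\t' -v token="$_token" '
        $2 == "encryption" { enc[$1] = $3; order[++n] = $1 }
        $2 == "keysource"  { src[$1] = $3 }
        END {
            rc = 0
            for (i = 1; i <= n; i++) {
                d = order[i]
                if (enc[d] == "off") {
                    print d " WARN encryption=off"; rc = 1; continue
                }
                if (src[d] !~ ("^raw,pkcs11:token=" token ";object=")) {
                    print d " WARN keysource not in token " token ": " src[d]
                    rc = 1; continue
                }
                print d " OK " enc[d] " " src[d]
            }
            exit rc
        }'
}

# Stand-alone run over the constructed sample (non-zero status is expected).
audit_keysource "$sample_zfs_get" || echo "audit exit status: $?"
```

On a live system, replace the constructed sample with the real command output, for example audit_keysource "$(zfs get -H -o name,property,value encryption,keysource -r cpool_nd)".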
    

Troubleshooting When Using pkcs11_kms

See "Troubleshooting When Using pkcs11_kms" for troubleshooting information.