Organizations that require data-at-rest protection can further protect zone-deployed applications and information by using encrypted ZFS data sets. To ensure that each non-global zone can start without administrator intervention, the encrypted ZFS data sets are configured to access ZFS encryption keys that are stored locally within the individual database or application domain. Encrypted data sets are supported only with application zones on Oracle SuperCluster. Encrypted data sets with database zones require tool changes and are not supported.
A simple way to create the required key is to use commands similar to these:
# zfs create zfs_pool_name/zfskeystore
# chown root:root /zfs_pool_name/zfskeystore
# chmod 700 /zfs_pool_name/zfskeystore
# pktool genkey keystore=file keytype=aes keylen=256 \
outkey=/zfs_pool_name/zfskeystore/zone_name.key
# zfs create -o encryption=aes-256-ccm -o \
keysource=raw,file:///zfs_pool_name/zfskeystore/zone_name.key \
zfs_pool_name/zone_name
This same approach can be used to encrypt the application data sets, using either the same (SuperCluster-specific) key or a unique key per data set depending upon site-specific requirements and policies. In this example, the application data set is created using the same key created in Step 3. Note that additional ZFS configuration parameters, such as compression, can also be defined during the creation of these additional data sets.
# zfs create -o compression=on -o encryption=aes-256-ccm -o \
keysource=raw,file:///zfs_pool_name/zfskeystore/zone_name.key zfs_pool_name/app
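A pre-flight check for the values passed to zfs create above, as an added example that is not part of the original procedure: it confirms that a raw,file:// keysource points at an existing key, that the key length matches the encryption setting, and that the keystore directory grants nothing to group or other. The function name check_keysource, its variable names and its exit codes are assumptions of this example.

```sh
#!/bin/sh
# Added example: pre-flight check for a raw, file-based ZFS wrapping key.
# check_keysource ENCRYPTION KEYSOURCE
# Exit codes (chosen for this example): 0 ok, 2 unsupported value,
# 3 key file missing, 4 wrong key length, 5 keystore directory too open.
check_keysource() {
    cks_enc=$1
    cks_src=$2

    # Only the form used on this page is handled: raw,file:///absolute/path
    case $cks_src in
        raw,file:///*) cks_key=${cks_src#raw,file://} ;;
        *) echo "unsupported keysource: $cks_src" >&2; return 2 ;;
    esac

    # A raw key must be exactly as long as the cipher's key size, in bytes.
    case $cks_enc in
        aes-128-*) cks_want=16 ;;
        aes-192-*) cks_want=24 ;;
        aes-256-*) cks_want=32 ;;
        *) echo "unsupported encryption: $cks_enc" >&2; return 2 ;;
    esac

    [ -f "$cks_key" ] || { echo "key file missing: $cks_key" >&2; return 3; }

    cks_have=$(wc -c < "$cks_key" | tr -d ' ')
    [ "$cks_have" -eq "$cks_want" ] || {
        echo "key is $cks_have bytes, $cks_enc needs $cks_want" >&2; return 4; }

    # The keystore directory is set to mode 700 on this page:
    # flag any group or other permission bit on it.
    cks_dir=$(dirname "$cks_key")
    cks_open=$(find "$cks_dir" -prune \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
    [ -z "$cks_open" ] || { echo "keystore too open: $cks_dir" >&2; return 5; }
    return 0
}

# Usage with the placeholder names from this page:
# check_keysource aes-256-ccm raw,file:///zfs_pool_name/zfskeystore/zone_name.key
```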