How to Create an Encrypted ZFS Cluster File System on a New Zpool

  1. Create an encryption key.

    Use the cldevicegroup key-create command to create an encryption key and specify its name.

    phys-schost# cldevicegroup key-create -k keyname

  2. Create an encrypted zpool.

    Use the zpool command to create an encrypted zpool by specifying the encryption and keysource property values, the name of the zpool, and the name of the virtual disk device. The key name portion of the keysource property value specifies the encryption key that you created in the previous step.

    phys-schost# zpool create -O encryption=on -O keysource=hex,cluster:keyname zpoolname virtual-disk-device

  3. Place the encrypted zpool in a global cluster device group.

    Use the cldevicegroup create command to add the encrypted zpool to a global cluster device group by specifying the poolaccess=global and import-at-boot=true properties, the names of one or more cluster nodes, the zpool device type, and the name of the zpool.

    phys-schost# cldevicegroup create -p poolaccess=global -p import-at-boot=true \
    -n node1,node2 -t zpool zpoolname

  4. Bring the cluster device group online.

    Use the cldevicegroup online command to activate the specified cluster device group.

    phys-schost# cldevicegroup online zpoolname

Example 5-2 Creating an Encrypted Cluster File System on a New Zpool

This example shows how to create an encrypted cluster file system in a new zpool.

The first command creates a new encryption key called gpool-key:

phys-schost# cldevicegroup key-create -k gpool-key

The following command creates an encrypted zpool called gpool on the c1t0d1 device. The command also specifies gpool-key as the keyname value of the keysource property:

phys-schost# zpool create -O encryption=on -O keysource=hex,cluster:gpool-key gpool c1t0d1

The following command creates a device group for the gpool zpool that has the following characteristics:

  • Specifies that the zpool has global access

  • Imports the device group at boot time

  • Specifies that the node1 and node2 nodes, in that order, are available to take over as the primary node for the device group

  • Identifies the device type as zpool

phys-schost# cldevicegroup create -p poolaccess=global -p import-at-boot=true \
-n node1,node2 -t zpool gpool

The final command imports the zpool on the preferred node and then mounts the encrypted cluster file system on both the node1 and node2 nodes:

phys-schost# cldevicegroup online gpool
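After the final command, a practitioner will want to confirm on each node that the imported pool really is encrypted and that its key comes from the cluster key store (keysource=hex,cluster:gpool-key) rather than assuming the commands succeeded. The helper below is an added example, not part of the Oracle Solaris Cluster documentation; it assumes that `zfs get -H -o property,value` prints tab-separated "property value" lines and that passwordless ssh exists between the nodes.

```shell
#!/bin/sh
# Added verification helper; not part of the Oracle Solaris Cluster docs.
# Assumed: `zfs get -H -o property,value` prints "property<TAB>value" lines.

# check_zfs_props KEYNAME   (reads `zfs get` output on stdin)
# Returns 0 only if the encryption property is not off and the keysource
# property is exactly hex,cluster:KEYNAME, i.e. the cluster-managed key.
check_zfs_props() {
    keyname=$1
    enc_ok=0
    key_ok=0
    tab=$(printf '\t')
    while IFS="$tab" read -r prop value; do
        if [ "$prop" = "encryption" ] && [ "$value" != "off" ] && [ "$value" != "-" ]; then
            enc_ok=1
        fi
        if [ "$prop" = "keysource" ] && [ "$value" = "hex,cluster:$keyname" ]; then
            key_ok=1
        fi
    done
    [ "$enc_ok" -eq 1 ] && [ "$key_ok" -eq 1 ]
}

# check_pool_on_node NODE KEYNAME POOL
# Runs the real query on NODE over ssh (assumes passwordless ssh) and
# feeds the output to check_zfs_props.
check_pool_on_node() {
    ssh "$1" zfs get -H -o property,value encryption,keysource "$3" |
        check_zfs_props "$2"
}

# Values from the page's example: pool gpool, key gpool-key, nodes node1/node2.
# Uncomment on a real cluster:
# for n in node1 node2; do
#     if check_pool_on_node "$n" gpool-key gpool; then
#         echo "$n: gpool is encrypted with cluster key gpool-key"
#     else
#         echo "$n: gpool is NOT using cluster key gpool-key" >&2
#     fi
# done
```

A pool that reports encryption off, or a keysource other than hex,cluster:gpool-key, makes the check fail, which is the case to investigate before placing data on the file system.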