Encryption Keys and Host Data

Kernel zone host data is encrypted and authenticated with AES-128 in CCM mode (AES-128-CCM), using the same encryption key that protects the kernel zone suspend image. If a zone's encryption key is not accessible, neither the host data nor any suspend image can be read, and any attempt to ready or boot the zone puts the zone in the unavailable state. If the zone's encryption key cannot be recovered, generate a new encryption key and new host data by running the following command. Note that this discards the old key, so a suspend image that was encrypted with it cannot be recovered afterwards:

$ pfbash zoneadm -z kernel-zone attach -x initialize-hostdata

To boot, a kernel zone must have the correct keysource defined. A migration with zoneadm migrate copies the keysource data from the source host along with the zone configuration, provided that no configuration for the zone is already defined on the target host.

If you want to create the zone configuration and keysource on the target host before migration, use the zonecfg export command on the source host to write the configuration, including its keys, to a file, and then create the configuration on the target host from that file. Because the exported file carries the keysource, treat it as key material: restrict its permissions on the shared path and remove it once the target configuration has been created. For example, to create the configuration for a zone that you will migrate from global1 to global2, export the configuration on global1 to a file on a network path and create the configuration on global2 from that file:

global1$ zonecfg -z kzone1 export -f /net/example/path/kzone1.cfg
global2$ zonecfg -z kzone1 -f /net/example/path/kzone1.cfg

If the keys in an existing configuration on the target host do not match the zone, attaching or booting the zone fails with the following message:

zone 'kzone1': error: Encryption key is incorrect.  See solaris-kz(7) for configuration migration
zone 'kzone1': procedure or update /etc/zones/keys/kzone1.

Keys can be out of date, for example, if the zone was reinstalled or if the zone was attached with -x initialize-hostdata, which reinitializes the keys; in either case a configuration exported before that point no longer carries the current keysource.

You can fix the problem either by deleting the stale zone configuration on the target host and repeating the export and import so that the current keys are copied, or by deleting it and migrating the zone to the target host without creating the configuration first, so that zoneadm migrate copies the keysource itself.
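The following POSIX shell helper is an added example and is not part of the Oracle Solaris documentation or tooling. It wraps the export, import and attach steps above for both the pre-created-configuration path and the initialize-hostdata fallback: the exported file is restricted to its owner and removed after import because it carries the keysource, and the output of zoneadm attach is classified so that the "Encryption key is incorrect" message from this page is reported together with the documented remedies rather than silently leaving the zone unavailable. The function names, the exit codes and the export/import/attach command-line wrapper are this example's own conventions; the zonecfg and zoneadm invocations are the ones shown on this page plus zonecfg delete -F for removing a stale configuration.

```shell
#!/bin/sh
# Added example, not part of the Oracle Solaris documentation: a small helper
# for the export / import / attach steps described above. It treats the
# exported configuration as key material (it carries the keysource), and it
# classifies zoneadm attach output so that the "Encryption key is incorrect"
# case is reported with the documented remedies instead of just failing.
# Function names, exit codes and the command-line wrapper are this example's own.

# Exit codes used by classify_attach_output / attach_zone:
#   0 = attach succeeded, 1 = some other error, 2 = encryption key mismatch
ATTACH_OK=0
ATTACH_ERR=1
ATTACH_KEY_MISMATCH=2

# Export a zone's configuration, including its keysource, to a file that only
# the owner can read. chmod 600 is explicit in case the tool ignores the umask.
export_zone_config() {
    zone=$1; out=$2
    ( umask 077 && zonecfg -z "$zone" export -f "$out" ) && chmod 600 "$out"
}

# Create the zone configuration (and keys) on the target host from that file,
# then remove the file so the key material does not linger on a shared path.
import_zone_config() {
    zone=$1; cfg=$2
    zonecfg -z "$zone" -f "$cfg" && rm -f "$cfg"
}

# Read zoneadm attach output on stdin and return one of the codes above.
# The key-mismatch text matched here is the message shown on this page.
classify_attach_output() {
    _rc=$ATTACH_OK
    while IFS= read -r line; do
        case $line in
            *"Encryption key is incorrect"*) return $ATTACH_KEY_MISMATCH ;;
            *"error:"*) _rc=$ATTACH_ERR ;;
        esac
    done
    return $_rc
}

# The remedies the documentation gives for stale keys, in order of preference.
key_mismatch_advice() {
    zone=$1
    cat >&2 <<EOF
zone '$zone': the keys in the target configuration do not match the zone.
  1. zonecfg -z $zone delete -F   then re-export on the source host and import
     again, so the current keysource is copied; or
  2. delete the target configuration and let 'zoneadm migrate' copy the keys.
  Last resort only (old key is discarded, any suspend image becomes unreadable):
     zoneadm -z $zone attach -x initialize-hostdata
EOF
}

# Attach a zone on this host and map the outcome to an exit code.
attach_zone() {
    zone=$1
    out=$(zoneadm -z "$zone" attach 2>&1)
    printf '%s\n' "$out" | classify_attach_output
    rc=$?
    case $rc in
        "$ATTACH_OK") ;;
        "$ATTACH_KEY_MISMATCH") key_mismatch_advice "$zone" ;;
        *) printf '%s\n' "$out" >&2 ;;
    esac
    return $rc
}

# Usage on real hosts (the script does nothing when run without arguments):
#   ./kz-keys.sh export kzone1 /net/example/path/kzone1.cfg   (on global1)
#   ./kz-keys.sh import kzone1 /net/example/path/kzone1.cfg   (on global2)
#   ./kz-keys.sh attach kzone1                                 (on global2)
case ${1:-} in
    export) export_zone_config "$2" "$3" ;;
    import) import_zone_config "$2" "$3" ;;
    attach) attach_zone "$2" ;;
esac
```

The classifier is kept separate from the command that produces the output so it can be exercised with captured text; on a host without zoneadm only classify_attach_output and key_mismatch_advice can run, and attach_zone is what you would call on global2 after the import step.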