1. Managing ZFS File Systems in Oracle Solaris 11.4
  2. Managing Oracle Solaris ZFS File Systems
  3. Encrypting ZFS File Systems
  4. Examples of Encrypting ZFS File Systems

Examples of Encrypting ZFS File Systems

Example 7-7 Encrypting a ZFS File System by Using a Raw Key

In the following example, an aes-256-ccm encryption key is generated by using the pktool command and is written to a file, /kaydo.file. 

$ pktool genkey keystore=file outkey=/kaydokey.file keytype=aes keylen=256

Then, the /kaydokey.file is specified when the tank/home/kaydo file system is created. 

$ zfs create -o encryption=aes-256-ccm -o keysource=raw,file:///kaydokey.file \
tank/home/kaydo

Example 7-8 Encrypting a ZFS File System With a Different Encryption Algorithm

You can create a ZFS storage pool and have all the file systems in the storage pool inherit an encryption algorithm. In this example, the users pool is created and the users/home file system is created and encrypted by using a passphrase. The default encryption algorithm is aes-128-ccm.

Then, the users/home/mork file system is created and encrypted by using the aes-256-ccm encryption algorithm. 

$ zpool create -O encryption=on users mirror c0t1d0 c1t1d0 mirror c2t1d0 c3t1d0
Enter passphrase for 'users': xxxxxxxx
Enter again: xxxxxxxx
$ zfs create users/home
$ zfs get encryption users/home
NAME        PROPERTY    VALUE        SOURCE
users/home  encryption  on           inherited from users
$ zfs create -o encryption=aes-256-ccm users/home/mork
$ zfs get encryption users/home/mork
NAME               PROPERTY    VALUE        SOURCE
users/home/mork    encryption  aes-256-ccm  local

Example 7-9 Cloning an Encrypted ZFS File System

If the clone file system inherits the keysource property from the same file system as its origin snapshot, then a new keysource is not necessary, and you are not prompted for a new passphrase if keysource=passphrase,prompt. The same keysource is used for the clone. For example:

By default, you are not prompted for a key when cloning a descendent of an encrypted file system.

$ zfs create -o encryption=on tank/ws
Enter passphrase for 'tank/ws': xxxxxxxx
Enter again: xxxxxxxx
$ zfs create tank/ws/fs1
$ zfs snapshot tank/ws/fs1@snap1
$ zfs clone tank/ws/fs1@snap1 tank/ws/fs1clone

If you want to create a new key for the clone file system, use the zfs clone -K command.

If you clone an encrypted file system rather than a descendent encrypted file system, you are prompted to provide a new key. For example:

$ zfs create -o encryption=on tank/ws
Enter passphrase for 'tank/ws': xxxxxxxx
Enter again: xxxxxxxx
$ zfs snapshot tank/ws@1
$ zfs clone tank/ws@1 tank/ws1clone
Enter passphrase for 'tank/ws1clone': xxxxxxxx
Enter again: xxxxxxxx

Example 7-10 Sending and Receiving an Encrypted ZFS File System

In the following example, the tank/home/megr@snap1 snapshot is created from the encrypted /tank/home/megr file system. Then, the snapshot is sent to bpool/snaps, with the encryption property enabled so the resulting received data is encrypted. However, the tank/home/megr@snap1 stream is not encrypted during the send process. 

$ zfs get encryption tank/home/megr
NAME              PROPERTY    VALUE        SOURCE
tank/home/megr  encryption  on           local
$ zfs snapshot tank/home/megr@snap1
$ zfs get encryption bpool/snaps
NAME         PROPERTY    VALUE        SOURCE
bpool/snaps  encryption  on           inherited from bpool
$ zfs send tank/home/megr@snap1 | zfs receive bpool/snaps/megr
$ zfs get encryption bpool/snaps/megr
NAME                    PROPERTY    VALUE        SOURCE
bpool/snaps/megr        encryption  on           inherited from bpool

In this case, a new key is automatically generated for the received encrypted file system.