Examples of Encrypting ZFS File Systems
Example 7-7 Encrypting a ZFS File System by Using a Raw Key
In the following example, an aes-256-ccm encryption key is generated by using the pktool command and is written to a file, /kaydokey.file.
$ pktool genkey keystore=file outkey=/kaydokey.file keytype=aes keylen=256
Then, /kaydokey.file is specified as the key source when the tank/home/kaydo file system is created.
$ zfs create -o encryption=aes-256-ccm -o keysource=raw,file:///kaydokey.file \
    tank/home/kaydo
Example 7-8 Encrypting a ZFS File System With a Different Encryption Algorithm
You can create a ZFS storage pool and have all the file systems in the storage pool inherit an encryption algorithm. In this example, the users pool is created and the users/home file system is created and encrypted by using a passphrase. The default encryption algorithm is aes-128-ccm.
Then, the users/home/mork file system is created and encrypted by using the aes-256-ccm encryption algorithm.
$ zpool create -O encryption=on users mirror c0t1d0 c1t1d0 mirror c2t1d0 c3t1d0
Enter passphrase for 'users': xxxxxxxx
Enter again: xxxxxxxx
$ zfs create users/home
$ zfs get encryption users/home
NAME        PROPERTY    VALUE  SOURCE
users/home  encryption  on     inherited from users
$ zfs create -o encryption=aes-256-ccm users/home/mork
$ zfs get encryption users/home/mork
NAME             PROPERTY    VALUE        SOURCE
users/home/mork  encryption  aes-256-ccm  local
Example 7-9 Cloning an Encrypted ZFS File System
If the clone file system inherits the keysource property from the same file system as its origin snapshot, then a new keysource is not necessary, and you are not prompted for a new passphrase if keysource=passphrase,prompt. The same keysource is used for the clone. By default, therefore, you are not prompted for a key when cloning a descendent of an encrypted file system. For example:
$ zfs create -o encryption=on tank/ws
Enter passphrase for 'tank/ws': xxxxxxxx
Enter again: xxxxxxxx
$ zfs create tank/ws/fs1
$ zfs snapshot tank/ws/fs1@snap1
$ zfs clone tank/ws/fs1@snap1 tank/ws/fs1clone
If you want to create a new key for the clone file system, use the zfs clone -K command.
If you clone an encrypted file system rather than a descendent encrypted file system, you are prompted to provide a new key. For example:
$ zfs create -o encryption=on tank/ws
Enter passphrase for 'tank/ws': xxxxxxxx
Enter again: xxxxxxxx
$ zfs snapshot tank/ws@1
$ zfs clone tank/ws@1 tank/ws1clone
Enter passphrase for 'tank/ws1clone': xxxxxxxx
Enter again: xxxxxxxx
Example 7-10 Sending and Receiving an Encrypted ZFS File System
In the following example, the tank/home/megr@snap1 snapshot is created from the encrypted /tank/home/megr file system. Then, the snapshot is sent to bpool/snaps, with the encryption property enabled so the resulting received data is encrypted. However, the tank/home/megr@snap1 stream is not encrypted during the send process.
$ zfs get encryption tank/home/megr
NAME            PROPERTY    VALUE  SOURCE
tank/home/megr  encryption  on     local
$ zfs snapshot tank/home/megr@snap1
$ zfs get encryption bpool/snaps
NAME         PROPERTY    VALUE  SOURCE
bpool/snaps  encryption  on     inherited from bpool
$ zfs send tank/home/megr@snap1 | zfs receive bpool/snaps/megr
$ zfs get encryption bpool/snaps/megr
NAME              PROPERTY    VALUE  SOURCE
bpool/snaps/megr  encryption  on     inherited from bpool
In this case, a new key is automatically generated for the received encrypted file system.
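The two things a practitioner checks after reading Examples 7-7 and 7-10 are whether every dataset in a pool is actually encrypted (and which ones load their key from a file, as tank/home/kaydo does) and whether a receive target sits under an encrypted parent, because the send stream itself is in the clear. The following script is an added example and not part of the Oracle guide; it audits captured output of zfs get -H -r (a real option set, but the sample rows, the dataset tank/scratch and the function names are constructed for illustration).

```shell
# Added example, not from the Oracle ZFS guide. Audits the rows printed by
#   zfs get -H -r -o name,property,value,source encryption,keysource <pool>
# (-H: tab-separated, no header) and gates a 'zfs receive' on the target's
# parent being encrypted, since the send stream itself is not (Example 7-10).
# Reads zfs get rows on stdin; prints one tab-separated finding per line:
# UNENCRYPTED <dataset>, or KEYFILE <dataset> <keysource> (key read from a
# file, so its location and permissions deserve review). Sorted, exit 0.
audit_encryption() {
    awk -F'\t' '
        $2 == "encryption" { enc[$1] = $3 }
        $2 == "keysource"  { ks[$1]  = $3 }
        END {
            for (ds in enc) {
                if (enc[ds] == "off")
                    printf "UNENCRYPTED\t%s\n", ds
                else if (index(ks[ds], ",file://") > 0)
                    printf "KEYFILE\t%s\t%s\n", ds, ks[ds]
            }
        }' | LC_ALL=C sort
}
# Returns 0 when there are no findings; otherwise prints them and returns 1.
check_pool() {
    findings=$(audit_encryption)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
# Succeeds only if dataset $1 appears in the input with encryption not 'off'
# (set locally or inherited); run before 'zfs send ... | zfs receive $1/name'.
receive_parent_encrypted() {
    awk -F'\t' -v p="$1" '
        $1 == p && $2 == "encryption" { found = 1; if ($3 != "off") ok = 1 }
        END { exit !(found && ok) }'
}
# Constructed sample rows: the datasets of Examples 7-7 and 7-10 plus a
# hypothetical unencrypted tank/scratch (the pool root tank is unencrypted).
sample_zfs_get() {
    printf '%s\t%s\t%s\t%s\n' \
        tank encryption off default \
        tank/home/kaydo encryption aes-256-ccm local \
        tank/home/kaydo keysource 'raw,file:///kaydokey.file' local \
        tank/home/megr encryption on local \
        tank/home/megr keysource 'passphrase,prompt' local \
        tank/scratch encryption off default \
        bpool/snaps encryption on 'inherited from bpool'
}
sample_zfs_get | check_pool || echo "review the findings above"
```

On a live system, replace sample_zfs_get with the zfs get command named in the header comment and wire receive_parent_encrypted into the script that runs the send.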