Sending and Receiving Encrypted ZFS Data

By default, the zfs send command transfers encrypted data blocks by first decrypting the data on the source and then re-encrypting the data on the target. Note that the data blocks are re-encrypted only if encryption is enabled for the target.

The Oracle Solaris 11.4 SRU 57 release provides a way to avoid the decryption and re-encryption steps by using the zfs send -w crypto command. This command transfers encrypted data blocks in rawcrypto mode, which sends encrypted data blocks as-is from the source to the target.

Using the -w crypto option implicitly specifies the -p option. The -w crypto option is mutually exclusive with the -D option.

When you do not specify the -w option, the default value is -w compress. The default value for NDMP is -w none.

The rawcrypto mode also provides additional security by ensuring that the destruction of a single key on an external key management server (OKM or KMIP) is sufficient to make the encrypted data inaccessible.

A target can receive a rawcrypto stream successfully only if the keysource property value is identical on both the source and target systems. For example, if you use the file:/// method to specify the location, ensure that the file contents and its location are the same on the source and target systems.

Only a target that uses at least ZFS Pool Version 50 (Raw Crypto Replication) can receive a send stream that you create by using the zfs send -w crypto command.

When a target receives a snapshot by using rawcrypto mode, subsequent updates to the same target dataset that contains that snapshot must also use rawcrypto mode. Conversely, when the target does not use rawcrypto mode to receive a snapshot, subsequent updates to the same target dataset that contains that snapshot must not use rawcrypto mode either.

Note:

If you specify the -w crypto option to send an unencrypted snapshot, the zfs send command does not use rawcrypto mode.

The following example shows how to transfer the tank/encrypted-fs@snap1 snapshot to the dst/fs1 dataset on the target1 system in rawcrypto mode:

# zfs send -w crypto tank/encrypted-fs@snap1 | ssh target1 zfs recv -f dst/fs1

The following example commands show that the zfs send -w crypto command can send a snapshot that has more than one encryption key:

# zfs key -K tank/encrypted-fs
# zfs snapshot tank/encrypted-fs@snap2
# zfs send -w crypto tank/encrypted-fs@snap2 | ssh target2 zfs recv -f dst/fs2
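A pre-flight wrapper that checks the keysource and pool-version conditions stated above before running the send shown in these examples. This is an added example, not part of the Oracle documentation; it assumes that zfs get -H -o value, zpool get -H -o value and the Solaris digest(1) utility are available on both hosts, that the keysource value has the form format,location, and that the target is reachable over ssh as in the examples.

```shell
#!/bin/sh
# Pre-flight check before a rawcrypto replication (zfs send -w crypto). Added
# example, not from the Oracle documentation: assumes 'zfs get -H -o value',
# 'zpool get -H -o value' and digest(1) exist on both hosts, plus ssh to the target.

MIN_POOL_VERSION=50   # ZFS Pool Version 50, Raw Crypto Replication

# Pure check on values already gathered from both hosts. Returns 0 when the
# target can receive the stream; otherwise reports the blocking condition on
# stderr and returns 1.
rawcrypto_check() {
    src_keysource=$1     # keysource on the source dataset, e.g. raw,file:///path
    dst_keysource=$2     # keysource the target dataset (or its parent) uses
    src_keydigest=$3     # digest of the key file on the source ("" if not file:///)
    dst_keydigest=$4     # digest of the same path on the target ("" if missing)
    dst_pool_version=$5  # version of the target pool
    [ "$src_keysource" = "$dst_keysource" ] ||
        { echo "keysource differs: '$src_keysource' vs '$dst_keysource'" >&2; return 1; }
    # For a file:/// location the file contents must match too, not only the path.
    case $src_keysource in *,file:///*)
        [ -n "$dst_keydigest" ] && [ "$src_keydigest" = "$dst_keydigest" ] ||
            { echo "key file missing or different on target" >&2; return 1; } ;;
    esac
    case $dst_pool_version in ''|*[!0-9]*)
        echo "target pool version '$dst_pool_version' is not numeric" >&2; return 1 ;;
    esac
    [ "$dst_pool_version" -ge "$MIN_POOL_VERSION" ] ||
        { echo "target pool version $dst_pool_version is below $MIN_POOL_VERSION" >&2; return 1; }
    return 0
}

# Gathers the values from both hosts and runs the send only when the check passes.
# Usage: rawcrypto_send tank/encrypted-fs@snap1 target1 dst/fs1
rawcrypto_send() {
    snap=$1; host=$2; dst=$3
    src_ds=${snap%@*}; dst_pool=${dst%%/*}
    src_ks=$(zfs get -H -o value keysource "$src_ds")
    # On a first receive the target dataset does not exist yet: fall back to its parent.
    dst_ks=$(ssh "$host" "zfs get -H -o value keysource $dst 2>/dev/null ||
                          zfs get -H -o value keysource ${dst%/*}")
    keyfile=${src_ks#*file://}; src_dg=''; dst_dg=''   # keyfile == src_ks when not file:///
    if [ "$keyfile" != "$src_ks" ]; then
        src_dg=$(digest -a sha256 "$keyfile")
        dst_dg=$(ssh "$host" digest -a sha256 "$keyfile" 2>/dev/null)
    fi
    dst_ver=$(ssh "$host" zpool get -H -o value version "$dst_pool")
    rawcrypto_check "$src_ks" "$dst_ks" "$src_dg" "$dst_dg" "$dst_ver" || return 1
    zfs send -w crypto "$snap" | ssh "$host" zfs recv -f "$dst"
}
```

rawcrypto_check can be exercised on its own with constructed values, which is useful when testing the replication job without access to the hosts.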