Sending and Receiving Encrypted ZFS Data
By default, the zfs send command transfers encrypted data blocks by first decrypting the data on the source and then re-encrypting the data on the target. Note that the data blocks are re-encrypted only if encryption is enabled for the target.
The Oracle Solaris 11.4 SRU 57 release provides a way to avoid the decryption and re-encryption steps by using the zfs send -w crypto command. This command transfers encrypted data blocks in rawcrypto mode, which sends encrypted data blocks as-is from the source to the target.

Using the -w crypto option implicitly specifies the -p option. The -w crypto option is mutually exclusive with the -D option.

When you do not specify the -w option, the default value is -w compress. The default value for NDMP is -w none.
The rawcrypto mode also provides additional security by ensuring that the destruction of a single key on an external key management server (OKM or KMIP) is sufficient to make the encrypted data inaccessible.
A target can receive a rawcrypto stream successfully only if the keysource property value is identical on both the source and target systems. For example, if you use the file:/// method to specify the location, ensure that the file contents and its location are the same on the source and target systems.

Only a target that uses at least ZFS Pool Version 50 (Raw Crypto Replication) can receive a send stream that you create by using the zfs send -w crypto command.
When a target receives a snapshot by using rawcrypto mode, subsequent updates to the same target dataset that contains that snapshot must use rawcrypto mode as well. Conversely, when the target does not use rawcrypto mode to receive a snapshot, subsequent updates to the same target dataset that contains that snapshot must not use rawcrypto mode either.
Note: If you specify the -w crypto option to send an unencrypted snapshot, the zfs send command does not use rawcrypto mode.
The following example command shows how to transfer the tank/encrypted-fs@snap1 snapshot to the dst/fs1 dataset on the target1 system in rawcrypto mode:

# zfs send -w crypto tank/encrypted-fs@snap1 | ssh target1 zfs recv -f dst/fs1
The following example commands show that the zfs send -w crypto command can send a snapshot that has more than one encryption key:

# zfs key -K tank/encrypted-fs
# zfs snapshot tank/encrypted-fs@snap2
# zfs send -w crypto tank/encrypted-fs@snap2 | ssh target2 zfs recv -f dst/fs2
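The preconditions above (encrypted source, identical keysource on both systems, target pool version 50 or later) are easy to get wrong on a replication host, so here is an added preflight check that encodes them; it is example code, not part of the Oracle documentation. The decision logic is a pure function fed with constructed values; the gather_and_check wrapper assumes that zfs get -H -o value and zpool get -H -o value are the way to read the properties on both systems.

```shell
#!/bin/sh
# Added example: preflight check for a rawcrypto (zfs send -w crypto)
# transfer. Encodes the conditions the documentation lists; it does not
# replace the checks zfs recv itself performs on the target.

# rawcrypto_check SRC_ENCRYPTION SRC_KEYSOURCE DST_KEYSOURCE DST_POOL_VERSION
# Prints a one-line verdict. Returns 0 when a rawcrypto send is appropriate,
# 1 for an unencrypted source, 2 for a keysource mismatch, 3 for a target
# pool version that cannot receive the stream.
rawcrypto_check() {
  src_enc=$1; src_ks=$2; dst_ks=$3; dst_ver=$4

  # An unencrypted source: -w crypto is accepted, but rawcrypto mode is not used.
  if [ "$src_enc" = "off" ]; then
    echo "source not encrypted: send would not use rawcrypto mode"
    return 1
  fi
  # keysource must be identical on both systems: same format and same
  # location (for file:/// the path, and the file contents, must match).
  if [ "$src_ks" != "$dst_ks" ]; then
    echo "keysource mismatch: source=$src_ks target=$dst_ks"
    return 2
  fi
  # Only ZFS Pool Version 50 (Raw Crypto Replication) or later can receive it.
  case "$dst_ver" in
    *[!0-9]*|'') echo "unrecognised target pool version: $dst_ver"; return 3 ;;
  esac
  if [ "$dst_ver" -lt 50 ]; then
    echo "target pool version $dst_ver is below 50: cannot receive rawcrypto stream"
    return 3
  fi
  echo "ok: rawcrypto send is appropriate"
  return 0
}

# Assumed way to gather the inputs on a live system (property names are
# the documented ones; the -H -o value output format is an assumption).
# Usage: gather_and_check SOURCE_DATASET TARGET_HOST TARGET_PARENT_DATASET
gather_and_check() {
  src_ds=$1; target_host=$2; dst_parent=$3
  src_enc=$(zfs get -H -o value encryption "$src_ds")
  src_ks=$(zfs get -H -o value keysource "$src_ds")
  dst_ks=$(ssh "$target_host" zfs get -H -o value keysource "$dst_parent")
  dst_pool=${dst_parent%%/*}
  dst_ver=$(ssh "$target_host" zpool get -H -o value version "$dst_pool")
  rawcrypto_check "$src_enc" "$src_ks" "$dst_ks" "$dst_ver"
}
```

Run gather_and_check tank/encrypted-fs target1 dst before the zfs send shown above; a non-zero exit names the condition that would make the receive fail or silently fall back to the decrypt-and-re-encrypt path.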