Integrate OKM and ZFS

Use these procedures for integrating OKM with ZFS.

Note:

Much of the information for these tasks also applies in OKM configurations using Transparent Data Encryption (TDE). Where appropriate, the following sections include references to additional information described in the TDE section.

Configure the OKM Cluster for ZFS

Use the procedures provided for configuring a standard OKM cluster to configure the cluster for ZFS.

  1. Ensure that all KMAs in the OKM cluster are running OKM 2.4.1 or later and that the OKM cluster uses Replication Schema version 13. Supported OKM management platforms for the GUI and CLI are documented in the OKM product release notes, which include specific considerations for Oracle Solaris and Microsoft Windows platforms.
  2. Create a key policy and key group, configure an agent, and associate that agent with the key group as its default key group. For more information, see Configure the OKM Cluster for TDE.

    Note:

    The agent should be configured to disable the One Time Passphrase property. See Create an Agent or View and Modify Agents.

Install pkcs11_kms on Solaris 11

Install pkcs11_kms for ZFS using the same procedures used for TDE.

To install Oracle's PKCS#11 provider, pkcs11_kms, on the Solaris 11 system, perform the steps described in Install pkcs11_kms.

Configure pkcs11_kms on Solaris 11

Configure pkcs11_kms for ZFS by using the same procedures as TDE.

To configure pkcs11_kms on the Solaris 11 system, perform Steps 2 and 3 as described in Configure pkcs11_kms. Disregard references to Oracle RAC, as they do not apply in an OKM/ZFS integration.

Configure ZFS to use pkcs11_kms

Generate a key in the pkcs11_kms provider and configure ZFS to use this key when encrypting files in file systems contained in a particular ZFS pool.

  1. Use the Solaris pktool genkey command to create an AES 256-bit key.

    At the "Enter PIN for KMS" prompts, enter the passphrase of the agent that was provided to the kmscfg utility when you configured pkcs11_kms.

    For example:

    # pktool list token=KMS objtype=key 
    Enter PIN for KMS: 
    # pktool genkey keystore=pkcs11 token=KMS keytype=aes keylen=256 label=zfscrypto_key_256 
    Enter PIN for KMS: 
    # pktool list token=KMS objtype=key label=zfscrypto_key_256 
    Enter PIN for KMS: 
    
  2. Use the zfs create command to configure ZFS to use this key.

    In the "keysource" argument of the zfs create command, specify the label of the key that you generated above.

    At the "Enter 'KMS' PKCS#11 token PIN" prompts, enter the passphrase of the agent.

    For example:

    # zfs create -o encryption=aes-256-ccm -o keysource="raw,pkcs11:token=KMS;object=zfscrypto_key_256" cpool_nd/cfs 
    Enter 'KMS' PKCS#11 token PIN for 'cpool_nd/cfs':
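
The script below is an added example and is not part of the Oracle OKM documentation or the OKM product. It checks, after the two steps above, that a dataset really is encrypted with a key held in the OKM-backed KMS token rather than with a passphrase or a raw key file that never left the host. It assumes the dataset name cpool_nd/cfs and the key label zfscrypto_key_256 from the procedure, that `zfs get -H -o value encryption,keysource <dataset>` on Solaris 11 prints one property value per line in the order requested, and that the keysource string has exactly the form used in the zfs create command above. The audit_dataset function needs a live Solaris host; the demo function runs offline on constructed property values.

```shell
#!/bin/sh
# Added example (not from the Oracle OKM documentation): verify that a ZFS
# dataset's encryption properties point at an OKM-managed key in the "KMS"
# PKCS#11 token, not at a local passphrase or raw key file.
#
# Inputs are the "encryption" and "keysource" property strings that
# `zfs get -H -o value encryption,keysource <dataset>` prints on Solaris 11
# (assumed: one value per line, in the order requested).

# check_zfs_kms_keysource ENCRYPTION KEYSOURCE LABEL
# Returns 0 when ENCRYPTION is an AES cipher (not "off") and KEYSOURCE is
# exactly "raw,pkcs11:token=KMS;object=LABEL", the form used by the
# zfs create command in the procedure; returns 1 otherwise.
check_zfs_kms_keysource() {
    enc="$1"
    keysource="$2"
    label="$3"
    case "$enc" in
        aes-128-ccm|aes-192-ccm|aes-256-ccm|aes-128-gcm|aes-192-gcm|aes-256-gcm) ;;
        *) return 1 ;;   # "off", "on" (unresolved) or anything unexpected
    esac
    [ "$keysource" = "raw,pkcs11:token=KMS;object=$label" ] || return 1
    return 0
}

# audit_dataset DATASET LABEL
# Reads the live properties from zfs and applies the check.
# Returns 2 if the dataset cannot be queried (for example, it does not exist).
audit_dataset() {
    ds="$1"
    label="$2"
    vals=$(zfs get -H -o value encryption,keysource "$ds" 2>/dev/null) || return 2
    enc=$(printf '%s\n' "$vals" | sed -n 1p)
    ks=$(printf '%s\n' "$vals" | sed -n 2p)
    check_zfs_kms_keysource "$enc" "$ks" "$label"
}

# Offline demonstration on constructed property values (no zfs needed).
# Each record: dataset|encryption value|keysource value.
demo() {
    label="zfscrypto_key_256"
    printf '%s\n' \
      "cpool_nd/cfs|aes-256-ccm|raw,pkcs11:token=KMS;object=$label" \
      "cpool_nd/local|aes-256-ccm|passphrase,prompt" \
      "cpool_nd/plain|off|none" \
      "cpool_nd/wrongkey|aes-256-ccm|raw,pkcs11:token=KMS;object=some_other_key" |
    while IFS='|' read -r ds enc ks; do
        if check_zfs_kms_keysource "$enc" "$ks" "$label"; then
            echo "OK      $ds uses OKM key $label ($enc)"
        else
            echo "WARNING $ds: encryption=$enc keysource=$ks"
        fi
    done
}

demo
```

Checking only the encryption property is not enough: a dataset created with keysource=passphrase,prompt reports aes-256-ccm just like one backed by the KMS token, yet its key lifecycle is outside OKM. Comparing the keysource against the expected token and object label is what ties the dataset to the agent's default key group.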