Creating an Encrypted Pool (BUI)

For more detailed information about creating a pool, see Creating a Storage Pool (BUI).

Pool keystore and key name values can be changed at any point after the pool has been created. However, you cannot add encryption information to a pool that was already created as unencrypted.

Any dataset that is created in an encrypted pool will also be encrypted. You cannot create unencrypted projects or shares on an encrypted pool.

Before You Begin

To create an encrypted storage pool, upgrade to software release OS8.8.0 or later and accept all deferred updates, including "Enable Pool Encryption." See Enable Pool Encryption Deferred Update in Oracle ZFS Storage Appliance Customer Service Manual, Release OS8.8.x.

The encryption key must be created before you can create an encrypted pool. See Data Encryption.

  • Because the keystore must be configured before the pool is created, you cannot create an encrypted pool at initial system configuration or after factory reset.
  • Before setting up replication for a share or project in an encrypted pool, ensure that the encryption key used at the source is also available at the target.

  1. From the Configuration menu, select Storage.
  2. Next to Available Pools, click the add icon.
  3. Type a name for the storage pool, and click APPLY.
  4. Select the number of data drives for the storage pool for each disk shelf. You can also select available log, cache, and meta devices.

    For more information about selecting data drives and meta devices, see Creating a Storage Pool (BUI).

  5. Click COMMIT.

    The drives are allocated to the storage pool, and verified for presence and minimum functionality. If verification fails, click ABORT, fix the problem, and begin this procedure again. If you allocate a pool with missing or failed devices, you will not be able to add the missing or failed devices later.

  6. On the Choose Storage Profile screen, select the data profile that meets your reliability, availability, serviceability, and performance goals.

    For a description of each profile, click on the data profile name, or see Data Profiles for Storage Pools.

  7. If you allocated log, cache, or meta devices, select the appropriate profiles.

    For more information, see Creating a Storage Pool (BUI).

  8. Set the encryption type, keystore, and key name.

    Use the fields Encryption and Key in the section Optional Settings at the bottom of the Choose Storage Profile screen.

    The Encryption field is disabled if no keystore is configured. The encryption key must be created before you create the pool. See Data Encryption.

    By default, Encryption is set to Off and Key is disabled. When you select a type in the Encryption field (see Understanding Encryption Key Values), you must also select a keystore and a key name in the Key field.

  9. Click COMMIT.

    Once selected, the Encryption value is immutable. However, the Key values can be changed at any time. See Changing a Pool Encryption Key (BUI).

    All projects created under this pool are automatically encrypted with these encryption values, though the Key values can be changed. See Creating an Encrypted Project (BUI).