Creating an Encrypted Pool (CLI)

For more detailed information about creating a pool, see Creating a Storage Pool (CLI).

Pool keystore and key name values can be changed at any point after the pool has been created. However, you cannot add encryption information to a pool that was already created as unencrypted.

Any dataset that is created in an encrypted pool will also be encrypted. You cannot create unencrypted projects or shares on an encrypted pool.

Before You Begin

To create an encrypted storage pool, upgrade to software release OS8.8.0 or later and accept all deferred updates, including "Enable Pool Encryption." See Enable Pool Encryption Deferred Update in Oracle ZFS Storage Appliance Customer Service Manual, Release OS8.8.x.

The encryption key must be created before you can create an encrypted pool. See Data Encryption.

  • Because the keystore must be configured before the pool is created, you cannot create an encrypted pool at initial system configuration or after factory reset.
  • Before setting up replication for a share or project in an encrypted pool, ensure that the encryption key used at the source is also available at the target.

  1. Go to configuration storage.
  2. Enter config and a name for the new storage pool.
  3. Enter show to see the device information for the pool.
  4. Enter set and the disk shelf or controller ID, and the number of data drives to use. You can also select available cache, meta, and log devices.

    For more information about selecting data drives and meta devices, see Creating a Storage Pool (CLI).

  5. Enter done.
  6. Enter show to display the profile.
  7. If you allocated log devices to the pool, enter set log_profile= and set the log profile to either log_mirror or log_stripe. Use log_mirror if the pool contains an even number of log devices.
  8. If you allocated meta devices to the pool, enter set meta_profile= and set the meta profile to either meta_mirror or meta_stripe.
  9. Set the encryption type, keystore, and key name using properties encryption, keystore, and keyname.

    The properties encryption, keystore, and keyname are hidden and immutable if a keystore is not configured. The encryption key must be created before you create the pool. See Data Encryption.

    By default, encryption is set to off.

    hostname:configuration storage (pool1) config> ls
                 PROFILE          CAPCTY NSPF DESCRIPTION
       profile = mirror           4.92G  no   Mirrored
                 mirror3          4.92G  no   Triple mirrored
                 stripe           14.8G  no   Striped
    
    encryption = off
       keyname =
      keystore =

    Set an encryption type (see Understanding Encryption Key Values), a keystore, and a key name. If encryption is not off, then keystore and keyname must be set.

    hostname:configuration storage (pool1) config> set encryption=aes-128-ccm
                        encryption = aes-128-ccm
    hostname:configuration storage (pool1) config> set keystore=LOCAL
                          keystore = LOCAL
    hostname:configuration storage (pool1) config> set keyname=MyKey
                           keyname = MyKey
  10. Enter done to complete the task.

    hostname:configuration storage (pool1) config> done

    Check the values.

    hostname:configuration storage (pool1)> get encryption keystore keyname keystatus
                        encryption = aes-128-ccm
                          keystore = LOCAL
                           keyname = MyKey
                         keystatus = available

    Once selected, the encryption value is immutable. However, the keystore and keyname values can be changed at any time. See Changing a Pool Encryption Key (CLI).

    All projects created under this pool are automatically encrypted with these encryption values, though the keystore and keyname values can be changed. See Creating an Encrypted Project (CLI).
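As an added example (not part of the Oracle documentation), the POSIX shell script below parses a captured `get encryption keystore keyname keystatus` listing in the format shown above and confirms that an encrypted pool has a keystore, a key name, and an available key before projects or replication are set up on it. The sample listing is constructed, and how the listing is captured from the appliance is left to the reader.

```shell
#!/bin/sh
# Added example: validate the encryption properties of a pool from a
# captured appliance CLI listing. Not part of the appliance software.

# Constructed sample listing, in the format the appliance prints.
SAMPLE_OK='                    encryption = aes-128-ccm
                      keystore = LOCAL
                       keyname = MyKey
                     keystatus = available'

# Print the value of one property from a captured listing.
# $1 = captured listing, $2 = property name
pool_prop() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2 = *//p"
}

# Return 0 when the pool is unencrypted, or encrypted with a keystore,
# a key name and an available key; otherwise print the reason and return 1.
check_pool_encryption() {
    listing=$1
    enc=$(pool_prop "$listing" encryption)
    ks=$(pool_prop "$listing" keystore)
    kn=$(pool_prop "$listing" keyname)
    st=$(pool_prop "$listing" keystatus)

    # The properties are hidden when no keystore is configured.
    if [ -z "$enc" ]; then
        echo "encryption properties not shown: no keystore configured"
        return 1
    fi
    if [ "$enc" = off ]; then
        echo "pool is not encrypted"
        return 0
    fi
    # A non-off encryption type requires both keystore and keyname.
    if [ -z "$ks" ] || [ -z "$kn" ]; then
        echo "encryption=$enc but keystore or keyname is not set"
        return 1
    fi
    if [ "$st" != available ]; then
        echo "key $kn in keystore $ks is not usable (keystatus=$st)"
        return 1
    fi
    echo "pool encrypted with $enc using $ks key $kn"
    return 0
}

check_pool_encryption "$SAMPLE_OK"
```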