14 Storage Encryption

Pools, projects, and shares can be encrypted. If a pool is encrypted, then each child project and share is encrypted and inherits encryption property values from the pool. If encryption property values are specified for a project, then the inherited values are not used, and child shares inherit the local values specified for the project. An encrypted project can be created in an unencrypted pool. An unencrypted project cannot be created in an encrypted pool.

If a project is encrypted, then each child share is encrypted and inherits encryption property values from the project. If encryption property values are specified for a share, then the inherited values are not used. An encrypted share can be created in an unencrypted project. An unencrypted share cannot be created in an encrypted project.
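The two paragraphs above define a small rule set, and the cases that matter operationally are the ones the appliance rejects. The following Python is an added example, not appliance code: it applies the pool > project > share inheritance rules to the locally set encryption properties of each object and reports which values a share actually ends up with, raising for a child that would be unencrypted inside an encrypted parent. The "off" literal for an unencrypted object and the sample property values are assumptions made for the example.

```python
# Added example (not appliance code): apply the pool > project > share inheritance rules
# to the locally set encryption properties of each object and work out which values
# the lowest object actually gets, rejecting the combinations that cannot be created.

# Setting any of these on an object replaces the whole inherited set.
ENCRYPTION_PROPS = ("encryption", "keystore", "keyname")

# Assumption: an object is declared unencrypted by setting encryption to "off"; the page
# does not show the literal, so this is the value this example uses.
UNENCRYPTED = "off"


def _is_encrypted(props):
    return bool(props) and props.get("encryption", UNENCRYPTED) != UNENCRYPTED


def resolve_encryption(pool, project=None, share=None):
    """Return the effective encryption properties of the lowest object given.

    Each argument is a dict of the properties set locally on that object; {} means
    "inherit everything" and None means the level does not exist (pass None for share
    when resolving a project). Raises ValueError for a child that would be unencrypted
    inside an encrypted parent, or for an encrypted object missing one of the three
    required properties.
    """
    effective = {}
    for level, local in (("pool", pool), ("project", project), ("share", share)):
        if local is None:
            continue
        local_set = {k: v for k, v in local.items() if k in ENCRYPTION_PROPS}
        if not local_set:
            continue  # nothing set locally: keep the values inherited so far
        if "encryption" not in local_set:
            raise ValueError(f"{level}: keystore/keyname given without encryption")
        if not _is_encrypted(local_set):
            if _is_encrypted(effective):
                raise ValueError(f"{level}: an unencrypted {level} cannot be created "
                                 f"inside an encrypted parent")
        else:
            missing = [k for k in ENCRYPTION_PROPS if k not in local_set]
            if missing:
                raise ValueError(f"{level}: encrypted object must also set {missing}")
        effective = local_set  # local values replace the inherited ones entirely
    return {"encrypted": _is_encrypted(effective), **effective}


def creation_error(pool, project=None, share=None):
    """Return the reason the chain cannot be created, or None if it is valid."""
    try:
        resolve_encryption(pool, project, share)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample objects using the values from the request example in this chapter.
    enc_project = {"encryption": "aes-128-ccm", "keystore": "local", "keyname": "Key-0"}
    print(resolve_encryption({}, enc_project, {}))  # share inherits the project's key
    print(resolve_encryption({}, enc_project, {**enc_project, "keyname": "Key-1"}))  # share overrides
    print(creation_error(enc_project, {"encryption": "off"}))  # rejected: unencrypted child
```

Note that a share that sets its own key gets that key and nothing from the project, so rotating or deleting the project's key does not affect such a share; keep an inventory of which objects carry local keys before touching a keystore.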

Create an Encrypted Pool, Project, or Share

To create an encrypted pool, project, or share, specify values for the encryption, keystore, and keyname properties, in addition to the required properties described in Configure Pool, Create Project, Create Filesystem, and Create a New LUN.

The following table describes encryption properties for a particular pool, project, or share.

Table 14-1 Encryption Properties for Pools, Projects, and Shares

Property        Type     Description

encryption      string   AES encryption type and key length (for example, aes-128-ccm)

keystore        string   Type of keystore: local, okm, or kmip

keyname         string   A specific key name

keychangedate   string   (Read-only) The date that the key was last changed. This value is in
                         ISO-8601 datetime format in v2 and in JavaScript datetime format in v1.
                         If the value is empty, then the key has not been changed since it was
                         created.

keystatus       string   (Read-only) One of available, unavailable, or none. If the value is
                         unavailable, then the key has been deleted and the data in the pool,
                         project, or share cannot be accessed.

Example Request:

POST /api/storage/v2/pools/p1/projects HTTP/1.1
Host: zfs-storage.example.com:215
Content-Type: application/json
Accept: application/json

{
    "name": "proj-enc",
    "encryption": "aes-128-ccm",
    "keystore": "local",
    "keyname": "Key-0"
}

Example Result:

HTTP/1.1 201 Created
Content-Type: application/json
Location: http://zfs-storage.example.com:215/pools/p1/projects/proj-enc

{
    "project": {
        "name": "proj-enc",
        "href": "/api/storage/v2/pools/p1/projects/proj-enc",
        ...
        "encryption": "aes-128-ccm",
        "keystore": "local",
        "keychangedate": "",
        "keystatus": "available",
        "keyname": "Key-0",
        ...
    }
}
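The request and result above are what goes over the wire; what a practitioner also wants is a check that the object came back with the requested settings and a usable key before data is written to it. The following Python is an added example, not appliance or Oracle code: it builds the creation request shown above, sends it over TLS with HTTP basic authentication, and validates the result. The assumptions are that the REST service is reached over HTTPS on port 215 and accepts basic authentication; the host, credentials, and the sample result embedded for offline use are constructed for the example.

```python
# Added example (not appliance code): build the creation request shown above, send it, and
# check the result before trusting the object. Assumptions: the appliance REST service is
# reached over HTTPS on port 215 and accepts HTTP basic authentication; host, credentials
# and the sample result below are constructed for this example.
import base64
import http.client
import json
import ssl

API_BASE = "/api/storage/v2"
REQUIRED = ("encryption", "keystore", "keyname")


def build_create_request(pool, name, encryption, keystore, keyname):
    """Return (method, path, headers, body) for creating an encrypted project in `pool`.

    The same properties, together with the extra required properties from Create
    Filesystem or Create a New LUN, create an encrypted share under a project.
    """
    body = json.dumps({"name": name, "encryption": encryption,
                       "keystore": keystore, "keyname": keyname}).encode()
    headers = {"Content-Type": "application/json",
               "Accept": "application/json",
               "Content-Length": str(len(body))}
    return "POST", f"{API_BASE}/pools/{pool}/projects", headers, body


def encryption_issues(obj, expected):
    """List what is wrong with the encryption state of a returned pool/project/share.

    An empty list means the object carries the requested settings and its key is usable.
    keystatus "unavailable" means the named key has been deleted, so nothing written to
    the object can be read back; "none" means the object ended up unencrypted.
    """
    issues = [f"{k}: expected {expected[k]!r}, got {obj.get(k)!r}"
              for k in REQUIRED if obj.get(k) != expected[k]]
    status = obj.get("keystatus")
    if status != "available":
        issues.append(f"keystatus is {status!r}, not 'available'")
    return issues


def check_created(status, response_json, expected):
    """Raise unless the HTTP status and the returned object show a usable encrypted object."""
    if status != 201:
        raise RuntimeError(f"creation failed with HTTP {status}: {response_json}")
    # The result is wrapped in a single key naming the object type (project, filesystem, lun).
    (kind, obj), = response_json.items()
    issues = encryption_issues(obj, expected)
    if issues:
        raise RuntimeError(f"{kind} {obj.get('name')!r}: " + "; ".join(issues))
    return {k: obj.get(k) for k in REQUIRED + ("keystatus", "keychangedate", "href")}


def create_encrypted_project(host, user, password, pool, name,
                             encryption, keystore, keyname, port=215, ca_file=None):
    """Send the request over TLS with basic auth and validate the result (network call)."""
    method, path, headers, body = build_create_request(pool, name, encryption, keystore, keyname)
    creds = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers["Authorization"] = f"Basic {creds}"
    # Verify the appliance certificate: pass the CA that signed it via ca_file rather than
    # disabling verification, or the credentials above go to whoever answers on port 215.
    ctx = ssl.create_default_context(cafile=ca_file)
    conn = http.client.HTTPSConnection(host, port, context=ctx)
    try:
        conn.request(method, path, body=body, headers=headers)
        resp = conn.getresponse()
        data = json.loads(resp.read() or b"{}")
        return check_created(resp.status, data,
                             {"encryption": encryption, "keystore": keystore, "keyname": keyname})
    finally:
        conn.close()


# Constructed sample result mirroring the example result in this chapter (offline use).
SAMPLE_RESULT = {"project": {"name": "proj-enc",
                             "href": "/api/storage/v2/pools/p1/projects/proj-enc",
                             "encryption": "aes-128-ccm", "keystore": "local",
                             "keychangedate": "", "keystatus": "available",
                             "keyname": "Key-0"}}

if __name__ == "__main__":
    expected = {"encryption": "aes-128-ccm", "keystore": "local", "keyname": "Key-0"}
    print(build_create_request("p1", "proj-enc", **expected)[1])
    print(check_created(201, SAMPLE_RESULT, expected))
```

The check on keystatus is the part worth keeping in any automation around this API: a key that is deleted from the keystore leaves the object in place with keystatus unavailable, and a job that only looks at the 201 status or the href will happily write data that can no longer be read.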