
ZFS Encryption FAQ

ZFS Encryption Frequently Asked Questions (FAQ)

  1. What is ZFS encryption?
  2. How do I encrypt ZFS data?
  3. Can I enable encryption on an existing file system or volume?
  4. Can I enable encryption on an existing pool?
  5. Can I migrate an existing unencrypted file system to an encrypted file system by using zfs send and zfs receive?
  6. Can I migrate an existing unencrypted ZFS volume to an encrypted ZFS volume by using zfs send and zfs receive?
  7. Can I boot from an encrypted file system?
  8. Can I enable compression or deduplication on an encrypted file system?
  9. Can a user have an encrypted home directory?
  10. How should I manage my encryption keys?

What is ZFS encryption?

Encryption is the process of encoding data for privacy so that the data owner needs a key to access the encoded data.

See Darren's blog that briefly describes ZFS encryption in the Oracle Solaris 11 Express release.

How do I encrypt ZFS data?

You can encrypt a ZFS file system when it is created by setting the encryption property to on.

 # zfs create -o encryption=on tank/home/darren 

Can I enable encryption on an existing file system or volume?

No, encryption can only be enabled or disabled at creation time. This policy ensures that all the data in a ZFS file system or volume is always encrypted. The restriction matters because ZFS is copy-on-write and does not overwrite data in place, so blocks written before encryption was enabled would otherwise remain on disk unencrypted.

Can I enable encryption on an existing pool?

Yes, the pool must be upgraded to pool version 30 to allow encrypted ZFS file systems and volumes.

Can I migrate an existing unencrypted file system to an encrypted file system by using zfs send and zfs receive?

Not at this time, but this feature is being considered. You can use the cp -r, find | cpio, tar, or rsync commands to migrate unencrypted file system data to a file system with encryption enabled.

Can I migrate an existing unencrypted ZFS volume to an encrypted ZFS volume by using zfs send and zfs receive?

Yes, this operation is allowed provided that the properties are NOT sent (the zfs send -p option) and the stream is not a replication stream (the zfs send -R option).

Can I boot from an encrypted file system?

No.

Can I enable compression or deduplication on an encrypted file system?

Yes, you can enable compression and deduplication on an encrypted file system. For descendant file systems, such as clones, data is deduplicated provided that the zfs key -K or zfs clone -K operations, which change the data encryption keys, have not been used on the clone file systems.

Can a user have an encrypted home directory?

Yes. A PAM module to assist with encrypting users' home directories is being considered.

How should I manage my encryption keys?

  • Wrapping key - The key that you provide to encrypt the data encryption keys, such as a passphrase or a hex file that is generated by the pktool command, and is specified when the encrypted file system is created.
    • You can use the zfs key -c command to change the wrapping key according to your organization's policy. For more information, see the NIST SP800-57 link below. 
    • If you lose your encrypted file system's wrapping key, your encrypted data is lost. No backdoor recovery exists to restore your lost keys.
    • Your encrypted file system's wrapping key should be backed up and stored in a secure location, such as a fireproof safe.
  • Data encryption key - The internal data encryption key is stored in the kernel. You can use the zfs key -K and zfs clone -K commands to change the data encryption keys. Change these keys according to your organization's policy and see the NIST 800-57 link below, as an example.
    • You can change these keys very frequently, but we don't recommend it. Frequent key changes can increase kernel memory requirements and could impact performance of reads and writes, if there are an excessive number of data encryption keys.
  • NIST SP800-57, see Section 5.3.6 Cryptoperiod Recommendation for Specific Key Types in Table 1, which says less than or equal to 2 years for both the data encryption key and wrapping key.
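An added example of the wrapping-key hygiene described in this section; it is not from the FAQ or from Oracle. It generates a raw AES-256 wrapping key file, checks its size and permissions, verifies the offline backup copy, and builds the zfs create, zfs key -c and zfs key -K command lines. It assumes the Oracle Solaris 11 keysource=raw,file:///absolute/path property syntax; the dataset name and paths are constructed, and it reads /dev/urandom in place of the pktool command the FAQ mentions.

```shell
#!/bin/sh
# Added example, not from the FAQ or from Oracle: prepare, verify and back
# up a raw wrapping-key file for an encrypted ZFS dataset. Assumes the
# Oracle Solaris 11 keysource property (keysource=raw,file:///abs/path);
# the FAQ names pktool for key generation, this reads /dev/urandom instead.
set -eu

# Write a raw wrapping key of 16, 24 or 32 bytes (AES-128/192/256), readable
# only by its owner. Fails if the length is not an AES key size or the write
# came up short. Use an absolute path: it is embedded in a file:// URI below.
make_raw_key() {
    keyfile=$1 keylen=${2:-32}
    case $keylen in 16|24|32) ;; *) echo "unsupported key length $keylen" >&2; return 1 ;; esac
    ( umask 077; dd if=/dev/urandom of="$keyfile" bs="$keylen" count=1 2>/dev/null )
    [ "$(key_size "$keyfile")" -eq "$keylen" ]
}

# Byte length of a key file, so callers can confirm the expected AES size.
key_size() { wc -c < "$1" | tr -d ' '; }

# Owner-only permission check: refuse a key file another user could read.
key_private() { [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]; }

# Lowercase hex rendering of the key, for the keysource=hex format or for
# the written record kept with the offline copy (the FAQ's fireproof safe).
key_to_hex() { od -An -v -tx1 "$1" | tr -d ' \n'; }

# Confirm the backup is byte-identical to the live key before trusting it:
# the FAQ is explicit that a lost wrapping key means lost data.
backup_matches() { cmp -s "$1" "$2"; }

# The zfs commands that consume the key. DRY_RUN=1 (default) only prints
# them, so this file is safe to run on a non-Solaris host; DRY_RUN=0 runs them.
run() { if [ "${DRY_RUN:-1}" -eq 1 ]; then echo "$*"; else "$@"; fi; }
create_encrypted() { run zfs create -o encryption=on -o keysource=raw,file://"$2" "$1"; }
change_wrapping_key() { run zfs key -c -o keysource=raw,file://"$2" "$1"; }  # rewraps the DEK, no data rewrite
change_data_key() { run zfs key -K "$1"; }  # new DEK for data written from now on

if [ "${1:-}" = demo ]; then
    dir=$(mktemp -d)
    make_raw_key "$dir/wrapkey" 32 && key_private "$dir/wrapkey"
    cp -p "$dir/wrapkey" "$dir/wrapkey.backup"   # stand-in for the offline copy
    backup_matches "$dir/wrapkey" "$dir/wrapkey.backup"
    echo "hex record: $(key_to_hex "$dir/wrapkey")"
    create_encrypted tank/home/darren "$dir/wrapkey"
    make_raw_key "$dir/wrapkey.new" 32
    change_wrapping_key tank/home/darren "$dir/wrapkey.new"
    change_data_key tank/home/darren
fi
```

Run it as `sh script.sh demo` to see the full sequence with the commands printed rather than executed.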
Created by Cindy Swearingen on 2010/11/16 17:41
Last modified by Cindy Swearingen on 2011/04/26 15:51