ZFS On-Disk Encryption Support

The ZFS encryption project is no longer active on this website so information here might be out of date. Oracle Solaris 11 ZFS encryption resources are available here:

Status

This project has completed.

For further information please see the following links.

Oracle Solaris 11 documentation for ZFS encryption

Blog entries by developers:

http://blogs.sun.com/darren/entry/introducing_zfs_crypto_in_oracle
http://blogs.sun.com/darren/entry/assued_delete_with_zfs_dataset
http://blogs.sun.com/darren/entry/compress_encrypt_checksum_deduplicate_with
http://blogs.sun.com/darren/entry/choosing_a_value_for_the
http://blogs.sun.com/darren/entry/zfs_encryption_what_is_on

Interview with Cindy Swearingen

What are we doing ?

This project will provide on disk encryption/decryption support for ZFS datasets. The project will cover the addition of encryption and decryption to the ZFS IO pipeline and the key management for ZFS datasets.

It will support different key management strategies by allowing scripting of the zfs(1) command for key load/unload/change and an API in libzfs.

Documentation

Logging Bugs:

Bugs are tracked in Bugster: development/zfs/ with zfs-crypto keyword.

See the Project Plan page for more details.

Features

Per dataset policy for enabling encryption, including algorithm and key length.
Per dataset data encryption keys wrapped by a dataset level key
Inherited when keyscope property is inherited
Dataset wrapping key from passphrase using PKCS#5 PBE
Dataset wrapping key in file/stdin as raw bits or in hex
Encrypted swap via encrypted ZVOL
Support for encrypted dump ZVOL
NO support for encrypted boot filesystem

Futures

PAM module for user home directory with per dataset keying. (Currently implemented but not included in ARC reviewed content).
Wrapping keys in PKCS#11 keystore, eg SCA-6000, TPM, Smartcard

Tags:

Created by on 2009/10/26 11:40

Last modified by Cindy Swearingen on 2011/11/09 17:55