Oracle Solaris 11.1 Administration: ZFS File Systems (Oracle Solaris 11.1 Information Library)

Encrypting ZFS File Systems

Encryption is the process of encoding data for privacy; the data owner needs a key to access the encoded data. The benefits of using ZFS encryption are as follows:

You can set an encryption policy when a ZFS file system is created, but the policy cannot be changed. For example, the tank/home/darren file system is created with the encryption property enabled. The default encryption policy is to prompt for a passphrase, which must be a minimum of 8 characters in length.

# zfs create -o encryption=on tank/home/darren
Enter passphrase for 'tank/home/darren': xxxxxxx
Enter again: xxxxxxxx

Confirm that the file system has encryption enabled. For example:

# zfs get encryption tank/home/darren
NAME              PROPERTY    VALUE        SOURCE
tank/home/darren  encryption  on           local

The default encryption algorithm is aes-128-ccm when a file system's encryption value is on.

A wrapping key is used to encrypt the actual data encryption keys. The wrapping key is passed from the zfs command to the kernel, as in the above example when the encrypted file system is created. A wrapping key is either stored in a file (in raw or hex format) or derived from a passphrase.

The format and location of the wrapping key are specified in the keysource property as follows:

keysource=format,location

If the keysource format is passphrase, then the wrapping key is derived from the passphrase. Otherwise, the keysource property value points to the actual wrapping key, as raw bytes or in hexadecimal format. The passphrase can be stored in a file, or it can be supplied as a raw stream of bytes that is prompted for, which is likely suitable only for scripting.

When a file system's keysource property value identifies passphrase, the wrapping key is derived from the passphrase using PKCS#5 PBKDF2 and a randomly generated per-file-system salt. This means that the same passphrase generates a different wrapping key when it is used on descendent file systems.

A file system's encryption policy is inherited by descendent file systems and cannot be removed. For example:

# zfs snapshot tank/home/darren@now
# zfs clone tank/home/darren@now tank/home/darren-new
Enter passphrase for 'tank/home/darren-new': xxxxxxx
Enter again: xxxxxxxx
# zfs set encryption=off tank/home/darren-new
cannot set property for 'tank/home/darren-new': 'encryption' is readonly

If you need to copy or migrate encrypted or unencrypted ZFS file systems, then consider the following points:

Changing an Encrypted ZFS File System's Keys

You can change an encrypted file system's wrapping key by using the zfs key -c command. The existing wrapping key must have been loaded first, either at boot time, by explicitly loading the file system key (zfs key -l), or by mounting the file system (zfs mount filesystem). For example:

# zfs key -c tank/home/darren
Enter new passphrase for 'tank/home/darren': xxxxxxxx
Enter again: xxxxxxxx

In the following example, the wrapping key is changed and the keysource property value is changed to specify that the wrapping key comes from a file.

# zfs key -c -o keysource=raw,file:///media/stick/key tank/home/darren

The data encryption key for an encrypted file system can be changed by using the zfs key -K command, but the new encryption key is only used for newly written data. This feature can be used to provide compliance with NIST 800-57 guidelines on a data encryption key's time limit. For example:

# zfs key -K tank/home/darren

In the above example, the data encryption key is not visible, nor is it directly managed by you. In addition, you need the keychange delegation to perform a key change operation.

The following encryption algorithms are available:

The ZFS keysource property identifies the format and location of the key that wraps the file system's data encryption keys. For example:

# zfs get keysource tank/home/darren
NAME              PROPERTY   VALUE              SOURCE
tank/home/darren  keysource  passphrase,prompt  local

The ZFS rekeydate property identifies the date of the last zfs key -K operation. For example:

# zfs get rekeydate tank/home/darren
NAME              PROPERTY   VALUE                  SOURCE
tank/home/darren  rekeydate  Wed Jul 25 16:54 2012  local

If an encrypted file system's creation and rekeydate properties have the same value, the file system has never been rekeyed by a zfs key -K operation.
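The creation/rekeydate comparison above, together with the NIST 800-57 cryptoperiod point made for zfs key -K, is easy to turn into a routine audit. The following script is an added example and not part of the Oracle manual. It assumes that zfs get -p prints both creation and rekeydate as epoch seconds, that unencrypted datasets report rekeydate as "-", and that the 365-day and 90-day periods are site policy placeholders; the sample property lines are constructed, not captured from a system.

```shell
#!/bin/sh
# Added example (not from the Oracle manual): audit the rekeydate property to
# find data encryption keys that have never been rotated with "zfs key -K",
# or whose last rotation is older than a site cryptoperiod (NIST 800-57 leaves
# the actual period to local policy; the day counts used here are placeholders).
#
# audit_rekey expects on stdin the output of
#   zfs get -H -p -o name,property,value creation,rekeydate
# one tab-separated line per dataset/property. -p is assumed to print both
# timestamps as epoch seconds; unencrypted datasets report rekeydate as "-".
#
# audit_rekey NOW_EPOCH MAX_AGE_DAYS
# Prints "<dataset> never-rekeyed <age-days>" or "<dataset> stale <age-days>"
# for every dataset that needs a key change; compliant datasets are silent.
audit_rekey() {
    awk -F '\t' -v now="$1" -v maxdays="$2" '
        $2 == "creation"  { created[$1] = $3 }
        $2 == "rekeydate" { rekeyed[$1] = $3 }
        END {
            for (ds in created) {
                if (!(ds in rekeyed) || rekeyed[ds] == "-") continue
                age = int((now - rekeyed[ds]) / 86400)
                if (rekeyed[ds] == created[ds])
                    printf "%s never-rekeyed %d\n", ds, age
                else if (age > maxdays)
                    printf "%s stale %d\n", ds, age
            }
        }' | LC_ALL=C sort
}

# Constructed sample (not real system output). tank/home/darren was rekeyed at
# the rekeydate shown in the text (Wed Jul 25 16:54 2012 = 1343235240 UTC);
# tank/home/cindy still has its creation-time key; tank/scratch is unencrypted.
SAMPLE_PROPS=$(printf '%s\t%s\t%s\n' \
    tank/home/darren creation  1325419200 \
    tank/home/darren rekeydate 1343235240 \
    tank/home/cindy  creation  1325419200 \
    tank/home/cindy  rekeydate 1325419200 \
    tank/scratch     creation  1325419200 \
    tank/scratch     rekeydate -)

# Evaluate the sample as of 2013-01-01 00:00 UTC with a 90-day cryptoperiod.
demo() { printf '%s\n' "$SAMPLE_PROPS" | audit_rekey 1356998400 90; }

# Live use: report, and rotate when ROTATE=yes (needs the keychange delegation
# or root; the wrapping key must already be loaded, as the text explains).
rekey_stale() {
    zfs get -H -p -o name,property,value creation,rekeydate "$@" \
        | audit_rekey "$(date +%s)" 365 \
        | while read -r ds state age; do
            echo "$ds: $state, $age days since the current key was installed"
            if [ "${ROTATE:-no}" = yes ]; then
                zfs key -K "$ds"
            fi
          done
}
```

Running demo prints tank/home/cindy as never rekeyed (365 days old) and tank/home/darren as stale (159 days under the 90-day limit); tank/scratch is skipped because it is not encrypted. Because zfs key -K only affects newly written data, a stale report means old blocks still use the previous key until they are rewritten.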

Managing ZFS Encryption Keys

ZFS encryption keys can be managed in different ways, depending on your needs, either on the local system or remotely, if a centralized location is needed.

For more information about managing ZFS encryption keys, see

http://www.oracle.com/technetwork/articles/servers-storage-admin/manage-zfs-encryption-1715034.html

For information about using Oracle Key Manager to manage key information, see:

http://docs.oracle.com/cd/E24472_02/

Delegating ZFS Key Operation Permissions

Review the following permission descriptions for delegating key operations:

Consider delegating separate permissions for key use (load or unload) and key change, which allows you to have a two-person key operation model. For example, determine which users can use the keys versus which users can change them. Or, both users need to be present for a key change. This model also allows you to build a key escrow system.

Mounting an Encrypted ZFS File System

Review the following considerations when attempting to mount an encrypted ZFS file system:

Upgrading Encrypted ZFS File Systems

Before you upgrade a Solaris 11 system to Solaris 11.1, ensure that your encrypted file systems are mounted. Mount the encrypted file systems and provide the passphrases, if prompted.

# zfs mount -a
Enter passphrase for 'pond/amy': xxxxxxxx
Enter passphrase for 'pond/rory': xxxxxxxx
# zfs mount | grep pond
pond                            /pond
pond/amy                        /pond/amy
pond/rory                       /pond/rory

Then, upgrade the encrypted file systems.

# zfs upgrade -a

If you attempt to upgrade encrypted ZFS file systems that are unmounted, a message similar to the following is displayed:

# zfs upgrade -a
cannot set property for 'pond/amy': key not present

In addition, the zpool status output might show corrupted data.

# zpool status -v pond
.
.
.
        pond/amy:<0x1>
        pond/rory:<0x1>

If the above errors occur, remount the encrypted file systems as directed above. Then, scrub and clear the pool errors.

# zpool scrub pond
# zpool clear pond
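The upgrade procedure above fails on any encrypted file system whose key is not loaded, and the zpool status errors that follow are easy to mistake for real corruption. The following script is an added example and not part of the Oracle manual: it checks for unmounted encrypted file systems before running zfs upgrade -a. It assumes the read-only mounted property (yes/no) alongside encryption in the output of zfs get -H; the sample lines are constructed to match the pond/amy scenario, not captured from a system.

```shell
#!/bin/sh
# Added example (not from the Oracle manual): refuse to run "zfs upgrade -a"
# while any encrypted file system is unmounted, so the "key not present"
# failure and the spurious zpool status errors described above never occur.
#
# unmounted_encrypted reads the output of
#   zfs get -H -o name,property,value encryption,mounted
# (one tab-separated line per dataset/property; "mounted" is assumed to be the
# read-only native property reporting yes/no) and prints the datasets that
# have encryption enabled but are not mounted.
unmounted_encrypted() {
    awk -F '\t' '
        $2 == "encryption" { enc[$1] = $3 }
        $2 == "mounted"    { mnt[$1] = $3 }
        END {
            for (ds in enc)
                if (enc[ds] != "off" && mnt[ds] == "no") print ds
        }' | LC_ALL=C sort
}

# Constructed sample matching the pond/amy scenario in the text (not captured
# from a real system): pond/amy is encrypted and unmounted, pond/rory is
# encrypted and mounted, pond itself is unencrypted.
SAMPLE_MOUNTS=$(printf '%s\t%s\t%s\n' \
    pond      encryption off \
    pond      mounted    yes \
    pond/amy  encryption on \
    pond/amy  mounted    no \
    pond/rory encryption aes-256-ccm \
    pond/rory mounted    yes)

demo() { printf '%s\n' "$SAMPLE_MOUNTS" | unmounted_encrypted; }

# Live procedure: mount everything (prompting for passphrases as in the text),
# re-check, and only then upgrade.
safe_upgrade() {
    zfs mount -a
    pending=$(zfs get -H -o name,property,value encryption,mounted | unmounted_encrypted)
    if [ -n "$pending" ]; then
        echo "refusing to upgrade; encrypted file systems still unmounted:" >&2
        echo "$pending" >&2
        return 1
    fi
    zfs upgrade -a
}
```

On the sample, demo prints only pond/amy. If zfs mount -a cannot load a key (for example, a keysource file on removable media that is not present), safe_upgrade stops and lists the affected file systems instead of leaving them in the state that produces the pond/amy:<0x1> entries shown above.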

For more information about upgrading file systems, see Upgrading ZFS File Systems.

Interactions Between ZFS Compression, Deduplication, and Encryption Properties

Review the following considerations when using the ZFS compression, deduplication, and encryption properties:

Examples of Encrypting ZFS File Systems

Example 5-1 Encrypting a ZFS File System by Using a Raw Key

In the following example, an aes-256-ccm encryption key is generated by using the pktool command and is written to a file, /cindykey.file.

# pktool genkey keystore=file outkey=/cindykey.file keytype=aes keylen=256

Then, the /cindykey.file is specified when the tank/home/cindy file system is created.

# zfs create -o encryption=aes-256-ccm -o keysource=raw,file:///cindykey.file tank/home/cindy

Example 5-2 Encrypting a ZFS File System With a Different Encryption Algorithm

You can create a ZFS storage pool and have all the file systems in the storage pool inherit an encryption algorithm. In this example, the users pool is created and the users/home file system is created and encrypted by using a passphrase. The default encryption algorithm is aes-128-ccm.

Then, the users/home/mark file system is created and encrypted by using the aes-256-ccm encryption algorithm.

# zpool create -O encryption=on users mirror c0t1d0 c1t1d0 mirror c2t1d0 c3t1d0
Enter passphrase for 'users': xxxxxxxx
Enter again: xxxxxxxx
# zfs create users/home
# zfs get encryption users/home
NAME        PROPERTY    VALUE        SOURCE
users/home  encryption  on           inherited from users
# zfs create -o encryption=aes-256-ccm users/home/mark
# zfs get encryption users/home/mark
NAME               PROPERTY    VALUE        SOURCE
users/home/mark    encryption  aes-256-ccm  local

Example 5-3 Cloning an Encrypted ZFS File System

If the clone file system inherits the keysource property from the same file system as its origin snapshot, then a new keysource is not necessary, and you are not prompted for a new passphrase if keysource=passphrase,prompt. The same keysource is used for the clone. For example:

By default, you are not prompted for a key when cloning a descendent of an encrypted file system.

# zfs create -o encryption=on tank/ws
Enter passphrase for 'tank/ws': xxxxxxxx
Enter again: xxxxxxxx
# zfs create tank/ws/fs1
# zfs snapshot tank/ws/fs1@snap1
# zfs clone tank/ws/fs1@snap1 tank/ws/fs1clone

If you want to create a new key for the clone file system, use the zfs clone -K command.

If you clone an encrypted file system rather than a descendent encrypted file system, you are prompted to provide a new key. For example:

# zfs create -o encryption=on tank/ws
Enter passphrase for 'tank/ws': xxxxxxxx
Enter again: xxxxxxxx
# zfs snapshot tank/ws@1
# zfs clone tank/ws@1 tank/ws1clone
Enter passphrase for 'tank/ws1clone': xxxxxxxx
Enter again: xxxxxxxx

Example 5-4 Sending and Receiving an Encrypted ZFS File System

In the following example, the tank/home/darren@snap1 snapshot is created from the encrypted tank/home/darren file system. Then, the snapshot is sent to bpool/snaps, which has the encryption property enabled, so the received data is stored encrypted. However, the tank/home/darren@snap1 stream itself is not encrypted during the send process.

# zfs get encryption tank/home/darren
NAME              PROPERTY    VALUE        SOURCE
tank/home/darren  encryption  on           local
# zfs snapshot tank/home/darren@snap1
# zfs get encryption bpool/snaps
NAME         PROPERTY    VALUE        SOURCE
bpool/snaps  encryption  on           inherited from bpool
# zfs send tank/home/darren@snap1 | zfs receive bpool/snaps/darren1012
# zfs get encryption bpool/snaps/darren1012
NAME                    PROPERTY    VALUE        SOURCE
bpool/snaps/darren1012  encryption  on           inherited from bpool

In this case, a new key is automatically generated for the received encrypted file system.