This discussion is archived
1 Reply Latest reply: Sep 25, 2012 7:00 AM by DarrenMoffat

ZFS encryption without typing password explicitly

user9368043 Newbie
I have installed Solaris 11 and would like to encrypt my zpool. However, as the computer gets started and halted automatically, I cannot type the password manually when mounting the pool. Is there a way to achieve this (e.g. by allowing the zpool to decrypt automatically when the HD is connected to some fixed configuration of HW)?

Thanks in advance,
Dusan R.
  • 1. Re: ZFS encryption without typing password explicitly
    DarrenMoffat Explorer
    There are a few possible solutions to this.

    1) If all the encrypted datasets are below your home directory ZFS dataset, you can use the pam_zfs_key module to prompt you for the passphrase at login time.
    2) You can put the key material on an https-accessible URL on another machine by using a keysource property value such as:
    zfs create -o encryption=on -o keysource=raw,https://example.com/key or
    zfs create -o encryption=on -o keysource=passphrase,https://example.com/pass

    3) You can use the Oracle Key Manager appliance by using the pkcs11 URI syntax for the keysource and using pktool(1) genkey to create the wrapping key on the OKM.

    4) You can use the keysource property with raw,file:// to point to a file on some other media (e.g. a removable USB disk) that is mounted before the encrypted datasets.

    See the following documentation, blog and OTN entries for some examples:

    http://docs.oracle.com/cd/E23824_01/html/821-1448/gkkih.html#scrolltoc
    https://blogs.oracle.com/darren/entry/introducing_zfs_crypto_in_oracle
    https://blogs.oracle.com/darren/entry/user_user_home_directory_encryption
    http://www.oracle.com/technetwork/articles/servers-storage-admin/manage-zfs-encryption-1715034.html
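
Option 4 in the reply above only works unattended if the raw key file is present, has the right length, and is not accessible to other users before the encrypted datasets mount. The sh script below is an added example, not part of the original thread or of any Oracle tooling, that checks those conditions; the function names and key path are hypothetical, and the byte counts assume the raw key is as long as the AES key size, with encryption=on meaning aes-128-ccm as on Solaris 11.

```shell
#!/bin/sh
# Added example: pre-mount check for a raw ZFS wrapping-key file.
# Function names and paths are hypothetical.

# Raw key length in bytes for an "encryption" property value.
# Assumes encryption=on means aes-128-ccm (Solaris 11 default).
key_bytes_for() {
    case "$1" in
        on|aes-128-ccm|aes-128-gcm) echo 16 ;;
        aes-192-ccm|aes-192-gcm)    echo 24 ;;
        aes-256-ccm|aes-256-gcm)    echo 32 ;;
        *) return 1 ;;
    esac
}

# Return 0 only if the key file is safe to hand to keysource=raw,file://
check_raw_key() {
    keyfile=$1; enc=$2
    if ! want=$(key_bytes_for "$enc"); then
        echo "unknown encryption value: $enc" >&2; return 2
    fi
    if [ -L "$keyfile" ] || [ ! -f "$keyfile" ]; then
        echo "$keyfile: not a regular file (media not mounted?)" >&2; return 1
    fi
    have=$(wc -c < "$keyfile" | tr -d ' ')
    if [ "$have" -ne "$want" ]; then
        echo "$keyfile: $have bytes, $enc needs $want" >&2; return 1
    fi
    # Characters 5-10 of the ls mode string are the group/other bits.
    perms=$(ls -ld "$keyfile" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "$keyfile: accessible beyond owner ($perms)" >&2; return 1
    fi
    return 0
}

# Build the keysource value for an absolute key path.
keysource_for() {
    case "$1" in
        /*) echo "raw,file://$1" ;;
        *)  echo "key path must be absolute" >&2; return 1 ;;
    esac
}

# Usage: sh check_key.sh /path/to/keyfile aes-256-ccm
if [ "$#" -eq 2 ]; then
    check_raw_key "$1" "$2" && keysource_for "$1"
fi
```

Run it from whatever mounts the removable media, and only proceed to mount the encrypted datasets when it exits 0.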
