1 Reply Latest reply on Sep 25, 2012 2:00 PM by Darren Moffat-Oracle

    ZFS encryption without typing password explicitly

      I have installed Solaris 11 and would like to encrypt my zpool. However, as the computer gets started and halted automatically, I cannot type the password manually when mounting the pool. Is there a way to achieve this (e.g. by allowing the zpool to decrypt automatically when the HD is connected to some fixed configuration of HW)?

      Thanks in advance,
      Dusan R.
        • 1. Re: ZFS encryption without typing password explicitly
          Darren Moffat-Oracle
          There are a few possible solutions to this.

          1) If all the encrypted datasets are below your home directory ZFS dataset, you can use the pam_zfs_key module to prompt you for the passphrase at login time.
          2) You can put the key material on an HTTPS-accessible URL on another machine by using a keysource property value such as:
          zfs create -o encryption=on -o keysource=raw,https://example.com/key
          or
          zfs create -o encryption=on -o keysource=passphrase,https://example.com/pass

          3) You can use the Oracle Key Manager appliance by using the pkcs11 URI syntax for the keysource and using pktool(1) genkey to create the wrapping key on the OKM.

          4) You can use the keysource property with raw,file:// to point to a file on some other media (e.g. a removable USB disk) that is mounted before the encrypted datasets.

          See the following documentation, blog and OTN entries for some examples:
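
For option 4 in the reply above, an added example (not part of the original thread or of Oracle's documentation): a POSIX shell pre-flight check for a raw wrapping-key file before it is referenced through keysource=raw,file://. The function names are hypothetical, and the byte lengths assume the AES-128/192/256 values of the encryption property, with `on` meaning aes-128-ccm.

```shell
#!/bin/sh
# Added example: validate a raw wrapping-key file kept on separate media
# before pointing keysource=raw,file://... at it. Function names are hypothetical.

# expected_key_bytes ENCRYPTION -> prints the raw key length in bytes.
# Assumption: "on" selects aes-128-ccm.
expected_key_bytes() {
    case "$1" in
        on|aes-128-ccm|aes-128-gcm) echo 16 ;;
        aes-192-ccm|aes-192-gcm)    echo 24 ;;
        aes-256-ccm|aes-256-gcm)    echo 32 ;;
        *) return 1 ;;
    esac
}

# check_raw_key KEYFILE [ENCRYPTION]
# Prints the keysource value on success; returns non-zero with a reason otherwise.
check_raw_key() {
    keyfile=$1
    enc=${2:-on}
    want=$(expected_key_bytes "$enc") || {
        echo "unknown encryption value: $enc" >&2; return 2; }
    # file:// needs an absolute path.
    case "$keyfile" in
        /*) ;;
        *) echo "$keyfile: use an absolute path" >&2; return 1 ;;
    esac
    # Refuse symlinks and anything that is not a regular file.
    if [ -h "$keyfile" ] || [ ! -f "$keyfile" ]; then
        echo "$keyfile: not a regular file" >&2; return 1
    fi
    # A raw key must be exactly as long as the cipher's key length.
    have=$(wc -c < "$keyfile" | tr -d ' ')
    if [ "$have" -ne "$want" ]; then
        echo "$keyfile: $have bytes, $enc needs $want" >&2; return 1
    fi
    # The key is stored in the clear, so group and other must have no access.
    perms=$(ls -ld "$keyfile" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "$keyfile: readable beyond owner ($perms)" >&2; return 1
    fi
    echo "raw,file://$keyfile"
}
```

The printed value is what goes after `-o keysource=` in the zfs create command; the check does not replace physical control of the media holding the key.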