6 Replies Latest reply: Dec 6, 2012 6:22 AM by Darrenmoffat-Oracle

    How can i encrypt a zfs partition

    1502
      I need to encrypt a ZFS file system in Solaris 11,
      and the Solaris 11 disk. Any ideas?
      Solaris 11 is installed on a laptop.
        • 1. Re: How can i encrypt a zfs partition
          933584
          It's pretty simple: zfs create -o encryption=on tank/whatever

          Here is the documentation on it.
          http://www.oracle.com/technetwork/articles/servers-storage-admin/manage-zfs-encryption-1715034.html
          • 2. Re: How can i encrypt a zfs partition
            Cindys-Oracle
            Keep in mind that you encrypt file systems and not disks. However, you can basically
            encrypt all data on a disk by creating an encrypted top-level file system, like this:

            1. Create the pool:

            # zpool create tank mirror c0t5000C500335F4C7Fd0 c0t5000C500335FC6F3d0

            2. Create the encrypted top-level file system.
            # zfs create -o encryption=on tank/home
            Enter passphrase for 'tank/home': xxxxxxx
            Enter again: xxxxxxx

            3. Create descendent file systems.

            # zfs get encryption tank/home/amy
            NAME           PROPERTY    VALUE  SOURCE
            tank/home/amy  encryption  on     inherited from tank/home

            You can also change the encryption methods for specific file systems.

            See this doc as well:

            http://docs.oracle.com/cd/E26502_01/html/E29007/gkkih.html#scrolltoc

            Thanks, Cindy
            • 3. Re: How can i encrypt a zfs partition
              1502
              Thank You
              • 4. Re: How can i encrypt a zfs partition
                1502
                I have more questions.
                • 5. Re: How can i encrypt a zfs partition
                  1502
                  Can I encrypt only home directories, without encrypting ZFS partitions?
                  • 6. Re: How can i encrypt a zfs partition
                    Darrenmoffat-Oracle
                    Yes, just enable the encryption property on the home directory datasets and not any others.

                    Since what you want to protect is a user's home directory, you probably also want to use the pam_zfs_key module so that when you log in it will automatically mount up the encrypted dataset using the same (or different) passphrase as your login password.

                    See the examples in the pam_zfs_key(5) man page for how to configure it.

                    Edited by: rukbat on Dec 6, 2012 7:18 AM
                    Moderator Action:
                    I edited the URL to the man page link, for better readability.
                    (If you wish to see how it's done, go "edit" your own reply and examine the text. Then exit the edit session to leave it be.)
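
Added example, not part of any reply in this thread: a check that every dataset below a home parent really has the `encryption` property enabled, which is the condition replies 2 and 6 rely on. It assumes the tab-separated output of `zfs get -H -r -o name,value,source encryption <parent>`; the dataset names, the sample data and the function names are constructed for illustration.

```shell
#!/bin/sh
# Audit the encryption property of every dataset below a parent dataset.

# Constructed sample of:
#   zfs get -H -r -o name,value,source encryption tank/home
# Fields are tab-separated: name, value, source. Dataset names are hypothetical.
sample_zfs_get() {
    printf 'tank/home\toff\tdefault\n'
    printf 'tank/home/amy\ton\tlocal\n'
    printf 'tank/home/amy/docs\ton\tinherited from tank/home/amy\n'
    printf 'tank/home/bob\toff\tdefault\n'
    printf 'tank/home/carol\taes-256-ccm\tlocal\n'
}

# audit_homes PARENT
# Reads zfs get output on stdin. For each dataset below PARENT prints
#   ok<TAB>name<TAB>cipher<TAB>source     when encryption is enabled
#   UNENCRYPTED<TAB>name                  when the value is "off"
# Returns 1 if any dataset below PARENT is unencrypted, 0 otherwise.
audit_homes() {
    awk -F '\t' -v p="$1/" '
        index($1, p) != 1 { next }   # skip the parent itself and unrelated datasets
        $2 == "off"       { print "UNENCRYPTED\t" $1; bad++; next }
                          { print "ok\t" $1 "\t" $2 "\t" $3 }
        END               { exit (bad > 0) }
    '
}

# Demo on the constructed sample. On a live system, pipe the real command instead:
#   zfs get -H -r -o name,value,source encryption tank/home | audit_homes tank/home
sample_zfs_get | audit_homes tank/home || echo "unencrypted home datasets found"
```

A dataset reported as UNENCRYPTED cannot be fixed in place, because `encryption` can only be set when the dataset is created; create a new encrypted dataset and move the data into it.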