This discussion is archived
6 Replies Latest reply: Dec 6, 2012 4:22 AM by DarrenMoffat RSS

How can i encrypt a zfs partition

1502 Newbie
Currently Being Moderated
I have the need to encrypt a zfs file system in solaris 11.
and solaris 11 disk. any ideas?
Solaris 11 is installed in a laptop.
  • 1. Re: How can i encrypt a zfs partition
    933584 Newbie
    Currently Being Moderated
    Its pretty simple, zfs create -o encryption=on tank/whatever

    Here is the documentation on it.
    http://www.oracle.com/technetwork/articles/servers-storage-admin/manage-zfs-encryption-1715034.html
  • 2. Re: How can i encrypt a zfs partition
    cindys Pro
    Currently Being Moderated
    Keep in mind that you encrypt file systems and not disks. However, you can basically
    encrypt all data on a disk by creating an encrypted top-level file system, like this:

    1. Create the pool:

    # zpool create tank mirror c0t5000C500335F4C7Fd0 c0t5000C500335FC6F3d0

    2. Create the encrypted top-level file system.
    # zfs create -o encryption=on tank/home
    Enter passphrase for 'tank/home': xxxxxxx
    Enter again: xxxxxxx

    3. Create descendent file systems.

    # zfs get encryption tank/home/amy
    NAME PROPERTY VALUE SOURCE
    tank/home/amy encryption on inherited from tank/home

    You can also change the encryption methods for specific file systems.

    See this doc as well:

    http://docs.oracle.com/cd/E26502_01/html/E29007/gkkih.html#scrolltoc

    Thanks, Cindy
  • 3. Re: How can i encrypt a zfs partition
    1502 Newbie
    Currently Being Moderated
    Thank You
  • 4. Re: How can i encrypt a zfs partition
    1502 Newbie
    Currently Being Moderated
    have more questions
  • 5. Re: How can i encrypt a zfs partition
    1502 Newbie
    Currently Being Moderated
    Can i encrypt a only home directories ? without encrypting zfs partitions?
  • 6. Re: How can i encrypt a zfs partition
    DarrenMoffat Explorer
    Currently Being Moderated
    Yes, just enable the encryption property on the home directory datasets and not any others.

    Since what you want to protect is a users home directory you probably also want to use the pam_zfs_key module so that when you login it will automatically mount up the encrypted dataset using the same (or different) passphrase as your login password.

    See the examples in the pam_zfs_key(5) man page for how to configure it.

    Edited by: rukbat on Dec 6, 2012 7:18 AM
    Moderator Action:
    I edited the URL to the man page link, for better readability.
    (If you wish yo see how it's done, go "edit" your own reply and examine the text. Then exit the edit session to leave it be.)

Legend

  • Correct Answers - 10 points
  • Helpful Answers - 5 points