Editing Encryption

Jump to: navigation, search

Warning: You are not logged in.

Your IP address will be recorded in this page's edit history.
The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then save the changes below to finish undoing the edit.
Latest revision Your text
Line 8: Line 8:
 
<code># zpool set feature@encryption=enabled [pool]</code>
 
<code># zpool set feature@encryption=enabled [pool]</code>
  
On an zpool that supports encryption, an encrypted zfs dataset may be created as follows:
+
On an zpool that supports encryption, a encrypted zfs dataset may be created as follows:
  
 
<code># zfs create -o encryption=on -o keylocation=prompt -o keyformat=passphrase [dataset]</code>
 
<code># zfs create -o encryption=on -o keylocation=prompt -o keyformat=passphrase [dataset]</code>
Line 18: Line 18:
 
<code># zfs mount -l [dataset]</code>
 
<code># zfs mount -l [dataset]</code>
  
This will prompt for the encryption passphrase for this zfs dataset and mount the encrypted dataset; it will not mount any child datasets of the encrypted dataset, but they will be accessible as subdirectories of the encrypted dataset.  If the encryption passphrase is stored in the Keychain as a generic password under the name of the dataset, security(1) may be used to retrieve the passphrase as follows:
+
This will prompt for the encryption passphrase for this zfs dataset.  If the encryption passphrase is stored in the Keychain as a generic password under the name of the dataset, security(1) may be used to retrieve the passphrase as follows:
  
 
<code># security find-generic-password -a [dataset] -w | zfs mount -l [dataset]</code>
 
<code># security find-generic-password -a [dataset] -w | zfs mount -l [dataset]</code>
 
One common use case for an encrypted volume is a portable backup drive.  Typically the user will create snapshots on the source drive in the computer, and then transmit them to the portable drive using zfs send and receive.  In this scenario it is helpful if the destination dataset on the portable drive is read only, since then there is no need to roll back the destination dataset on the fly to the last valid snapshot.  To make this work with encryption, place the destination dataset as a child dataset of the encrypted dataset in the zpool of the portable drive; because it is a child of the encrypted dataset it, too, will be encrypted.  More importantly, it can be made read-only, whereas it appears that the encrypted parent dataset cannot be read-only (probably so that the key can be stored locally in the parent dataset).
 
  
 
Additional helpful information about zfs encryption can be found in the [https://blog.heckel.xyz/2017/01/08/zfs-encryption-openzfs-zfs-on-linux/ How-To: Using ZFS Encryption at Rest in OpenZFS (ZFS on Linux, ZFS on FreeBSD, …)].
 
Additional helpful information about zfs encryption can be found in the [https://blog.heckel.xyz/2017/01/08/zfs-encryption-openzfs-zfs-on-linux/ How-To: Using ZFS Encryption at Rest in OpenZFS (ZFS on Linux, ZFS on FreeBSD, …)].

Please note that all contributions to OpenZFS on OS X may be edited, altered, or removed by other contributors. If you do not want your writing to be edited mercilessly, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource (see OpenZFS on OS X:Copyrights for details). Do not submit copyrighted work without permission!

Cancel | Editing help (opens in new window)