Ok, now we're finally ready to create an encrypted dataset. For the encryption key you have several options. From the man page:
keyformat=raw | hex | passphrase
    Controls what format the user's encryption key will be provided as. This property is only set when the dataset is encrypted. Raw keys and hex keys must be 32 bytes long (regardless of the chosen encryption suite) and must be randomly generated. Passphrases must be between 8 and 64 bytes long and will be processed through PBKDF2 before being used (see the pbkdf2iters property). Even though the encryption suite cannot be changed after dataset creation, the keyformat can be with zfs change-key.
For this example we'll use a random key file that is exactly 32 bytes long:
$ dd if=/dev/urandom of=zfs.key.raw bs=1 count=32
32+0 records in
32+0 records out
32 bytes copied, 0.000479432 s, 66.7 kB/s
$ hexdump -C zfs.key.raw
00000000  44 88 d2 a7 fd 44 5a 09  f6 5b bc 5b 67 b4 43 52  |D....DZ..[.[g.CR|
00000010  85 a5 c7 59 20 fc 34 bc  49 2b d9 65 8c e4 d9 5b  |...Y .4.I+.e...[|
00000020
Now that we have the key, we can create our shiny new encrypted dataset, pointing keylocation at the key file:
$ sudo zfs create \
    -o compression=on \
    -o encryption=on \
    -o keyformat=raw \
    -o keylocation=file:///home/vagrant/zfs.key.raw \
    zfs_test/bbb
$ sudo zfs list
NAME           USED  AVAIL  REFER  MOUNTPOINT
zfs_test      50.4M   310M    25K  /zfs_test
zfs_test/aaa  48.9M   310M  48.9M  /zfs_test/aaa
zfs_test/bbb  1.33M   310M  1.33M  /zfs_test/bbb
$ sudo zfs get encryption zfs_test/aaa
NAME          PROPERTY    VALUE  SOURCE
zfs_test/aaa  encryption  off    default
$ sudo zfs get encryption zfs_test/bbb
NAME          PROPERTY    VALUE        SOURCE
zfs_test/bbb  encryption  aes-256-ccm  -
$ sudo chown -R vagrant: /zfs_test/bbb
$ cd /zfs_test/bbb && git clone ...
$ sudo zfs list
NAME           USED  AVAIL  REFER  MOUNTPOINT
zfs_test      94.6M   265M    25K  /zfs_test
zfs_test/aaa  48.9M   265M  48.9M  /zfs_test/aaa
zfs_test/bbb  45.5M   265M  45.5M  /zfs_test/bbb
We can now unmount zfs_test/bbb, unload its key and try to mount it again without the key, which should not be possible:
$ sudo zfs unmount zfs_test/bbb
$ sudo zfs unload-key zfs_test/bbb
$ sudo zfs mount zfs_test/bbb
cannot mount '/zfs_test/bbb': encryption key not loaded
There are two ways to solve this: pass the -l argument to zfs mount, or load the key beforehand. With -l, you can keep the key in a secure place (for instance on a USB drive that is only plugged in while booting); zfs mount will read the keylocation property that was specified when the dataset was created, fetch the key from there and load it before mounting. If the keyformat is passphrase, it will prompt for the passphrase at this point. The other solution is to run zfs load-key on the dataset first and then mount the volume as usual. Either way, the key has to be loaded into the kernel before the filesystem can be accessed.
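The whole procedure from the post (generate a raw key, create the dataset, lock it by unloading the key, unlock it again either way) as one added shell script; this is example code written for this page, not from the original post. It adds a check that the key file satisfies the man page's requirements for keyformat=raw (exactly 32 bytes, randomly generated) and is not readable by other users, and it verifies the lock/unlock state through the dataset's keystatus property. The key path and dataset name are assumptions taken from the post's own example; the zfs steps only run when invoked with "run" on a host that has zfs.

```shell
#!/bin/sh
# Added example (not part of the original post). Assumed values below can be
# overridden through the environment.
KEYFILE="${KEYFILE:-${HOME:-/tmp}/zfs.key.raw}"   # assumed key path
DATASET="${DATASET:-zfs_test/bbb}"                 # assumed dataset name

# Generate a 32-byte raw key from the kernel CSPRNG. The restrictive umask
# guarantees the file is never created world-readable, even briefly.
make_raw_key() {
    key="$1"
    (umask 077 && head -c 32 /dev/urandom > "$key")
}

# Return 0 only if the file is usable as a keyformat=raw key: it exists, is
# exactly 32 bytes (required regardless of the encryption suite) and is
# readable by its owner alone.
check_raw_key() {
    key="$1"
    [ -f "$key" ] || { echo "no such key file: $key" >&2; return 1; }
    size=$(wc -c < "$key" | tr -d ' ')
    [ "$size" -eq 32 ] || { echo "key must be 32 bytes, got $size" >&2; return 1; }
    # Columns 5-10 of ls -l are the group and other permission bits.
    perm=$(ls -l "$key" | cut -c5-10)
    [ "$perm" = "------" ] || { echo "key file is readable by group/others ($perm)" >&2; return 1; }
    return 0
}

# Create the encrypted dataset exactly as the post does, with the raw key
# fetched from KEYFILE through the keylocation property.
create_encrypted() {
    sudo zfs create \
        -o compression=on \
        -o encryption=on \
        -o keyformat=raw \
        -o keylocation="file://$KEYFILE" \
        "$DATASET"
}

# Lock: unmount, then drop the key from the kernel.
lock_dataset() {
    sudo zfs unmount "$DATASET" && sudo zfs unload-key "$DATASET"
}

# Unlock, way 1: let zfs mount -l read the key from keylocation itself.
unlock_with_mount_l() {
    sudo zfs mount -l "$DATASET"
}

# Unlock, way 2: load the key explicitly, then mount as usual.
unlock_with_load_key() {
    sudo zfs load-key "$DATASET" && sudo zfs mount "$DATASET"
}

# The keystatus property reports "available" while the key is loaded and
# "unavailable" after unload-key, which is a better check than trying to mount.
key_status() {
    zfs get -H -o value keystatus "$DATASET"
}

# Full flow, only when explicitly asked for and zfs is installed.
if [ "${1:-}" = "run" ] && command -v zfs >/dev/null 2>&1; then
    make_raw_key "$KEYFILE"
    check_raw_key "$KEYFILE" || exit 1
    create_encrypted
    lock_dataset
    echo "after unload-key: $(key_status)"     # expect: unavailable
    unlock_with_mount_l
    echo "after mount -l:   $(key_status)"     # expect: available
    lock_dataset
    unlock_with_load_key
    echo "after load-key:   $(key_status)"     # expect: available
fi
```

Run it as `sh script.sh run` on a machine with ZFS; without the argument it only defines the helpers, so the key check can be reused from other scripts. The permission check matters because keylocation=file:// hands the key to whoever can read that path, so a 0644 key file makes the encryption pointless for anyone with a local account.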