The last time Hackerfall tried to access this page, it returned a not found error. A cached version of the page is below, or click here to continue anyway

Playing With ZFS (on Linux) Encryption - This is my space

Ok, now we're ready to finally create an encrypted dataset. For the encryption key, you have different options. From the man-page:

keyformat=raw | hex | passphrase

	Controls what format the user's encryption key will be provided as. This property is only set when the dataset is encrypted.

	Raw keys and hex keys must be 32 bytes long (regardless of the chosen encryption suite) and must be randomly generated. Passphrases must be between 8 and  64  bytes
	long  and  will  be processed through PBKDF2 before being used (see the pbkdf2iters property). Even though the encryption suite cannot be changed after dataset cre
	ation, the keyformat can be with zfs change-key.

For this example, we'll use a random file of 32 bytes long:

$ dd if=/dev/urandom of=zfs.key.raw bs=1 count=32
32+0 records in
32+0 records out
32 bytes copied, 0.000479432 s, 66.7 kB/s
$ hexdump -C zfs.key.raw 
00000000  44 88 d2 a7 fd 44 5a 09  f6 5b bc 5b 67 b4 43 52  |D....DZ..[.[g.CR|
00000010  85 a5 c7 59 20 fc 34 bc  49 2b d9 65 8c e4 d9 5b  |...Y .4.I+.e...[|

Now that we have the key, we can create our new shiny encrypted dataset.

$ sudo zfs create \
      -o compression=on \
      -o encryption=on \
      -o keyformat=raw \
      -o keylocation=file:///home/vagrant/zfs.key.raw \
$ sudo zfs list
zfs_test      50.4M   310M    25K  /zfs_test
zfs_test/aaa  48.9M   310M  48.9M  /zfs_test/aaa
zfs_test/bbb  1.33M   310M  1.33M  /zfs_test/bbb
$ sudo zfs get encryption zfs_test/aaa
zfs_test/aaa  encryption  off          default
$ sudo zfs get encryption zfs_test/bbb
zfs_test/bbb  encryption  aes-256-ccm  -
$ sudo chown -R vagrant: /zfs_test/bbb
$ cd /zfs_test/bbb && git clone ...
$ sudo zfs list
zfs_test      94.6M   265M    25K  /zfs_test
zfs_test/aaa  48.9M   265M  48.9M  /zfs_test/aaa
zfs_test/bbb  45.5M   265M  45.5M  /zfs_test/bbb

We can now unmount zfs_test/bbb and try to mount it again without a key, it should not be possible:

$ sudo zfs unmount zfs_test/bbb
$ sudo zfs unload-key zfs_test/bbb
$ sudo zfs mount zfs_test/bbb
cannot mount '/zfs_test/bbb': encryption key not loaded

Two ways to solve this: pass the -l argument to mount or load the key beforehand. By passing the -l argument, you can keep the key in a secure space (for instance, in a usb drive while booting) and it will use the property keylocation that was specified when creating the dataset to find the key and load it. If the key type is passphrase, it will prompt for the key at this point. The other solution is to use the zfs load-key command to load the key and then attempt to mount the volume. The key needs to be loaded if you want to access the filesystem.

Continue reading on