Darren J Moffat
2010-Nov-15 16:41 UTC
ZFS Crypto now available in Oracle Solaris 11 Express
Today Oracle Solaris 11 Express was released and is available for download[1], this release includes on disk encryption support for ZFS.

Using ZFS encryption support can be as easy as this:

# zfs create -o encryption=on tank/darren
Enter passphrase for 'tank/darren':
Enter again:
#

Continued at:

http://blogs.sun.com/darren/entry/introducing_zfs_crypto_in_oracle
http://blogs.sun.com/darren/entry/assued_delete_with_zfs_dataset
http://blogs.sun.com/darren/entry/compress_encrypt_checksum_deduplicate_with

[1] http://www.oracle.com/technetwork/server-storage/solaris11/downloads/index.html

--
Darren J Moffat
Troels Nørgaard Nielsen
2010-Nov-18 12:49 UTC
ZFS Crypto now available in Oracle Solaris 11 Express
Great work! Lovely to finally see it integrated :)

Could you possibly give your recommendation for moving existing filesystems to encrypted?
Reading from the zfs man page, it seems zfs recv can not set encryption=on.

So I tried to create the recv filesystem with encryption first and then use zfs recv -F to override.
But then ran into this one:

tnn@sol11:~# zfs upgrade -a
33 filesystems upgraded
2 filesystems already at this version
tnn@sol11:~# zfs send rpool/export/home/tnn@pre-encryption | zfs recv -F rpool/export/home/tnn2
cannot receive new filesystem stream: pool must be upgraded to receive this stream.
tnn@sol11:~# zpool upgrade rpool
This system is currently running ZFS pool version 31.

I would prefer not to use rsync.

Best regards
Troels Nørgaard
Darren J Moffat
2010-Nov-18 13:59 UTC
ZFS Crypto now available in Oracle Solaris 11 Express
On 18/11/2010 12:49, Troels Nørgaard Nielsen wrote:
> Could you possible give your recommendation for moving existing filesystems to encrypted?
> Reading from the zfs man page, it seems zfs recv can not set encryption=on.
>
> So I tried to create the recv filesystem with encryption first and then use zfs recv -F to override.
> But then ran into this one:
>
> tnn@sol11:~# zfs upgrade -a
> 33 filesystems upgraded
> 2 filesystems already at this version
> tnn@sol11:~# zfs send rpool/export/home/tnn@pre-encryption | zfs recv -F rpool/export/home/tnn2
> cannot receive new filesystem stream: pool must be upgraded to receive this stream.
> tnn@sol11:~# zpool upgrade rpool
> This system is currently running ZFS pool version 31.

The error message is incorrect; it should be saying that the operation isn't supported.

Due to the way that ZPL metadata (filenames, ACLs, etc) are put on disk, migrating an encryption=off stream into an encryption=on dataset is difficult (but not impossible); it is particularly difficult if there are large ACLs already present. So for the present time that migration is disabled to ensure that we don't accidentally write some of the ZPL metadata to disk in the clear when it should be encrypted.

The restriction does not exist for ZVOLs, only filesystems.

If you don't want to use rsync then maybe cpio? There is no method of doing it with zfs send|recv at this time.

--
Darren J Moffat