Solaris: ZFS encryption with deduplication and compression


In the wake of the current TrueCrypt FUD, it seems not too widely known that ZFS has been able to encrypt your data for quite some while.

And it also works along with compression and deduplication.

However, this applies only to ZFS zpool version 30 onwards (introduced with Solaris 11), while ZFS on Linux currently still runs on zpool version 28, so it is not available there.

To read in a bit more detail how it works, here are a few interesting posts:

How to Manage ZFS Data Encryption
Introducing ZFS Crypto in Oracle Solaris 11 Express
Having my secured cake and Cloning it too (aka Encryption + Dedup with ZFS)

The encryption options are:
aes-128-ccm (default)
aes-192-ccm
aes-256-ccm

aes-128-gcm
aes-192-gcm
aes-256-gcm

Only CCM supports encryption along with compression and deduplication, so I ditch GCM and go for (putting my weak, half-torn tinfoil hat on) aes-256-ccm.

I'll create a new filesystem within the existing pool.

zfs create -o compression=on -o encryption=aes-256-ccm -o dedup=on zpool/encrypted

In this example I will provide a passphrase, which I will have to store myself and provide when mounting the ZFS filesystem.

There is a way to handle the encryption keys, which is described in How to Manage ZFS Data Encryption.
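A pre-flight check for the two constraints given above (zpool version 30 or later, and a CCM cipher when dedup is on), as an added example that is not part of the original post. The function names `valid_cipher`, `check_plan`, `create_cmd` and `preflight` are hypothetical, and the dedup rule is encoded as this post states it.

```shell
#!/bin/sh
# Added example, not from the original post. Encodes the post's two
# constraints (as read here): zpool version >= 30, CCM cipher when dedup=on.

# valid_cipher CIPHER: succeeds for the six encryption values the post lists.
valid_cipher() {
    case "$1" in
        aes-128-ccm|aes-192-ccm|aes-256-ccm) return 0 ;;
        aes-128-gcm|aes-192-gcm|aes-256-gcm) return 0 ;;
        *) return 1 ;;
    esac
}

# check_plan POOL_VERSION CIPHER DEDUP
# Prints "ok" (status 0) or a reason with a distinct non-zero status.
check_plan() {
    version=$1; cipher=$2; dedup=$3
    case "$version" in
        ''|*[!0-9]*) echo "pool version '$version' is not a number"; return 2 ;;
    esac
    if [ "$version" -lt 30 ]; then
        echo "pool version $version is below 30: no ZFS encryption"; return 3
    fi
    if ! valid_cipher "$cipher"; then
        echo "unknown encryption value '$cipher'"; return 4
    fi
    case "$dedup:$cipher" in
        on:*-gcm) echo "dedup=on requires a CCM cipher, got $cipher"; return 5 ;;
    esac
    echo "ok"
}

# create_cmd DATASET CIPHER DEDUP: prints the post's zfs create line.
create_cmd() {
    echo "zfs create -o compression=on -o encryption=$2 -o dedup=$3 $1"
}

# preflight POOL DATASET CIPHER DEDUP: reads the live pool version with
# `zpool get version`, checks the plan, and prints the command to run.
preflight() {
    pool_version=$(zpool get version "$1" | awk 'NR==2 {print $3}')
    check_plan "$pool_version" "$3" "$4" >&2 || return $?
    create_cmd "$2" "$3" "$4"
}
```

On a Solaris host, `preflight zpool zpool/encrypted aes-256-ccm on` prints the create command only when both checks pass.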
