A quick-start guide to OpenZFS native encryption - Ars Technica

One of the many features OpenZFS brings to the table is ZFS native encryption.

First introduced in OpenZFS 0.8, native encryption allows a system administrator to transparently encrypt data at-rest within ZFS itself.

There's more to OpenZFS native encryption than the algorithms used, though—so we'll try to give you a brief but solid grounding in the sysadmin's-eye perspective on the "why" and "what" as well as the simple "how."

A clever sysadmin who wants to provide at-rest encryption doesn't actually need OpenZFS native encryption, obviously.

Unfortunately, encryption-atop-ZFS introduces a new problem—it effectively nerfs OpenZFS inline compression, since encrypted data is generally incompressible.

OpenZFS native encryption splits the difference: it operates atop the normal ZFS storage layers and therefore doesn't nerf ZFS' own integrity guarantees.

OpenZFS native encryption isn't a full-disk encryption scheme—it's enabled or disabled on a per-dataset / per-zvol basis, and it cannot be turned on for entire pools as a whole.

The contents of encrypted datasets or zvols are protected from at-rest spying—but the metadata describing the datasets/zvols themselves is not.

Let's say we create an encrypted dataset named pool/encrypted, and beneath it we create several more child datasets.

It's worth noting that trying to ls an encrypted dataset which doesn't have its key loaded won't necessarily produce an error.

Now that we've both loaded the necessary key and mounted the datasets, we can see our encrypted data again.
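As an added example (not code from the Ars Technica article), here is a small POSIX shell helper that reads the kind of listing `zfs list -H -o name,encryption,encryptionroot,keystatus,mounted` produces, reports which encrypted datasets currently have no key loaded (and therefore list as empty rather than failing), and which encryption roots need `zfs load-key` before `zfs mount -a`. The sample listing is constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example: find encrypted datasets whose key is not loaded, and the
# encryption roots that must be unlocked with `zfs load-key` before they can
# be mounted. Not code from the article.

# Live input: one tab-separated row per dataset under the given pool/dataset.
live_listing() {
    zfs list -H -o name,encryption,encryptionroot,keystatus,mounted -r "$1"
}

# Constructed sample of that output, mirroring the article's pool/encrypted
# layout after `zfs unload-key` (keystatus=unavailable, mounted=no).
sample_listing() {
    printf '%s\t%s\t%s\t%s\t%s\n' \
        pool                  off         -              none        yes \
        pool/encrypted        aes-256-gcm pool/encrypted unavailable no  \
        pool/encrypted/child1 aes-256-gcm pool/encrypted unavailable no  \
        pool/plain            off         -              none        yes
}

# Datasets that are encrypted but currently have no key loaded. Their
# mountpoints are plain empty directories, which is why `ls` shows nothing
# rather than an error. Usage: locked_datasets sample_listing
#                          or: locked_datasets live_listing pool
locked_datasets() {
    "$@" | awk -F'\t' '$2 != "off" && $4 == "unavailable" { print $1 }'
}

# Keys belong to the encryption root; children that inherit it are unlocked
# with it, so only the distinct roots need `zfs load-key`.
roots_to_unlock() {
    "$@" | awk -F'\t' '$2 != "off" && $4 == "unavailable" && !seen[$3]++ { print $3 }'
}

# Interactive use on a real system: prompt for each root's key (for
# keyformat=passphrase), then mount whatever stayed unmounted while the
# keys were unavailable.
unlock_and_mount() {
    for root in $(roots_to_unlock live_listing "$1"); do
        zfs load-key "$root"
    done
    zfs mount -a
}
```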
