Changing ZFS key encryption to passphrase

neofusion

Contributor
Joined
Apr 2, 2022
Messages
159
Oh I see, appreciate your reply.

Maybe one more question...
In case I passphrase-protect the main pool, and then create a dataset inside of it with no encryption... what's the point of such a setup?

Until you unlock the main pool, you still won't be able to use any dataset (whether encrypted or not) inside of it?

Thanks
You're correct, there's no point in such a setup. The "unencrypted" dataset would still be inaccessible behind the encrypted pool until you unlocked it.

I glossed over that when I wrote "no, passphrase or key-based encryption". Obviously, if the pool is key encrypted and you have a dataset in the pool that you have chosen to not encrypt, you would still not be able to access the unencrypted dataset if you happened to lose your key.

Edit: In fact, I just noticed you do not appear to be able to set a dataset to have no encryption at all, if the pool is encrypted.
 

eewiz

Explorer
Joined
Oct 14, 2021
Messages
50
It's been a while since the last post to this thread but I do have some answers.
First, the system dataset cannot be passphrase encrypted.
If the system knew the passphrase then the passphrase would have to be stored on the hard drive.
If you want a passphrase-encrypted system so the system is protected against physical loss, here is an example:

[Attached image: Pools.jpg]


Create an ordinary empty pool.
Create another data set in the empty pool.
In this example it's eds for encrypted data set.
When creating this data set, select that it should be passphrase encrypted.
The eds data set contains most other data sets.
All of the children of eds are configured to inherit eds's properties including passphrase encryption.
Enter the passphrase once to decrypt eds and all of its children are decrypted automatically.
The iocage, syslog and vm data sets are outside of eds (i.e. not encrypted).
The iocage could be inside of eds because all jails are configured to start manually.
Mainly because a jail's host program needs data from eds so there is no use to automatically start a jail.
In general, start the machine, decrypt eds, start the jails.
Syslog can't be encrypted so it sits beside eds in the unencrypted pool.
The pool lock symbol means that the pool cannot be locked; it holds the system data set.
The eds lock symbol means that it can be locked and is currently in an unlocked state.
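An added example, not eewiz's own code or anything shipped with TrueNAS, that models the layout described in this post in Python: a plain pool, a passphrase-encrypted eds dataset whose children inherit its key, and unencrypted datasets beside it. Pool and dataset names (tank, tank/eds/media, tank/eds/home) are made up; the rules it encodes are the OpenZFS ones (encryptionroot inheritance, no unencrypted child under an encrypted parent, load-key/unload-key acting on a whole encryption root).

```python
# Added example, not from the thread; names are made up. Models OpenZFS encryption inheritance.

class DatasetTree:
    """Per-dataset encryption state under the OpenZFS rules: a child inherits
    its parent's encryption root unless given its own key, an encrypted parent
    cannot have an unencrypted child, and load-key on a root unlocks all heirs."""
    def __init__(self):
        self.ds = {}

    def create(self, name, encrypted=None, passphrase=False):
        parent = self.ds.get(name.rsplit("/", 1)[0]) if "/" in name else None
        if parent and parent["encrypted"] and encrypted is False:
            raise ValueError(f"{name}: cannot be unencrypted under an encrypted parent")
        if parent and parent["keystatus"] == "unavailable":
            raise ValueError(f"{name}: parent key must be loaded first")
        if passphrase:
            # Own key: a new encryption root; zfs create leaves its key loaded.
            self.ds[name] = {"encrypted": True, "encryptionroot": name,
                             "keyformat": "passphrase", "keystatus": "available"}
        elif parent and parent["encrypted"]:
            # Inherits the parent's key, so it shares the parent's lock state.
            self.ds[name] = {"encrypted": True, "encryptionroot": parent["encryptionroot"],
                             "keyformat": parent["keyformat"], "keystatus": "available"}
        else:
            self.ds[name] = {"encrypted": False, "encryptionroot": None,
                             "keyformat": None, "keystatus": "none"}

    def set_key_status(self, root, status):
        """Like `zfs load-key` / `zfs unload-key`: only valid on an encryption root."""
        if self.ds[root]["encryptionroot"] != root:
            raise ValueError(f"{root}: not an encryption root")
        for d in self.ds.values():
            if d["encryptionroot"] == root:
                d["keystatus"] = status

    def usable(self, name):
        return not self.ds[name]["encrypted"] or self.ds[name]["keystatus"] == "available"

    def can_hold_system_dataset(self, name):
        # Nobody can type a passphrase at boot, so no passphrase may be required.
        return self.ds[name]["keyformat"] != "passphrase"

def example_layout():
    """The post's layout: plain pool, passphrase eds with inheriting children."""
    t = DatasetTree()
    t.create("tank")
    t.create("tank/eds", passphrase=True)
    for child in ("tank/eds/media", "tank/eds/home", "tank/syslog", "tank/iocage", "tank/vm"):
        t.create(child)
    return t
```

Locking eds (`set_key_status("tank/eds", "unavailable")`, the model's unload-key) takes every inheriting child with it while tank/syslog stays usable, which is the behaviour the post relies on.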