Openzfs encryption

4/25/2023

On a zpool that supports encryption (the pool's encryption feature must be enabled), an encrypted zfs dataset may be created as follows; the dataset name is a placeholder:

# zfs create -o encryption=on -o keylocation=prompt -o keyformat=passphrase <pool>/<dataset>

This will prompt for the encryption passphrase for this zfs dataset. Other options for the location of the encryption key and its format can be found in the zfs(1M) manpage (zfs(8) on current OpenZFS).

An encrypted zfs dataset may be mounted as follows:

# zfs mount -l <pool>/<dataset>

This will prompt for the encryption passphrase for this zfs dataset and mount the encrypted dataset. It will not mount any child datasets of the encrypted dataset; once those are mounted (now that the key is loaded, for example with zfs mount -a), they appear as subdirectories of the encrypted dataset's mountpoint.

If the encryption passphrase is stored in the Keychain as a generic password under the name of the dataset, security(1) may be used to retrieve the passphrase and hand it to zfs on standard input, so that it never appears on a command line:

# security find-generic-password -a <pool>/<dataset> -w | zfs mount -l <pool>/<dataset>

One common use case for an encrypted volume is a portable backup drive. Typically the user will create snapshots on the source drive in the computer, and then transmit them to the portable drive using zfs send and receive. In this scenario it is helpful if the destination dataset on the portable drive is read-only, since then there is no need to roll back the destination dataset on the fly to the last valid snapshot. To make this work with encryption, place the destination dataset as a child of the encrypted dataset in the zpool of the portable drive; because it is a child of the encrypted dataset it, too, will be encrypted. More importantly, it can be made read-only, whereas it appears that the encrypted parent dataset cannot be read-only (probably so that the key can be stored locally in the parent dataset).

Additional helpful information about zfs encryption can be found in the How-To: Using ZFS Encryption at Rest in OpenZFS (ZFS on Linux, ZFS on FreeBSD, …).

Dataset-level encryption is a comparatively recent addition to OpenZFS; for a long time the upstream project listed platform-agnostic encryption at the ZFS dataset level only as a possible future enhancement. OS X, however, has long offered a feature called FileVault 2, which provides built-in support for XTS-AES 128 encryption at the block level as part of Core Storage volume management. This is the OS X analogue of the block-level encryption systems on other operating systems that support ZFS, such as LUKS (dm-crypt) on Linux and GELI on FreeBSD.

The overall procedure is as follows: convert an empty HFS+ partition to use Core Storage and apply Core Storage encryption. Then use the Core Storage Logical Volume as a device in your zpool by supplying it to "zpool create," "zpool add," "zpool attach," etc. Build ZFS from source, or wait for the next installer, newer than 1.2.0 (for an explanation, see the original IRC chat).

You may receive a pop-up claiming the disk isn't readable by this computer. This leads to one step that can be confusing: when unlocking the disk (e.g., on startup), the "bug" will make OS X believe the disk wasn't unlocked, and thus "wiggle," presenting the prompt again. Assuming you entered your password correctly, the encrypted volume should now be unlocked, despite the misleading wiggle, and you can safely close the dialog box by clicking "Cancel." You'll know for sure the volume is unlocked when you proceed to import your pool, or you can check directly by looking for Encryption Status: Unlocked in the output of diskutil coreStorage list.
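A worked version of the Keychain-backed unlock described above, added here as an example (it is not code from the post or from the O3X project). It assumes the dataset name is the Keychain account name, as the post suggests, and adds a service string "openzfs-passphrase" of its own so items for different purposes do not collide; the dataset names are placeholders and the keystatus listing at the bottom is constructed, not captured from a real pool.

```shell
#!/bin/sh
# Added example, not code from the original post or from the O3X project.
# Assumptions: dataset names are placeholders, and the Keychain service string
# "openzfs-passphrase" is this script's own convention (the post only fixes the
# account name, which is the dataset name).
set -eu

KEYCHAIN_SERVICE="${KEYCHAIN_SERVICE:-openzfs-passphrase}"

# Accept only names that are safe to hand to zfs and security(1): a pool name
# plus optional /components made of the characters zfs itself permits. This
# also keeps shell metacharacters out of anything we later word-split.
valid_dataset_name() {
  case "$1" in
    ''|/*|*/|*//*|*[!A-Za-z0-9_.:/-]*) return 1 ;;
  esac
  return 0
}

# Interpret the value column of `zfs get -H -o value keystatus <dataset>`.
key_is_loaded() {
  [ "$1" = "available" ]
}

# From `zfs get -H -r -o name,keystatus keystatus <pool>` output (tab-separated
# "name<TAB>status" lines) print the datasets whose key is not loaded.
# Unencrypted datasets report "none" and are skipped.
locked_datasets() {
  printf '%s\n' "$1" | awk -F'\t' '$2 == "unavailable" { print $1 }'
}

# Store the passphrase once. With -w as the last option and no value,
# security(1) prompts for it (its own usage text recommends this) instead of
# taking the secret from argv, where `ps` and shell history would see it.
# -U updates an existing item.
store_passphrase() {
  valid_dataset_name "$1" || { echo "refusing dataset name: $1" >&2; return 1; }
  security add-generic-password -U -a "$1" -s "$KEYCHAIN_SERVICE" -w
}

# Unlock and mount one encryption root exactly as the post does, but with the
# Keychain lookup scoped by service and the result verified afterwards.
unlock_and_mount() {
  valid_dataset_name "$1" || { echo "refusing dataset name: $1" >&2; return 1; }
  security find-generic-password -a "$1" -s "$KEYCHAIN_SERVICE" -w | zfs mount -l "$1"
  key_is_loaded "$(zfs get -H -o value keystatus "$1")" ||
    { echo "key for $1 still not loaded" >&2; return 1; }
}

# Constructed sample of `zfs get -H -r -o name,keystatus keystatus tank`
# (not captured from a real pool), for trying locked_datasets offline.
SAMPLE_KEYSTATUS="$(printf 'tank\tnone\ntank/secure\tunavailable\ntank/secure/backup\tunavailable\ntank/plain\tnone\ntank/other\tavailable')"

if [ "$#" -gt 0 ]; then
  case "$1" in
    store)  store_passphrase "${2:-}" ;;
    unlock) unlock_and_mount "${2:-}" ;;
    locked) locked_datasets "$(zfs get -H -r -o name,keystatus keystatus "${2:-}")" ;;
    *)      echo "usage: $0 store|unlock <pool>/<dataset> | locked <pool>" >&2; exit 2 ;;
  esac
fi
```

Run it as `sh unlock.sh store tank/secure` once (you are prompted for the passphrase), then `sh unlock.sh unlock tank/secure` at each startup; `sh unlock.sh locked tank` lists what is still locked. The name check matters because the dataset name is interpolated into two commands and, in `unlock_and_mount`, into a pipeline: a name with whitespace or a semicolon is refused rather than passed along.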
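The portable-backup layout the post recommends (read-only child of the encrypted dataset, snapshots moved with send and receive), as an added example script; it is not code from the post or the O3X project. The dataset names tank/home and backup/secure/home and the "auto-" snapshot prefix are placeholders. It also covers the two cases the prose leaves implicit: the very first run, when the destination does not exist yet and a full stream is needed, and later runs, when the newest snapshot common to both sides is the incremental base.

```shell
#!/bin/sh
# Added example, not code from the original post or the O3X project. It pushes
# snapshots of a source dataset to a read-only child of the encrypted dataset
# on a portable pool, the layout the post recommends. All names (tank/home,
# backup/secure/home, the "auto-" prefix) are placeholders.
set -eu

SRC="${SRC:-tank/home}"              # dataset on the internal drive
DST="${DST:-backup/secure/home}"     # child of the encryption root backup/secure

# Newest snapshot present on both sides. Inputs are whitespace-separated short
# names (the part after '@'), oldest first, as produced by
#   zfs list -H -o name -t snapshot -s creation <dataset> | sed 's/.*@//'
# Extra snapshots on either side (pruned on one, kept on the other) are fine:
# the answer is the latest source snapshot the destination also has.
latest_common_snapshot() {
  lcs_found=""
  for lcs_s in $1; do
    for lcs_d in $2; do
      [ "$lcs_s" = "$lcs_d" ] && lcs_found=$lcs_s
    done
  done
  printf '%s' "$lcs_found"
}

# Build the send command: a full stream if the sides share nothing yet,
# otherwise an incremental one carrying every intermediate snapshot (-I).
send_args() {
  if [ -z "$2" ]; then
    printf 'zfs send %s@%s' "$1" "$3"
  else
    printf 'zfs send -I @%s %s@%s' "$2" "$1" "$3"
  fi
}

# The encrypted parent on the portable pool must already be unlocked
# (zfs mount -l backup/secure), otherwise the first receive cannot create $DST.
backup() {
  new="auto-$(date -u +%Y%m%dT%H%M%SZ)"
  zfs snapshot "$SRC@$new"
  src_snaps=$(zfs list -H -o name -t snapshot -s creation "$SRC" | sed 's/.*@//')
  # On the first run the destination does not exist yet; treat that as "no
  # common snapshot" so that a full stream is sent.
  dst_snaps=$(zfs list -H -o name -t snapshot -s creation "$DST" 2>/dev/null | sed 's/.*@//' || true)
  common=$(latest_common_snapshot "$src_snaps" "$dst_snaps")
  # Split the composed command into words and pipe it into receive. No -F:
  # the destination is read-only, so nothing can have diverged and receive
  # never has to roll it back. -u leaves it unmounted until you mount it
  # yourself. The stream is not raw (-w), so a newly created $DST inherits
  # encryption from its parent, which is what makes the copy encrypted.
  set -- $(send_args "$SRC" "$common" "$new")
  "$@" | zfs receive -u "$DST"
  # Read-only from the first receive on; the property sticks across later ones.
  zfs set readonly=on "$DST"
}

if [ "${1:-}" = run ]; then
  backup
fi
```

Invoke it as `sh backup.sh run` after the portable pool is imported and its encrypted dataset unlocked. Because nothing can write to the read-only destination between runs, `zfs receive` never needs `-F`, which is the property the post is after: no forced rollback, and therefore no silent loss of anything that might have been written on the backup side.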
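The Core Storage check at the end of the post (look for "Encryption Status: Unlocked" in `diskutil coreStorage list`) can be scripted, so the misleading wiggle never has to be second-guessed by eye. The script below is an added example, not code from the post or the O3X project: it parses the listing for a named logical volume group, unlocks the volume from the Keychain if it is still locked, re-checks, and only then imports the pool. The group name "zfsvault", the pool name "tank", the Keychain service string and the account convention (group name) are assumptions, and the sample listing is constructed in the shape of diskutil's output with made-up UUIDs.

```shell
#!/bin/sh
# Added example, not code from the original post or the O3X project. It turns
# the manual check the post describes (look for "Encryption Status: Unlocked"
# in diskutil coreStorage list) into a script: find the logical volume of a
# named group, unlock it from the Keychain if it is still locked, then import
# the pool. The group name "zfsvault", pool "tank" and the Keychain service
# string are placeholders; the sample listing below is constructed.
set -eu

KEYCHAIN_SERVICE="${KEYCHAIN_SERVICE:-openzfs-passphrase}"

# Read `diskutil coreStorage list` on stdin and print
#   <Encryption Status> <logical volume UUID> <disk>
# for the logical volume group whose Name: is $1. Group-level lines are matched
# through the "|" tree prefix that diskutil draws for all but the last group.
cs_lv_status() {
  awk -v want="$1" '
    /^[+]-- Logical Volume Group /                   { g = $NF; next }
    g != "" && /^[| ]*Name: /                        { sub(/^[| ]*Name: */, ""); name[g] = $0; next }
    g != "" && /Encryption Status:/                  { st[g] = $NF; next }
    g != "" && /[+]-> Logical Volume [0-9A-Fa-f-]+$/ { lv[g] = $NF; next }
    g != "" && lv[g] != "" && dsk[g] == "" && /^[| ]*Disk: / { dsk[g] = $NF; next }
    END { for (k in name) if (name[k] == want) print st[k], lv[k], dsk[k] }
  '
}

unlock_and_import() {
  cs_grp=$1; cs_pool=$2
  set -- $(diskutil coreStorage list | cs_lv_status "$cs_grp")
  cs_status=${1:-}; cs_uuid=${2:-}
  [ -n "$cs_uuid" ] || { echo "no logical volume in group $cs_grp" >&2; return 1; }
  if [ "$cs_status" != Unlocked ]; then
    # The passphrase travels over stdin (-stdinpassphrase), never through argv.
    security find-generic-password -a "$cs_grp" -s "$KEYCHAIN_SERVICE" -w \
      | diskutil coreStorage unlockVolume "$cs_uuid" -stdinpassphrase
    # Re-check instead of trusting the dialog or the exit status; this is the
    # same test the post suggests doing by eye.
    set -- $(diskutil coreStorage list | cs_lv_status "$cs_grp")
    [ "${1:-}" = Unlocked ] || { echo "$cs_grp is still locked" >&2; return 1; }
  fi
  zpool import "$cs_pool"
}

# Constructed sample in the shape of `diskutil coreStorage list` output with
# two groups (not captured from a real machine; UUIDs are made up).
SAMPLE_CS_LIST='CoreStorage logical volume groups (2 found)
|
+-- Logical Volume Group 11111111-1111-1111-1111-111111111111
|   =========================================================
|   Name:         Macintosh HD
|   Status:       Online
|   |
|   +-> Logical Volume Family 22222222-2222-2222-2222-222222222222
|       Encryption Status:       Unlocked
|       |
|       +-> Logical Volume 33333333-3333-3333-3333-333333333333
|           Disk:                  disk1
|           LV Name:               Macintosh HD
|
+-- Logical Volume Group 44444444-4444-4444-4444-444444444444
    =========================================================
    Name:         zfsvault
    Status:       Online
    |
    +-< Physical Volume 55555555-5555-5555-5555-555555555555
    |   Disk:     disk2s2
    |   Status:   Online
    |
    +-> Logical Volume Family 66666666-6666-6666-6666-666666666666
        Encryption Type:         AES-XTS
        Encryption Status:       Locked
        |
        +-> Logical Volume 77777777-7777-7777-7777-777777777777
            Disk:                  disk3
            Status:                Online
            LV Name:               zfsvault
            Content Hint:          Apple_HFS'

if [ "$#" -eq 2 ]; then
  unlock_and_import "$1" "$2"
fi
```

Run it as `sh csunlock.sh zfsvault tank`. The parser keys everything on the group UUID line, so the physical volume's `Disk:` (which appears before the logical volume) is not mistaken for the device you hand to zpool; the `+-> Logical Volume <uuid>` line, not the `Logical Volume Family` line, carries the UUID that `unlockVolume` wants. The "disk isn't readable" pop-up mentioned above is expected, since the unlocked logical volume holds ZFS rather than HFS+.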