ZFS Encryption
This page will describe how I've encrypted my volumes.
Decisions
- While encrypting the pool volume is possible, I decided to go with a sub-volume, just in case I need to add unencrypted data later.
- The options for encryption keys are passphrase, raw key, and hex key. I'll be using a hex key for ease of backup in my password database.
Creating the Volume
- Generate the key
mkdir /etc/zfs/keys
chmod 700 /etc/zfs/keys
openssl rand -hex -out /etc/zfs/keys/datasetname 32
chmod 600 /etc/zfs/keys/datasetname
- Create the pool and subsequent dataset
zfs create -o encryption=aes-256-gcm -o keyformat=hex -o keylocation=file:///etc/zfs/keys/datasetname poolname/datasetname
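A pre-flight check for the key file generated above, as an added example that is not part of the original page: it confirms the file is owner-only and holds exactly 64 hex characters (the 32 bytes from `openssl rand -hex`) before `zfs create` is pointed at it. The function name `check_hex_key` is hypothetical, and GNU `stat` (Linux) is assumed.

```shell
#!/bin/sh
# Added example: validate a keyformat=hex key file before using it.
# check_hex_key is a hypothetical helper, not an OpenZFS command.
# Assumes GNU stat (Linux) for `stat -c %a`.

check_hex_key() {
    key=$1
    [ -f "$key" ] || { echo "missing: $key" >&2; return 1; }

    # Reject any group/other permission bits: the octal mode must end in 00
    # (stat prints a bare "0" for mode 000, which is also owner-only).
    mode=$(stat -c %a "$key") || return 1
    case $mode in
        0|*00) ;;
        *) echo "mode $mode is too open: $key" >&2; return 2 ;;
    esac

    # A 256-bit key in hex is exactly 64 characters. Command substitution
    # drops the trailing newline that `openssl rand -hex` writes; any other
    # stray byte (CR, second line, space) fails the checks below.
    hex=$(cat "$key") || return 1
    [ "${#hex}" -eq 64 ] || { echo "expected 64 hex chars, got ${#hex}" >&2; return 3; }
    case $hex in
        *[!0-9A-Fa-f]*) echo "non-hex character in key" >&2; return 4 ;;
    esac
    return 0
}

# Demo on a constructed key (all zeros, not a real secret) in a temp dir.
demo_dir=$(mktemp -d)
printf '%064d\n' 0 > "$demo_dir/datasetname"

chmod 600 "$demo_dir/datasetname"
check_hex_key "$demo_dir/datasetname" && echo "owner-only key: ok"

chmod 644 "$demo_dir/datasetname"
check_hex_key "$demo_dir/datasetname" 2>/dev/null || echo "world-readable key: rejected"

rm -rf "$demo_dir"
```

Run as root against the real path, e.g. `check_hex_key /etc/zfs/keys/datasetname`, before the `zfs create` step.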