ZFS Encryption

This page will describe how I've encrypted my volumes.

Decisions
  1. While encrypting the pool volume is possible, I decided to go with a sub-volume, just in case I need to add unencrypted data later.
  2. The options for encryption keys are passphrase, raw key, and hex key. I'll be using a hex key for ease of backup in my password database.
  1. ZFS - ArchWiki
  2. Performance tuning - OpenZFS
Creating the Volume
  1. Generate the key
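mkdir /etc/zfs/keys
chmod 700 /etc/zfs/keys
# 32 random bytes, written out as 64 hex characters
openssl rand -hex -out /etc/zfs/keys/datasetname 32
# a key file needs no execute bit: owner read/write only
chmod 600 /etc/zfs/keys/datasetname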
  2. Create the pool, and subsequent dataset
zfs create -o encryption=aes-256-gcm -o keyformat=hex -o keylocation=file:///etc/zfs/keys/datasetname poolname/datasetname
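
A pre-flight check for the key file generated above, as an added example that is not part of the original page: it confirms the file is a regular file, grants nothing to group or other, and holds exactly 64 hex characters (the 256-bit key that keyformat=hex expects). The function name check_zfs_hex_key is hypothetical, not a ZFS command.

```shell
#!/bin/sh
# Added example: validate a ZFS hex key file before pointing keylocation at it.
# check_zfs_hex_key is a hypothetical helper name.
# Usage: check_zfs_hex_key /etc/zfs/keys/datasetname

check_zfs_hex_key() {
    keyfile=$1

    # Must be a regular file, not a symlink that could be repointed.
    if [ -L "$keyfile" ] || [ ! -f "$keyfile" ]; then
        echo "not a regular file: $keyfile" >&2
        return 1
    fi

    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$keyfile" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "group/other can access $keyfile ($perms)" >&2
        return 1
    fi

    # Drop any trailing newline, then require exactly 64 hex characters.
    # The key itself is never echoed.
    key=$(tr -d '\n' < "$keyfile")
    if [ "${#key}" -ne 64 ]; then
        echo "expected 64 hex characters, found ${#key}" >&2
        return 1
    fi
    case $key in
        *[!0-9a-fA-F]*)
            echo "non-hex character in key" >&2
            return 1
            ;;
    esac
    return 0
}
```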