Chiffrement ZFS

Création volume chiffré

• Via mot de passe

  zfs create -o encryption=on -o keylocation=prompt -o keyformat=passphrase zdata/data_encrypted
  

• Via clé HEX

  openssl rand -hex 32 > /etc/keys/keyfile
  zfs create -o encryption=on -o keylocation=file:///etc/keys/keyfile -o keyformat=hex zdata/data_encrypted
  

• Via clé RAW

  truncate -s 32 /etc/keys/keyfile
  zfs create -o encryption=on -o keylocation=file:///etc/keys/keyfile -o keyformat=raw zdata/data_encrypted
  

Affichage des informations du volume

root@test-freebsd:~ # zfs get name,encryption,keylocation,keyformat zdata/encrypted
NAME                  PROPERTY     VALUE            SOURCE
zdata/data_encrypted  name         zdata/encrypted  -
zdata/data_encrypted  encryption   aes-256-gcm      -
zdata/data_encrypted  keylocation  prompt           local
zdata/data_encrypted  keyformat    passphrase       -

Démontage

zfs umount zdata/data_encrypted

Déchargement clé de chiffrement

zfs unload-key zdata/data_encrypted

Chargement clé de chiffrement

zfs load-key zdata/data_encrypted

Lister l'état des volumes

root@test-freebsd:~ # zfs list -o name,mounted
NAME                                            MOUNTED
zdata                                           no
zdata/data_encrypted                                 no
zroot                                           yes

Montage

zfs mount zdata/data_encrypted