
ZFS Encryption

This page will describe how I've encrypted my volumes.

Decisions
  1. While encrypting the pool volume is possible, I decided to go with a sub-volume, just in case I need to add un-encrypted data later.
  2. The options for encryption keys are passphrase, raw key, and hex key. I'll be using a hex key for ease of backup in my password database.
Creating the Volume
  1. Generate the key
    mkdir /etc/zfs/keys
    chmod 700 /etc/zfs/keys
    openssl rand -hex -out /etc/zfs/keys/datasetname 32
    # the key is a plain file, so owner read/write is enough (no execute bit)
    chmod 600 /etc/zfs/keys/datasetname

  2. Create the pool, and subsequent dataset
    zfs create -o encryption=aes-256-gcm -o keyformat=hex -o keylocation=file:///etc/zfs/keys/datasetname poolname/datasetname
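
A pre-flight check for the key file from step 1, added here as an example and not part of the original page: it confirms the file holds exactly 64 hex digits (the 32 bytes requested from openssl) and that group and other have no access, before the dataset is created against it. check_zfs_hexkey is a hypothetical helper name, not a ZFS tool.

```shell
#!/bin/sh
# Added example. check_zfs_hexkey is a hypothetical helper name, not a ZFS tool.
# Return codes: 0 ok, 1 not a regular file, 2 permissions too open, 3 bad key.
check_zfs_hexkey() {
    keyfile=$1

    # Refuse symlinks and anything that is not a regular file.
    if [ -L "$keyfile" ] || [ ! -f "$keyfile" ]; then
        echo "not a regular file: $keyfile" >&2
        return 1
    fi

    # Characters 5-10 of the ls mode string are the group/other bits;
    # all six must be '-' so that only the owner can touch the key.
    perms=$(ls -ld -- "$keyfile") || return 1
    case "$perms" in
        ????------*) ;;
        *) echo "group/other can access $keyfile" >&2; return 2 ;;
    esac

    # $(...) strips the trailing newline that openssl rand -hex writes.
    # The key itself is never printed.
    key=$(cat -- "$keyfile") || return 1
    case "$key" in
        *[!0-9a-fA-F]*) echo "non-hex character in key file" >&2; return 3 ;;
    esac
    # 32 random bytes written as hex are 64 digits.
    if [ "${#key}" -ne 64 ]; then
        echo "expected 64 hex digits, found ${#key}" >&2
        return 3
    fi
    return 0
}
```

After sourcing the function, run `check_zfs_hexkey /etc/zfs/keys/datasetname` between steps 1 and 2; a non-zero return means the key file should be fixed before it is passed to `keylocation`.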