# FreeBSD 8.3 ZFS encryption property



## ShyRain (Sep 3, 2013)

Hi, 

I want to encrypt some disk on my server with ZFS' encryption property but it is not available. Is there anybody who has got any experience with this?

http://docs.oracle.com/cd/E23824_01/html/821-1448/gkkih.html#scrolltoc
http://www.oracle.com/technetwork/articles/servers-storage-admin/manage-zfs-encryption-1715034.html

These are good explanations but I got an error and the output shows all properties;

```
[root@HP ~]# zpool status
  pool: output
 state: ONLINE
  scan: none requested
config:

	NAME        STATE     READ WRITE CKSUM
	output      ONLINE       0     0     0
	  ad0s1e    ONLINE       0     0     0

errors: No known data errors
[root@HP ~]# zfs create -o encryption=on output/home
cannot create 'output/home': invalid property 'encryption'
[root@HP ~]# zfs get encryption
bad property list: invalid property 'encryption'
usage:
	get [-rHp] [-d max] [-o "all" | field[,...]] [-t type[,...]] [-s source[,...]]
	    <"all" | property[,...]> [filesystem|volume|snapshot] ...

The following properties are supported:

	PROPERTY       EDIT  INHERIT   VALUES

	available        NO       NO   <size>
	clones           NO       NO   <dataset>[,...]
	compressratio    NO       NO   <1.00x or higher if compressed>
	creation         NO       NO   <date>
	defer_destroy    NO       NO   yes | no
	mounted          NO       NO   yes | no
	origin           NO       NO   <snapshot>
	refcompressratio  NO       NO   <1.00x or higher if compressed>
	referenced       NO       NO   <size>
	type             NO       NO   filesystem | volume | snapshot
	used             NO       NO   <size>
	usedbychildren   NO       NO   <size>
	usedbydataset    NO       NO   <size>
	usedbyrefreservation  NO       NO   <size>
	usedbysnapshots  NO       NO   <size>
	userrefs         NO       NO   <count>
	written          NO       NO   <size>
	aclinherit      YES      YES   discard | noallow | restricted | passthrough | passthrough-x
	aclmode         YES      YES   discard | groupmask | passthrough | restricted
	atime           YES      YES   on | off
	canmount        YES       NO   on | off | noauto
	casesensitivity  NO      YES   sensitive | insensitive | mixed
	checksum        YES      YES   on | off | fletcher2 | fletcher4 | sha256
	compression     YES      YES   on | off | lzjb | gzip | gzip-[1-9] | zle
	copies          YES      YES   1 | 2 | 3
	dedup           YES      YES   on | off | verify | sha256[,verify]
	devices         YES      YES   on | off
	exec            YES      YES   on | off
	jailed          YES      YES   on | off
	logbias         YES      YES   latency | throughput
	mlslabel        YES      YES   <sensitivity label>
	mountpoint      YES      YES   <path> | legacy | none
	nbmand          YES      YES   on | off
	normalization    NO      YES   none | formC | formD | formKC | formKD
	primarycache    YES      YES   all | none | metadata
	quota           YES       NO   <size> | none
	readonly        YES      YES   on | off
	recordsize      YES      YES   512 to 128k, power of 2
	refquota        YES       NO   <size> | none
	refreservation  YES       NO   <size> | none
	reservation     YES       NO   <size> | none
	secondarycache  YES      YES   all | none | metadata
	setuid          YES      YES   on | off
	sharenfs        YES      YES   on | off | share(1M) options
	sharesmb        YES      YES   on | off | sharemgr(1M) options
	snapdir         YES      YES   hidden | visible
	sync            YES      YES   standard | always | disabled
	utf8only         NO      YES   on | off
	version         YES       NO   1 | 2 | 3 | 4 | 5 | current
	volblocksize     NO      YES   512 to 128k, power of 2
	volsize         YES       NO   <size>
	vscan           YES      YES   on | off
	xattr           YES      YES   on | off
	userused@...     NO       NO   <size>
	groupused@...    NO       NO   <size>
	userquota@...   YES       NO   <size> | none
	groupquota@...  YES       NO   <size> | none
	written@<snap>   NO       NO   <size>

Sizes are specified in bytes with standard units such as K, M, G, etc.

User-defined properties can be specified by using a name containing a colon (:).

The {user|group}{used|quota}@ properties must be appended with
a user or group specifier of one of these forms:
    POSIX name      (eg: "matt")
    POSIX id        (eg: "126829")
    SMB name@domain (eg: "matt@sun")
    SMB SID         (eg: "S-1-234-567-89")
[root@HP ~]#
```

How can I use or add the encryption property to FreeBsd FreeBSD 8.3?


----------



## usdmatt (Sep 3, 2013)

Only the Solaris version of ZFS supports the encryption property. It was added by Oracle after they killed off OpenSolaris and moved development in-house.

On FreeBSD your only real option is geli(8). You can either encrypt the entire disk (or disks), giving you disk.eli devices which you then build the pool out of, or if you only want some data encrypted, you can create ZVOLs for your encrypted data, encrypt them with geli(8) and format the resulting device with UFS.

You could create a single ZVOL for encrypted data, encrypt that and make a new pool out of it, then create ZFS file systems on top, but I'm not sure how wise running ZFS on top on ZFS is.

The open source version of ZFS now has a system called feature flags which allows third parties (Mainly Delphix and Illumos at the moment by the look of it) to create their own features for ZFS, whilst maintaining compatibility with each other. I'm just hoping someone decides to implement an encryption feature as it would be very useful.


----------



## J65nko (Sep 3, 2013)

See 3.3. Road Warrior Laptop for an example of an encrypted single disk ZFS pool.


----------



## ShyRain (Sep 3, 2013)

Yes, you are right. I find this explanation and also correct;


```
ZFSv28 is the latest opensource version of ZFS.

ZFSv30 or ZFSv31 include encryption support, and are only available in Solaris 11. None of the ZFS bits have been opensourced. Thus, there's nothing "to port".
```

I will try GELI + ZFS*.* *T*hanks a lot.


----------

