ZFS dataset encryption
Category : How-to
ZFS datasets support a host of features to help you manage your storage mounts as effectively as possible. Dataset encryption was added to ZFS in version 30 and can be enabled on a ZFS dataset during dataset creation. As ZFS on Linux in behind the official Solaris release, encryption is not available. ZFS on Linux is currently only at version 28.
You cannot encrypt an existing dataset. You would have to create a new, encrypted dataset, and migrate your data.
To create a dataset volume with encryption, use the following command. Replace [MOUNT POINT] with the location of where to mount the encrypted volume, [ZPOOL] with the name of the existing pool to use and [DATASET NAME] with the name to call the new encrypted dataset.
zfs create -o mountpoint=[MOUNT POINT] [ZPOOL]/[DATASET NAME]
zfs create -o encryption=on mountpoint=/mnt/homes datastore/homes
Now, you will be asked for a passphrase to use. Enter a passphrase, and then confirm it by typing it a second time. Your encrypted dataset will now be created.
Enter passphrase for 'datastore/homes': xxxxxxxxxxxxxxxxx Enter again: xxxxxxxxxxxxxxxxx
Finally, check the dataset was created and encrypted:
zfs get encryption datastore/homes NAME PROPERTY VALUE SOURCE datastore/homes encryption on local