I'm currently playing around and testing ZFS and I really like it. Now I am looking for the best way to use it as a replacement for my standard setup with luks-based full disk encryption.
How does encryption work in ZFS: do I encrypt a whole pool or just individual datasets? My idea is to boot, enter a passphrase, and then use the system as usual. I do not want to enter a passphrase for every dataset in my pool, so is that possible?
I already tried using a ZFS pool inside a LUKS full disk encryption container. It works, but I guess this will be way less performant than using ZFS encryption directly.
I'm using Arch Linux with the "Stable" kernel and an NVMe SSD. Thanks for the clarification and recommended setups!
Oh, one more: I read that you cannot encrypt existing datasets or pools, is that still the case?
Best Answer
Encryption was added to ZFS On Linux with the release of version 0.8. So you need at least that version.
In ZFS, encryption is on a per-dataset basis, not on a pool - but, as with most things in ZFS, a dataset can inherit encryption properties from its parent (or from a defined encryptionroot instead of the parent).

Setting encryption on a dataset in ZFS will not automatically encrypt any data already in it. As with enabling compression (or changing the compression type), only new data will be encrypted.

To encrypt existing data, you can rsync or zfs send it to another dataset with encryption enabled, and then replace the old dataset with the new encrypted one. This may require the system to be in single-user mode (or, at least, to temporarily shut down any programs which may write to, or have files open on, the old dataset).

I don't use encryption on any of my zpools, so that's about all I know about it. I'd strongly advise doing more research and reading the archives of the ZOL mailing lists and searching for encryption-related issues on the ZOL github repo.

From the Encryption section of man zfs:
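The workflow the answer describes (one encryption root whose children inherit the key, so a single passphrase at boot unlocks everything, plus migrating an existing unencrypted dataset with zfs send/receive), written out as an added example; this is not code from the question or the answer. The pool name tank and the dataset names secure and old are placeholders. The ZFS variable exists so the helpers can be exercised against a stub that only echoes the command line when no zpool is available; with the real zfs binary the commands run for real and create-encryption-root will prompt for a passphrase.

```shell
#!/bin/sh
# Added example (not from the original post). Dataset names are placeholders.
# ZFS points at the real binary by default; it can be overridden with a stub for dry runs.
ZFS="${ZFS:-zfs}"

# Create the encryption root. Datasets created below it inherit the encryption,
# keyformat and keylocation properties and share its key, so one passphrase
# unlocks the whole subtree.
create_encryption_root() {
    pool="$1"; root="$2"
    "$ZFS" create -o encryption=aes-256-gcm -o keyformat=passphrase \
        -o keylocation=prompt "$pool/$root"
}

# A child dataset: no encryption options given, so everything is inherited
# from the encryption root (its encryptionroot property will name the parent).
create_child() {
    "$ZFS" create "$1"
}

# Migrate an existing plaintext dataset: snapshot it, then send the stream into
# a new child of the encrypted root. A non-raw stream received under an
# encrypted parent is written encrypted with the parent's key. Do this while
# nothing is writing to the source, as the answer notes.
migrate_dataset() {
    src="$1"; dst="$2"
    "$ZFS" snapshot "$src@migrate"
    "$ZFS" send "$src@migrate" | "$ZFS" receive "$dst"
}

# At boot: load the key once for the root (prompts for the passphrase), which
# unlocks all descendants sharing that key, then mount everything.
unlock_tree() {
    "$ZFS" load-key -r "$1" && "$ZFS" mount -a
}

# Verify what a dataset actually ended up with: encryption algorithm and which
# dataset is its encryption root.
show_encryption() {
    "$ZFS" get -H -o name,property,value encryption,encryptionroot "$1"
}

# Usage with real zfs (uncomment on a test pool):
# create_encryption_root tank secure
# create_child tank/secure/home
# migrate_dataset tank/old tank/secure/old
# show_encryption tank/secure/home
```

After migration, confirm with show_encryption that every child reports the same encryptionroot; a dataset that shows itself as its own encryption root has its own key and would need a separate load-key.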