zfs encryption at rest

zfs is an amazing file system. Running it on your Mac makes sense because it has a lot of features and is very robust. Even compared to the new apfs.

I’m using OpenZFSonMacOS.

The recently added encryption at rest is a great alternative to encrypted .dmg files on top of your disk. I’ve such a .dmg file once because of a read error on my drive.

Since it does not come with a colorful gui, you have to use the terminal. There’s a bunch of options which can be intimidating, but the defaults seem reasonable and getting started is easier then expected. Let’s assume you already have an unencrypted file system named tank and you want to create an encrypted dataset we want to call secret. User alice can mount it without having sudo privileges.

The encrypted filesystem is a dataset on top of your zfs file system.

sudo zfs create -o encryption=on -o keylocation=prompt -o keyformat=passphrase tank/secret

The first password prompt is most likely for your user-password to get the sudo-privileges. Then you assign a passphrase

Now we allow the user alice to mount it and load the key. When the dataset is mounted she (and she alone) can read and write.

sudo zfs allow alice mount,load-key tank/secret
sudo chown alice /Volumes/tank/secret
sudo chmod go-rwx /Volumes/tank/secret

Now, when alice wants to open the encrypted files, all she has to do is type in these commands

zfs load-key tank/secret
zfs mount tank/secret

After unmounting it, she should make sure to unload the key from memory.

zfs umount tank/secret
zfs unload-key tank/secret

That’s it.

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert.