ZFS is an amazing file system. Running it on your Mac makes sense because it has a lot of features and is very robust, even compared to the new APFS.
I’m using OpenZFSonMacOS.
The recently added encryption at rest is a great alternative to encrypted .dmg files on top of your disk. I’ve lost such a .dmg file once because of a read error on my drive.
Since it does not come with a colorful GUI, you have to use the terminal. There’s a bunch of options, which can be intimidating, but the defaults seem reasonable and getting started is easier than expected. Let’s assume you already have an unencrypted file system named tank and you want to create an encrypted dataset, which we will call secret, that the user alice can mount without having sudo privileges.
The encrypted file system is a dataset on top of your ZFS file system.
sudo zfs create -o encryption=on -o keylocation=prompt -o keyformat=passphrase tank/secret
The first password prompt is most likely for your user password, to get sudo privileges. Then you assign a passphrase.
Now we allow the user alice to mount it and load the key. When the dataset is mounted she (and she alone) can read and write.
sudo zfs allow alice mount,load-key tank/secret
sudo chown alice /Volumes/tank/secret
sudo chmod go-rwx /Volumes/tank/secret
Now, when alice wants to open the encrypted files, all she has to do is type in these commands:
zfs load-key tank/secret
zfs mount tank/secret
After unmounting it, she should make sure to unload the key from memory.
zfs umount tank/secret
zfs unload-key tank/secret
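To confirm that the key really is gone after unmounting, here is a small sketch (an added example, not part of the original post) that reads the standard encryption, keystatus and mounted properties with zfs get. The function names are made up for this example, and the sample line at the end is constructed, not real output.

```shell
#!/bin/sh
# Added example. Function names are hypothetical, chosen for this sketch.
# classify_state reads "property<TAB>value" lines, as printed by
#   zfs get -H -o property,value encryption,keystatus,mounted <dataset>
# and prints a one-word verdict.
classify_state() {
    enc= key= mnt=
    while IFS="$(printf '\t')" read -r prop value; do
        case "$prop" in
            encryption) enc=$value ;;
            keystatus)  key=$value ;;
            mounted)    mnt=$value ;;
        esac
    done
    if [ -z "$enc" ]; then
        echo unknown              # no output, e.g. dataset not found
    elif [ "$enc" = "off" ]; then
        echo not-encrypted
    elif [ "$mnt" = "yes" ]; then
        echo open                 # mounted, so the key is loaded
    elif [ "$key" = "available" ]; then
        echo key-still-loaded     # unmounted, but key remains in memory
    else
        echo locked               # unmounted and key unloaded
    fi
}

# dataset_state <dataset>: query zfs and classify the result.
dataset_state() {
    zfs get -H -o property,value encryption,keystatus,mounted "$1" | classify_state
}

# lock_dataset <dataset>: unmount, unload the key, then verify the result.
# Errors from the two commands are tolerated (the dataset may already be
# unmounted); the final state check is what decides success.
lock_dataset() {
    zfs umount "$1" 2>/dev/null || true
    zfs unload-key "$1" 2>/dev/null || true
    state=$(dataset_state "$1")
    [ "$state" = "locked" ] || { echo "$1: $state" >&2; return 1; }
}

# Constructed sample (not real output): unmounted, key still in memory.
printf 'encryption\taes-256-gcm\nkeystatus\tavailable\nmounted\tno\n' | classify_state
```

Once the functions are defined in her shell, alice can run lock_dataset tank/secret instead of the two commands above; it returns non-zero and prints the state if the dataset is still open or the key is still loaded.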