Creating encrypted Volumes on ZFS Pools
One of the most anticipated features of ZFS is transparent encryption. But since Oracle decided not to release the ZFS updates made in Solaris 11 as open source, on-disk encryption is not available in illumos-based (i.e. open-source) distributions. There is, however, a way to build transparently encrypted zpools with the currently available ZFS version, using pktool, lofiadm, zfs and zpool.
lofiadm - administer files available as block devices through lofi
http://www.unix.com/man-page/opensolaris/1m/lofiadm
That means you can use ordinary files as block devices while adding some features to them (e.g. compression, and also encryption). The goal of this post is to create a transparently encrypted volume that uses a key file for decryption (which might be stored on a USB stick, or uploaded once through a browser in order to mount the device). For an easy start, I created a Vagrantfile based on OmniOS here.
If you do not know Vagrant, here is an easy Start for you:
- Get yourself a VirtualBox Version matching your Platform: https://www.virtualbox.org/wiki/Downloads
- Get yourself a Vagrant Version matching your Platform: http://www.vagrantup.com/downloads.html
- Change into the folder where you have saved your Vagrantfile
- Start your box (this will take some time, since the OmniOS box needs to be downloaded first):
vagrant up
- After your box has booted, you can ssh into it with
vagrant ssh
- Have a look around:
zpool status
You will find exactly one (root) pool configured in that system:
  pool: rpool
 state: ONLINE
  scan: none requested
config:

        NAME        STATE     READ WRITE CKSUM
        rpool       ONLINE       0     0     0
          c1d0s0    ONLINE       0     0     0
Next we want to create our encrypted device. For that we need some "files" to use with lofiadm. One very handy feature of ZFS is that you can also create volumes (zvols) inside your zpool, and the block device of such a zvol can serve as the backing store for lofi.
First we need to find out how big our pool is:
zpool list
will give us an overview of the configured pools:
NAME           SIZE  ALLOC   FREE  EXPANDSZ    CAP  DEDUP  HEALTH   ALTROOT
rpool         39,8G  2,28G  37,5G         -     5%  1.00x  ONLINE   -
vagrant-priv      -      -      -         -      -      -  FAULTED  -
(The FAULTED vagrant-priv entry is a pool whose backing device is currently missing; on a fresh system you will only see rpool here.)
So we have roughly 37G of free space. For this test we would like to create an encrypted volume with 2G of space.
Creating a zvol is as easy as creating a normal ZFS file system; the only difference is the -V option, which gives the volume a fixed size:
sudo zfs create -V 2G rpool/export/home/vagrant-priv
You can now see the new zvol with its reserved size of 2G:
zfs list
NAME                             USED  AVAIL  REFER  MOUNTPOINT
rpool                           5,34G  33,8G  35,5K  /rpool
rpool/ROOT                      1,74G  33,8G    31K  legacy
rpool/ROOT/omnios               1,74G  33,8G  1,46G  /
rpool/ROOT/omniosvar              31K  33,8G    31K  legacy
rpool/dump                       512M  33,8G   512M  -
rpool/export                    2,06G  33,8G    32K  /export
rpool/export/home               2,06G  33,8G    41K  /export/home
rpool/export/home/vagrant-priv  2,06G  35,9G    16K  -
rpool/swap                      1,03G  34,8G  34,4M  -
Next we need a key for encrypting and decrypting the device. That can be done with pktool, which writes the raw AES-256 key (32 bytes) to the file given as outkey:
pktool genkey keystore=file outkey=lofi.key keytype=aes keylen=256 print=y
Key Value ="93af08fcfa9fc89724b5ee33dc244f219ac6ce75d73df2cb1442dc4cd12ad1c4"
The print=y option only echoes the key to the terminal (and thereby into your scrollback or shell log); leave it out unless you really want to see the key. Make sure the key file is readable by nobody but you (chmod 600 lofi.key).
We can now use this key with lofiadm to create an encrypted Device:
sudo lofiadm -a /dev/zvol/rdsk/rpool/export/home/vagrant-priv -c aes-256-cbc -k lofi.key
/dev/lofi/1
lofi.key is the file that contains the raw key for the encryption; there is no passphrase on top of it, so whoever holds the file can attach the volume. You can keep it in that folder or move it to another device. Keep in mind that your home directory lives on the unencrypted rpool, right next to the encrypted volume, so leaving the key there means anyone who gets hold of the disk gets the key as well. If you want to reactivate the device later (we will see below how), you will need that key file again, and without it the data cannot be recovered.
/dev/lofi/1 is our encrypted device. We can use it to create a new (encrypted) zpool:
sudo zpool create vagrant-priv /dev/lofi/1
You can now use that pool as a normal zpool (including quotas, compression, etc.):
zpool status
  pool: vagrant-priv
 state: ONLINE
  scan: none requested
config:

        NAME           STATE     READ WRITE CKSUM
        vagrant-priv   ONLINE       0     0     0
          /dev/lofi/1  ONLINE       0     0     0

errors: No known data errors
The new pool is mounted at /vagrant-priv and owned by root, so you should change the owner of that mount point:
sudo chown -R vagrant:other /vagrant-priv
Creating some test files:
cd /vagrant-priv/
mkfile 100m file2
du -sh *
100M file2
So what happens if we want to deactivate that Pool?
- Leave the mount point (a pool cannot be exported while a process still has its file system in use):
cd /
- Deactivate the Pool:
sudo zpool export vagrant-priv
- Detach the lofi device (this has to come after the export, since lofiadm refuses to detach a device that is still in use; afterwards the plaintext is no longer accessible):
sudo lofiadm -d /dev/lofi/1
That's all. Now let's reboot the system and see how we can re-attach that pool.
Leave the Vagrant Box:
exit
logout
Connection to 127.0.0.1 closed.
Restart the Box:
vagrant halt
[default] Attempting graceful shutdown of VM...
vagrant up
...
Waiting for machine to boot. This may take a few minutes...
[default] VM already provisioned. Run `vagrant provision` or use `--provision` to force it
Re-Enter the Box:
vagrant ssh
So where is our pool?
zpool status
only gives us the default root pool.
First we need to re-create our lofi device, using the same cipher and the same key file as before:
sudo lofiadm -a /dev/zvol/rdsk/rpool/export/home/vagrant-priv -c aes-256-cbc -k lofi.key
/dev/lofi/1
Instead of creating a new zpool (that would destroy our previously created data), we need to import the existing one. That can be done in two steps using zpool. First we need to find our pool:
sudo zpool import -d /dev/lofi/
That lists all zpools found on devices in that directory. We need to find the id of our pool (this needs to be done only once, since the id stays the same as long as the pool exists). If nothing is listed, the lofi device was most likely attached with a different key file than the one the pool was created with.
...
   pool: vagrant-priv
     id: 1140053612317909839
  state: ONLINE
 action: The pool can be imported using its name or numeric identifier.
 config:

        vagrant-priv  ONLINE
          /dev/lofi/1 ONLINE
...
We can now import that zpool using the id 1140053612317909839 (as the output says, importing by name works as well):
sudo zpool import -d /dev/lofi/ 1140053612317909839
After that we can again access our pool as usual:
cd /vagrant-priv/
du -sh *
100M file2
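The whole attach/detach cycle above, as an added example that is not part of the original post nor of the OmniOS/illumos tools: a small POSIX shell script that checks the key file before using it, attaches the zvol with lofiadm, reads the pool id out of the `zpool import -d` listing instead of relying on a copied number, and exports and detaches in the right order. The script name privpool.sh and the key location /media/usb/lofi.key are assumptions; the zvol path, pool name and cipher are the ones used in this post.

```shell
#!/bin/sh
# privpool.sh - attach, detach and re-import a lofi-encrypted zpool.
# Added example for this post; not part of the original article or of the
# illumos tools. Assumptions not taken from the post: the key file lives on
# removable media mounted at /media/usb; ZVOL and POOL default to the names
# used in the post. Run attach/detach as root (or via sudo).
set -u

ZVOL="${ZVOL:-/dev/zvol/rdsk/rpool/export/home/vagrant-priv}"
KEYFILE="${KEYFILE:-/media/usb/lofi.key}"
POOL="${POOL:-vagrant-priv}"
CIPHER="aes-256-cbc"

# pktool writes a raw key; for AES-256 that is exactly 32 bytes. A hex dump
# of the key (64 characters) or a truncated copy is a different key and
# would not decrypt the volume, so check the length before touching it.
key_len_ok() {
    [ "$(wc -c < "$1" | tr -d ' ')" -eq 32 ]
}

# The raw key is the only secret protecting the volume: refuse a key file
# that group or others can read (ls -l columns 5-10 must all be "-").
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Extract the numeric id of pool $1 from "zpool import -d <dir>" output
# (read on stdin), so the id never has to be copied by hand.
pool_id() {
    awk -v want="$1" '
        $1 == "pool:" { name = $2 }
        $1 == "id:" && name == want { print $2; exit }
    '
}

attach() {
    key_len_ok "$KEYFILE"     || { echo "$KEYFILE: not a raw 32-byte AES-256 key" >&2; return 1; }
    key_is_private "$KEYFILE" || { echo "$KEYFILE: readable by others, chmod 600 it" >&2; return 1; }
    # lofiadm prints the device it created (/dev/lofi/N). N is assigned at
    # attach time and need not be the same after a reboot, so never hardcode it.
    dev=$(lofiadm -a "$ZVOL" -c "$CIPHER" -k "$KEYFILE") || return 1
    id=$(zpool import -d /dev/lofi 2>/dev/null | pool_id "$POOL")
    if [ -z "$id" ]; then
        echo "no pool $POOL found on $dev (wrong key or wrong zvol?); detaching" >&2
        lofiadm -d "$dev"
        return 1
    fi
    zpool import -d /dev/lofi "$id"
}

detach() {
    # Export first: lofiadm refuses to detach a device that is still in use.
    zpool export "$POOL" || return 1
    # Detaching by backing file avoids having to remember /dev/lofi/N.
    lofiadm -d "$ZVOL"
}

case "${1:-}" in
    attach) attach ;;
    detach) detach ;;
    "")     ;;   # no argument: only define the functions (e.g. when sourced)
    *)      echo "usage: $0 attach|detach" >&2; exit 2 ;;
esac
```

Plug in the medium holding the key, run `sudo ./privpool.sh attach`, and the pool shows up under /vagrant-priv again; `sudo ./privpool.sh detach` exports it and drops the lofi mapping before you remove the medium. Both checks at the start of attach exist because on a lofi volume nothing but the raw key stands between someone holding the disk and the data: a wrong-sized key file is caught before it silently produces an unreadable device, and a world-readable key file is refused outright.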