Sun Microsystems, Inc.  Oracle System Handbook - ISO 7.0 May 2018 Internal/Partner Edition

Asset ID: 1-71-2032427.1
Update Date:2016-07-29

Solution Type: Technical Instruction

Solution 2032427.1: Oracle Key Manager (OKM) - ZFS Encrypted Filesystem Will Not Mount Without Prompting For Passphrase After Being Imported on Second Node


Related Items
  • Solaris Operating System
  • Oracle Key Manager
Related Categories
  • PLA-Support>Sun Systems>TAPE>Backup Software-Filesystems>SN-TP: Encryption

Created from <SR 3-11037769201>

Applies to:

Solaris Operating System - Version 11.1 and later
Oracle Key Manager - Version 2.4.1 and later
Information in this document applies to any platform.

Goal

In an Oracle Key Manager (OKM) and encrypted ZFS filesystem configuration, a filesystem is not mounted automatically after it is exported from one node and imported on another. When you then attempt to mount the ZFS filesystem manually on the second node, it prompts for the passphrase.

Steps to recreate the issue:

1. Created the zpool_test/encryption_test filesystem on Server A:
   # sudo zfs create -o encryption=aes-256-ccm -o keysource="raw,pkcs11:token=KMS;object=zfscrypto_key_256" zpool_test/encryption_test
2. The filesystem was mounted automatically on Server A.
3. Failed the pool over to Server B (zpool export on Server A, zpool import on Server B).
4. The filesystem did not mount automatically on Server B; a manual mount prompted for the passphrase.
 

Solution

This is expected behavior; it is how ZFS was designed to work with PKCS#11. The zfs_encrypt man page describes use cases for saving the PIN in a file and specifies that a URI is used for PKCS#11 key sources. On Solaris 12 (S12) the pinfile URI attribute is described in the pkcs11_parse_uri man page. It is not documented on Solaris 11 (S11); however, it has been verified to be present in the source code and to work.

So, customers can save the PIN to a secure file location on each node and then add that file to the keysource property. For example:

# echo "OKM agent PIN" > /root/okmpin

(This saves the agent PIN. The file must contain the PIN in clear text.)

# chmod 400 /root/okmpin

You may need to modify the permissions on the file depending on how you are importing and exporting the ZFS pool.

# zfs set keysource="raw,pkcs11:token=KMS;object=zfscrypto_key_256;pinfile=/root/okmpin" zpool_test/encryption_test

Then you can export and import the pool from any node that has the PIN in the pinfile, /root/okmpin, without having to mount the filesystem manually.

This change must be made for every encrypted filesystem.
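The following script is an added example, not part of this Oracle note, showing how the pinfile change above can be rolled out to every encrypted dataset under a pool on a node that already holds the PIN file. The PIN file path /root/okmpin and the pool name are placeholders; reading the PIN from stdin rather than typing echo "PIN" > file at a prompt keeps the PIN out of the shell history.

```shell
#!/bin/sh
# Added example (not from the Oracle note): store the OKM agent PIN with tight
# permissions, then add ;pinfile=... to the PKCS#11 keysource of every encrypted
# dataset under a pool. /root/okmpin and the pool name are assumed placeholders.

PINFILE=${PINFILE:-/root/okmpin}

# Write the agent PIN read from stdin into $1, created 0600 and then locked to 0400.
# Reading from stdin keeps the PIN out of the shell history, unlike echo at a prompt.
store_agent_pin() {
    IFS= read -r pin || return 1
    (umask 077 && printf '%s\n' "$pin" > "$1") && chmod 400 "$1"
}

# True only if $1 is a regular file with neither group nor other read bits set.
pinfile_is_private() {
    [ -f "$1" ] && [ -z "$(find "$1" \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]
}

# Append ;pinfile=$2 to a PKCS#11 keysource $1. Sources that already carry a
# pinfile attribute, or that are not pkcs11: URIs (passphrase, file://), are
# returned unchanged so the script is safe to re-run.
add_pinfile_to_keysource() {
    case $1 in
        *pinfile=*)                printf '%s\n' "$1" ;;
        raw,pkcs11:*|hex,pkcs11:*) printf '%s;pinfile=%s\n' "$1" "$2" ;;
        *)                         printf '%s\n' "$1" ;;
    esac
}

# For every dataset under pool $1 with encryption enabled, set the rewritten
# keysource. The pool must already be imported on this node.
apply_pinfile_to_pool() {
    pinfile_is_private "$PINFILE" || { echo "$PINFILE is missing or readable by others" >&2; return 1; }
    tab=$(printf '\t')
    zfs list -H -o name,encryption,keysource -r "$1" |
    while IFS=$tab read -r name enc ks; do
        [ "$enc" = off ] && continue
        new=$(add_pinfile_to_keysource "$ks" "$PINFILE")
        [ "$new" = "$ks" ] && continue
        echo "zfs set keysource=$new $name"
        zfs set keysource="$new" "$name"
    done
}

# Usage: first run "store_agent_pin /root/okmpin", type the PIN and press Enter;
# then "./okm_pinfile.sh zpool_test" on each node after the pool is imported there.
if [ $# -eq 1 ]; then
    apply_pinfile_to_pool "$1"
fi
```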
  Copyright © 2018 Oracle, Inc.  All rights reserved.