Sun Microsystems, Inc.  Oracle System Handbook - ISO 7.0 May 2018 Internal/Partner Edition

Asset ID: 1-71-2043971.1
Update Date: 2016-01-13
Solution Type: Technical Instruction

Solution 2043971.1: Oracle ZFS Storage Appliance: How To Use Encryption To Safely Secure Data, Ship Disks Or Appliance Without The Key, Then Restore The Key


Related Items
  • Oracle ZFS Storage ZS3-2
  • Oracle ZFS Storage ZS3-4
Related Categories
  • PLA-Support>Sun Systems>DISK>ZFS Storage>SN-DK: 7xxx NAS




In this Document
Goal
Solution
 List the current keys
 Create a new key
 Create a project and share with the new encryption key
 Create some data from the client side
 Display the key so it can be copied for later use
 Destroy the key
 Verify the data is no longer accessible
 Check the share settings
 Re-create the key
 Check the share settings
 Check the data availability


Applies to:

Oracle ZFS Storage ZS3-4 - Version All Versions to All Versions [Release All Releases]
Oracle ZFS Storage ZS3-2 - Version All Versions to All Versions [Release All Releases]
7000 Appliance OS (Fishworks)

Goal

This document walks through setting up an encryption key, creating some data on an encrypted share, deleting the key, verifying that the data is no longer available, re-creating the key, and then checking that the data is accessible again.

This process can be used to ship a disk tray with a pool, or a whole appliance, while the data remains unreadable because the key is missing from the system.

 

Solution

NOTE: In the example below, zfssa: is the CLI prompt of the ZFS Storage Appliance, and nfsclient# is the prompt of an NFS client with appropriate network access to that appliance.

 

List the current keys

zfssa:shares encryption local keys> list
Keys:

NAME     CREATED               CIPHER KEYNAME
key-000  2015-1-30 19:53:49    AES    test1
key-001  2015-5-6 21:10:05     AES    test2


Create a new key

zfssa:shares encryption local keys> create
zfssa:shares encryption local key-002 (uncommitted)> show
Properties:
                        cipher = AES
                           key =
                       keyname = (unset)

zfssa:shares encryption local key-002 (uncommitted)> set keyname=jeff
                       keyname = jeff (uncommitted)
zfssa:shares encryption local key-002 (uncommitted)> set key=jeff
error: invalid key "jeff"; Key is too short, must be 64 characters of hex (256 bits)
zfssa:shares encryption local key-002 (uncommitted)> set key=0000111122223333444455556666777788889999aaaabbbbccccddddeeeeffff
                           key = 0000111122223333444455556666777788889999aaaabbbbccccddddeeeeffff (uncommitted)
zfssa:shares encryption local key-002 (uncommitted)> commit
zfssa:shares encryption local keys> show
Keys:

NAME     CREATED               CIPHER KEYNAME
key-000  2015-1-30 19:53:49    AES    test1
key-001  2015-5-6 21:10:05     AES    test2
key-002  2015-8-13 15:57:53    AES    jeff
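The CLI rejects "jeff" because a key must be exactly 64 hexadecimal characters (256 bits), and the value used above is a visibly patterned placeholder chosen for readability rather than a key to reuse. As an added example that is not part of the Oracle document, the POSIX shell functions below generate a random key in the exact form "set key=" accepts and validate a candidate before it is pasted into the CLI; the function names are this example's own.

```shell
# Added example (not from the Oracle document). Produces and checks keys in the
# format the appliance requires: 64 hex characters, i.e. a 256-bit AES key.

# Print a fresh random 256-bit key as 64 lowercase hex characters.
# Reads 32 bytes from /dev/urandom and renders them with od.
gen_zfssa_key() {
    dd if=/dev/urandom bs=32 count=1 2>/dev/null \
        | od -An -v -tx1 \
        | tr -d ' \n'
}

# Return 0 if $1 is a well-formed key, 1 otherwise.
# Mirrors the CLI's own check: only hex digits, and exactly 64 of them.
validate_zfssa_key() {
    case "$1" in
        *[!0-9a-fA-F]*) return 1 ;;   # a non-hex character is present
    esac
    [ "${#1}" -eq 64 ]
}

# Example use: generate, validate, then print the ready-to-paste CLI line.
# The keyname "jeff" below is the one used in the document's walkthrough.
if [ "${0##*/}" = "zfssa_key.sh" ]; then
    key=$(gen_zfssa_key)
    validate_zfssa_key "$key" || { echo "bad key generated" >&2; exit 1; }
    echo "set keyname=jeff"
    echo "set key=$key"
fi
```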

 

Create a project and share with the new encryption key

zfssa:> shares project jeff
zfssa:shares jeff (uncommitted)> commit
zfssa:shares> select jeff
zfssa:shares jeff> filesystem cr1
zfssa:shares jeff/cr1 (uncommitted)> show
Properties:
        [...lots of lines deleted for brevity...]
                    mountpoint = /export/cr1 (inherited)
                       keyname = (default)
                      keystore = (default)

zfssa:shares jeff/cr1 (uncommitted)> set encryption=aes-256-ccm
                    encryption = aes-256-ccm (uncommitted)
zfssa:shares jeff/cr1 (uncommitted)> set keystore=
LOCAL  OKM
zfssa:shares jeff/cr1 (uncommitted)> set keystore=LOCAL
                      keystore = LOCAL (uncommitted)
zfssa:shares jeff/cr1 (uncommitted)> set keyname=jeff
                       keyname = jeff (uncommitted)
zfssa:shares jeff/cr1 (uncommitted)> commit

 

Create some data from the client side

nfsclient# mount zfssa:/export/cr1 /mnt
nfsclient# ls -l /mnt/cr1
nfsclient# echo testing > /mnt/cr1/testing.txt
nfsclient# echo there > /mnt/cr1/hi
nfsclient# ls -l /mnt/cr1
total 5
-rw-r--r--   1 root     root           6 Aug 13 16:01 hi
-rw-r--r--   1 root     root           8 Aug 13 16:00 testing.txt
nfsclient# mkdir -p /mnt/cr1/a/b/c/d
nfsclient# echo here > /mnt/cr1/a/b/c/d/down

 

Display the key so it can be copied for later use

Copy and paste the keyname and key to a safe location, separate from the appliance, where they will not be lost.


zfssa:> shares encryption local keys list
NAME     CREATED               CIPHER KEYNAME
key-000  2015-1-30 19:53:49    AES    test1
key-001  2015-5-6 21:10:05     AES    test2
key-002  2015-8-13 15:57:53    AES    jeff
zfssa:> shares encryption local keys select keyname=jeff show
Properties:
                        cipher = AES
                           key = 0000111122223333444455556666777788889999aaaabbbbccccddddeeeeffff
                       keyname = jeff

 

Destroy the key

zfssa:> shares encryption local keys destroy keyname=jeff
This key has the following dependent shares:

  pool-0/local/jeff/cr1

Destroying this key will render the data inaccessible. Are you sure? (Y/N) y

 

Verify the data is no longer accessible

nfsclient# ls -l /mnt/cr1
total 0
nfsclient# ls -l /mnt/cr1/a/b/c
/mnt/cr1/a/b/c: No such file or directory

 

Check the share settings

zfssa:> shares select jeff select cr1 show
Properties:
         [...lots of lines deleted for brevity...]
                    mountpoint = /export/cr1 (inherited)
                    encryption = aes-256-ccm
                     keystatus = unavailable
                canonical_name = pool-0/local/jeff/cr1
                       keyname = jeff
                      keystore = LOCAL
Errors:
        key_unavailable

 

The system can be shipped at this point and the data will be unreadable without the key.

 

Re-create the key

zfssa:> shares encryption local keys create
zfssa:shares encryption local key-002 (uncommitted)> set keyname=jeff
                       keyname = jeff (uncommitted)
zfssa:shares encryption local key-002 (uncommitted)> set key=0000111122223333444455556666777788889999aaaabbbbccccddddeeeeffff
                           key = 0000111122223333444455556666777788889999aaaabbbbccccddddeeeeffff (uncommitted)
zfssa:shares encryption local key-002 (uncommitted)> commit
Existing shares reference the key jeff from the LOCAL keystore.

Are you sure? (Y/N) y

 

Check the share settings

zfssa:> shares select jeff select cr1 get canonical_name mountpoint keystatus keystore keyname
                canonical_name = pool-0/local/jeff/cr1
                    mountpoint = /export/cr1 (inherited)
                     keystatus = available
                      keystore = LOCAL
                       keyname = jeff

 

Check the data availability

nfsclient# ls -lR /mnt/cr1
/mnt/cr1:
total 13
drwxr-xr-x   3 root     root           3 Aug 13 16:01 a
-rw-r--r--   1 root     root           6 Aug 13 16:01 hi
-rw-r--r--   1 root     root           8 Aug 13 16:00 testing.txt

/mnt/cr1/a:
total 5
drwxr-xr-x   3 root     root           3 Aug 13 16:01 b

/mnt/cr1/a/b:
total 5
drwxr-xr-x   3 root     root           3 Aug 13 16:01 c

/mnt/cr1/a/b/c:
total 5
drwxr-xr-x   2 root     root           3 Aug 13 16:01 d

/mnt/cr1/a/b/c/d:
total 4
-rw-r--r--   1 root     root           5 Aug 13 16:01 down
nfsclient# cat /mnt/cr1/a/b/c/d/down
here


Done

 


Copyright © 2018 Oracle, Inc.  All rights reserved.