Oracle System Handbook - ISO 7.0 May 2018 Internal/Partner Edition
Solution Type: Technical Instruction (Sure Solution)
Doc ID 2294174.1: Oracle ZFS Storage Appliance: Configuring Encryption with LOCAL Keys and Troubleshooting Tips

This document describes how to use LOCAL keys to encrypt shares on your ZFSSA, how to back up those keys, and various troubleshooting techniques related to local encryption keys.
Applies to:
Integrated Software for ZFS ZS3-x Arrays - Version All Versions to All Versions [Release All Releases]
Integrated Software for ZFS ZS4-x Arrays - Version All Versions to All Versions [Release All Releases]
Integrated Software for ZFS 7xx0 Arrays - Version All Versions to All Versions [Release All Releases]
Integrated Software for ZFS ZS5-x Arrays - Version All Versions to All Versions [Release All Releases]
7000 Appliance OS (Fishworks)

Goal
Assist in configuring the ZFSSA to use local encryption keys.
Solution
To configure the ZFS appliance you can use either the BUI or the CLI.

From the CLI go to:

    zs4-4:shares encryption local> show
    Properties:
                   master_passphrase =
    Children:

You must set a master passphrase 8 characters or longer. The master passphrase is used to generate an AES key for encrypting the keys stored in the LOCAL keystore. The key is derived with the PKCS#5 PBKDF algorithm; the salt it uses is randomly generated and managed by the system. If you try to create keys without the master_passphrase set you will see the following error:

    error: keystore local is not configured

Set the master passphrase and commit:

    zs4-4:shares encryption local> set master_passphrase
    Enter new master_passphrase:
    Re-enter new master_passphrase:
                   master_passphrase = ********* (uncommitted)
    zs4-4:shares encryption local> commit
    zs4-4:shares encryption local>

To set the master passphrase from the BUI click on Shares -> Encryption -> Local, fill out the Master Passphrase fields and click the Apply button.
Now your local keystore is configured and you can create keys. From the CLI go to shares -> encryption -> local -> keys -> create. There you set the keyname property; leave the key property blank and a new key value is generated for you when you commit.

    zs4-4:shares encryption local keys> create
    zs4-4:shares encryption local key-000 (uncommitted)> show
    Properties:
                        cipher = AES
                           key =
                       keyname = (unset)
    zs4-4:shares encryption local key-000 (uncommitted)>

The keys list shows each key's name, creation date, cipher and keyname:

    NAME       CREATED    CIPHER     KEYNAME
    zs4-4-brm06-a-0:shares encryption local keys>
To create a key in the BUI click on Shares, then Encryption, then Local, then click the + sign to add a new key. Fill out the key name and leave the Generate Key box checked. You will see your new key listed together with its creation date.
You can now create a share that uses your new key for encryption:

    ZS4-4:> shares select <PROJECT>
    ZS4-4:> filesystem <NAME>
    ZS4-4:> set encryption=aes-256-gcm
    ZS4-4:> set keystore=LOCAL
    ZS4-4:> set keyname=<KEY-NAME>

The steps below are optional and should be set to values matching your requirements:

    ZS4-4:> set share<nfs|smb|dav|ftp|sftp|tftp>=rw/ro....
    ZS4-4:> set root_permissions=777.....
    ZS4-4:> commit
To ensure encrypted shares and projects remain accessible, back up your appliance configuration and the LOCAL keystore key values. If a key becomes unavailable, any shares or projects that use it become inaccessible, and if a project's key is unavailable, new shares cannot be created in that project. Keys can become unavailable in the following ways:

Deleting an encryption key is a fast and effective way to make large amounts of data inaccessible. Keys can be deleted even if they are in use; if the key is in use, a warning is given and confirmation is required. All shares or projects using that key are unshared and can no longer be accessed by clients. Although deleting a LOCAL key renders its shares inaccessible, they can be made accessible again by recreating the same LOCAL key. If you might need a LOCAL key again to access its associated shares, back up the keyname and value before deleting the key; you can then restore that key later.
Back up any keys you have created and used to encrypt shares or projects. From the CLI go to shares -> encryption -> local -> keys, select your key and run show. Use whatever method you need to copy the 256-bit key value shown to a safe place.

    zs4-4:> shares encryption local keys
    zs4-4:shares encryption local keys> show
    Keys:
    NAME       CREATED    CIPHER     KEYNAME
    zs4-4:shares encryption local keys> select key-000
    zs4-4:shares encryption local key-000>

From the BUI click on Shares, then Encryption, then Local, then click the Pencil icon on your key's line. Use whatever method you need to copy the 256-bit key value shown to a safe place.
To restore a LOCAL key that was deleted, create a new LOCAL key with the same keyname and value as the deleted key. You must have recorded, or backed up, this information before the key was deleted.

About the stash object: there is a stash object for OKM encryption, located at /var/ak/stash/com/sun/ak/xmlrpc/keystore/. You will need to determine which one is your OKM stash, as the SFTP, LOCAL and other encryption keystores are also stored there. You can use a quick aknv -r like the one below to find the stash object:

    # aknv -r */obj | grep LOCAL
From the raw command line you can view the keys and master_passphrase with commands such as:

    zs4-4:raw> keystore.getKeys('LOCAL')
See the following document for additional information on this subject: Doc ID 1955509.1 (Encryption with the Oracle ZFS Storage Appliance).

References
<NOTE:1955509.1> - Encryption with the Oracle ZFS Storage Appliance
<NOTE:2286789.1> - Oracle ZFS Storage Appliance: Configuring Oracle Key Manager (OKM) and Troubleshooting Tips