Using Solaris and SPARC Networking and Virtualization

Using an https Keystore for ZFS Encryption


Overview


Recently I wrote about how to enable ZFS encryption for your home directory, in a way that accepts the wrapping key when first logging into the system. This works when it is your home directory. But what about other file systems or pools that you want to encrypt and you want to mount without intervention after a system reboot?

This discussion is about how to provide a wrapping key using an HTTPS service. For more details look at zfs_encrypt(1M).

As I often do, these examples use Solaris Zones. I am running Solaris 11.3 SRU 07. One Zone is the HTTPS server, and the second Zone is where I create the ZFS File Systems.

Configuring the HTTPS Service


Installing the Apache Web Server


The first step is to install the Apache web server package. Zones use the package group solaris-small-server by default, which does not include the Apache web server package.
root@myhttps:~# pkg install apache-22 
Packages to install: 7
Mediators to change: 3
Services to change: 2
Create boot environment: No
Create backup boot environment: No
DOWNLOAD PKGS FILES XFER (MB) SPEED
Completed 7/7 1035/1035 9.7/9.7 28.1M/s
PHASE ITEMS
Installing new actions 1241/1241
Updating package state database Done
Updating package cache 0/0
Updating image state Done
Creating fast lookup database Done
Updating package cache 3/3
root@myhttps:~#

Configuring SSL in Apache httpd.conf


I must extend the default HTTP configuration to enable the SSL service. A good starting configuration file is in the "samples-conf.d" directory.
root@myhttps:~# cd /etc/apache2/2.2/ 
root@myhttps:/etc/apache2/2.2# ls
conf.d envvars httpd.conf magic
mime.types original samples-conf.d
root@myhttps:/etc/apache2/2.2#

I like to save the original, especially if I want to show the differences easily. And I will append some comments to see where "ssl.conf" starts.
root@myhttps:/etc/apache2/2.2# cp -p httpd.conf Httpd.conf.orig 
root@myhttps:/etc/apache2/2.2#
root@myhttps:/etc/apache2/2.2# echo "###
> ### End of Original httpd.conf
> ###
> " >> httpd.conf

root@myhttps:/etc/apache2/2.2#
root@myhttps:/etc/apache2/2.2# cat samples-conf.d/ssl.conf >> httpd.conf
root@myhttps:/etc/apache2/2.2#
root@myhttps:/etc/apache2/2.2# cp -p httpd.conf Httpd.conf.ssl.orig
root@myhttps:/etc/apache2/2.2#

After modifying for my configuration here are the differences.
root@myhttps:/etc/apache2/2.2# diff httpd.conf Httpd.conf.ssl.orig  
47c47
< #Listen 80
---
> Listen 80
107c107
< ServerName 192.168.1.180
---
> ServerName 127.0.0.1
533,534c533
< #ServerName 127.0.0.1:443
< ServerName 192.168.1.180:443
---
> ServerName 127.0.0.1:443
553,554c552
< #SSLCertificateFile "/etc/apache2/2.2/server.crt"
< SSLCertificateFile "/etc/apache2/2.2/host180.crt"
---
> SSLCertificateFile "/etc/apache2/2.2/server.crt"
564,565c562
< #SSLCertificateKeyFile "/etc/apache2/2.2/server.key"
< SSLCertificateKeyFile "/etc/apache2/2.2/host180.key"
---
> SSLCertificateKeyFile "/etc/apache2/2.2/server.key"
root@myhttps:/etc/apache2/2.2#

I replaced "server." with "host180." because I want to make managing my files easier. You can leave the "server" version and update the file names below. I also turned off port 80, for http access, to prevent sending data in clear text.

Creating the Self Signed Root Certificate


The first step is to create a Root Certificate. I am putting the files into a "CA.d" directory that I create, so I can easily tell the CA files apart from the web server certificate(s) created later. I am using the prefix "host180CA" to identify anything having to do with the Root Certificate.
root@myhttps:/etc/apache2/2.2# mkdir CA.d 
root@myhttps:/etc/apache2/2.2#
root@myhttps:/etc/apache2/2.2# openssl genrsa -des3 -out CA.d/host180CA.key 2048
Generating RSA private key, 2048 bit long modulus
.................+++
....................................+++
e is 65537 (0x10001)
Enter pass phrase for CA.d/host180CA.key: XXX
Verifying - Enter pass phrase for CA.d/host180CA.key: XXX
root@myhttps:/etc/apache2/2.2#
root@myhttps:/etc/apache2/2.2# openssl req -x509 -new -nodes -key CA.d/host180CA.key \
-sha256 -days 1024 -out CA.d/host180CA.pem

Enter pass phrase for CA.d/host180CA.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:US
State or Province Name (full name) []:NJ
Locality Name (eg, city) []:MyTown
Organization Name (eg, company) []:Oracle
Organizational Unit Name (eg, section) []:SE
Common Name (e.g. server FQDN or YOUR name) []:192.168.1.180
Email Address []:steffen@steffen.steffen
root@myhttps:/etc/apache2/2.2#

Creating the Server Certificate


Now I create the certificates for this web server. I will be referencing the CA.d files from above. The server Certificates have the prefix "host180" because my IP address is 192.168.1.180. I am doing this to make it easier to recognize files.
root@myhttps:/etc/apache2/2.2# openssl genrsa -out host180.key 2048 
Generating RSA private key, 2048 bit long modulus
........................+++
...........................................+++
e is 65537 (0x10001)
root@myhttps:/etc/apache2/2.2#
root@myhttps:/etc/apache2/2.2# openssl req -new -key host180.key -out host180.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:US
State or Province Name (full name) []:NJ
Locality Name (eg, city) []:MyHost180
Organization Name (eg, company) []:Oracle
Organizational Unit Name (eg, section) []:SEweb
Common Name (e.g. server FQDN or YOUR name) []:192.168.1.180
Email Address []:host180@steffen.steffen
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
root@myhttps:/etc/apache2/2.2#
root@myhttps:/etc/apache2/2.2# openssl x509 -req -in host180.csr -CA CA.d/host180CA.pem \
-CAkey CA.d/host180CA.key -CAcreateserial -out host180.crt -days 1000 -sha256

Signature ok
subject=/C=US/ST=NJ/L=MyHost180/O=Oracle/OU=SEweb/CN=192.168.1.180/emailAddress=host180@steffen.steffen
Getting CA Private Key
Enter pass phrase for CA.d/host180CA.key: XXX
root@myhttps:/etc/apache2/2.2#

Here are all the files that end up getting created.
root@myhttps:/etc/apache2/2.2# ls -l 
total 398
drwxr-xr-x 2 root root 4 Jun 8 17:33 CA.d
-rw-r--r-- 1 root root 17 Jun 8 17:39 CA.srl
drwxr-xr-x 2 root sys 4 Jun 8 17:20 conf.d
-rw-r--r-- 1 root bin 896 Jun 8 17:20 envvars
-rw-r--r-- 1 root root 1306 Jun 8 17:39 host180.crt
-rw-r--r-- 1 root root 1058 Jun 8 17:37 host180.csr
-rw-r--r-- 1 root root 1675 Jun 8 17:36 host180.key
-rw-r--r-- 1 root bin 26114 Jun 8 17:29 httpd.conf
-rw-r--r-- 1 root bin 13673 Jun 8 17:20 Httpd.conf.orig
-rw-r--r-- 1 root bin 25975 Jun 8 17:26 Httpd.conf.ssl.orig
-rw-r--r-- 1 root bin 12958 Jun 8 17:20 magic
-rw-r--r-- 1 root bin 53011 Jun 8 17:20 mime.types
drwxr-xr-x 2 root sys 3 Jun 8 17:20 original
drwxr-xr-x 2 root sys 15 Jun 8 17:20 samples-conf.d
root@myhttps:/etc/apache2/2.2# ls CA.d/
host180CA.key host180CA.pem
root@myhttps:/etc/apache2/2.2#
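The CA and server certificate steps above, collected into one non-interactive script. This is an added example, not code from the post: it feeds the Distinguished Name with -subj instead of answering prompts, keeps the CA key unencrypted so it can run unattended (the post protects it with -des3), and adds a subjectAltName for the IP address, which the post's certificate carries only in the CN and which newer TLS clients no longer accept on its own. The address 192.168.1.180 and the host180 file names are the post's; the working directory is whatever you pass in, not /etc/apache2/2.2. It assumes openssl is installed.

```shell
#!/bin/sh
# Added example: non-interactive CA plus server certificate, then a chain
# check. Not part of the original post.
set -e

# make_certs DIR IP : create CA.d/host180CA.{key,pem} and host180.{key,csr,crt}
# under DIR, with the server certificate issued for IP. Returns 0 only when
# the server certificate verifies against the CA file.
make_certs() {
    dir=$1
    ip=$2
    mkdir -p "$dir/CA.d"

    # Root CA key and self-signed certificate (1024 days, as in the post).
    # The CA key is written unencrypted here so the script runs unattended.
    openssl genrsa -out "$dir/CA.d/host180CA.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$dir/CA.d/host180CA.key" -sha256 -days 1024 \
        -subj "/C=US/ST=NJ/L=MyTown/O=Oracle/OU=SE/CN=$ip" \
        -out "$dir/CA.d/host180CA.pem"

    # Server key and certificate signing request.
    openssl genrsa -out "$dir/host180.key" 2048 2>/dev/null
    openssl req -new -key "$dir/host180.key" \
        -subj "/C=US/ST=NJ/L=MyHost180/O=Oracle/OU=SEweb/CN=$ip" \
        -out "$dir/host180.csr"

    # Sign with the CA (1000 days, as in the post). The extension file adds
    # a subjectAltName for the IP address; this is an addition to the post.
    printf 'subjectAltName=IP:%s\n' "$ip" > "$dir/host180.ext"
    openssl x509 -req -in "$dir/host180.csr" -CA "$dir/CA.d/host180CA.pem" \
        -CAkey "$dir/CA.d/host180CA.key" -CAcreateserial -days 1000 -sha256 \
        -extfile "$dir/host180.ext" -out "$dir/host180.crt" 2>/dev/null

    # Check: the server certificate must chain to the CA file, because that
    # CA file is what the client side later copies into /etc/certs/CA/.
    openssl verify -CAfile "$dir/CA.d/host180CA.pem" "$dir/host180.crt" >/dev/null
}

# cert_san DIR : print the IP address carried in the server certificate's
# subjectAltName, so the extension can be confirmed after signing.
cert_san() {
    openssl x509 -in "$1/host180.crt" -noout -text \
        | sed -n 's/.*IP Address:\([0-9.]*\).*/\1/p'
}

# Usage: make_certs.sh WORKDIR [IP]   (IP defaults to the post's address)
if [ $# -ge 1 ]; then
    make_certs "$1" "${2:-192.168.1.180}" && echo "chain verifies; SAN=$(cert_san "$1")"
fi
```

Copy host180.crt and host180.key to the paths named in httpd.conf, and keep CA.d/host180CA.pem for the client side; the CA key itself never needs to leave the web server zone.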

Creating the ZFS Encryption Wrapping Key


I need a key that ZFS will use as the wrapping key. This is a short one. You may have some mechanism to create a longer one.
root@myhttps:/etc/apache2/2.2# pktool genkey keystore=file \
outkey=/var/apache2/2.2/htdocs/zfs-aes-256.key keytype=aes keylen=256

root@myhttps:/etc/apache2/2.2#
root@myhttps:/etc/apache2/2.2# chmod +r /var/apache2/2.2/htdocs/zfs-aes-256.key
root@myhttps:/etc/apache2/2.2# ls -l /var/apache2/2.2/htdocs/zfs-aes-256.key
-r--r--r-- 1 root root 32 Jun 8 17:41 /var/apache2/2.2/htdocs/zfs-aes-256.key
root@myhttps:/etc/apache2/2.2#

By default the key is readable only by the user that creates it, in this case "root". Apache runs as "daemon" by default, so if you don't make the key readable by all (or at least by that user), it cannot be served over HTTP/HTTPS.
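A check worth running before the key file is published, added here and not part of the post: a keysource=raw key for AES-256 must be exactly 32 bytes (the size pktool produced above), it must be readable by the web server's user, and it must not be writable by group or others. The helper that creates a sample key is a stand-in for pktool on systems without it and is labelled as such; on Solaris use the pktool command from the post. Keep in mind that a file under htdocs is served to any client that can reach port 443, so what limits exposure of the key is who can reach that port.

```shell
#!/bin/sh
# Added example: sanity checks on a raw ZFS wrapping-key file. Not from the post.

# check_raw_key FILE [BITS] : return 0 if FILE is a usable raw key for
# AES-BITS (default 256): right size, world-readable, not group/other writable.
check_raw_key() {
    f=$1
    bits=${2:-256}
    want=$((bits / 8))

    [ -f "$f" ] || { echo "$f: not a regular file" >&2; return 1; }

    size=$(wc -c < "$f" | tr -d ' ')
    if [ "$size" -ne "$want" ]; then
        echo "$f: $size bytes, expected $want for AES-$bits" >&2
        return 1
    fi

    # Mode string such as -r--r--r--: column 6 is the group write bit,
    # column 9 the other write bit, column 8 the other read bit.
    mode=$(ls -ld "$f" | cut -c1-10)
    case $mode in
        ?????w*|????????w?)
            echo "$f: writable by group or others ($mode)" >&2; return 1 ;;
    esac
    case $mode in
        ???????r??) ;;
        *) echo "$f: not world-readable ($mode); httpd runs as daemon" >&2; return 1 ;;
    esac
    return 0
}

# make_sample_key FILE [BYTES] : constructed stand-in for
#   pktool genkey keystore=file outkey=FILE keytype=aes keylen=256
# followed by the post's chmod +r. For illustration only.
make_sample_key() {
    dd if=/dev/urandom of="$1" bs="${2:-32}" count=1 2>/dev/null
    chmod 444 "$1"
}

# Usage: check_raw_key.sh /var/apache2/2.2/htdocs/zfs-aes-256.key
if [ $# -ge 1 ]; then
    check_raw_key "$1" && echo "$1: ok"
fi
```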

Starting the Web Server


Now that I have done all my configuration, let's start it up.
root@myhttps:/etc/apache2/2.2# svcs *apache* 
STATE STIME FMRI
disabled 17:20:17 svc:/network/http:apache22
root@myhttps:/etc/apache2/2.2#
root@myhttps:/etc/apache2/2.2# svcadm enable apache22
root@myhttps:/etc/apache2/2.2#
root@myhttps:/etc/apache2/2.2# svcs *apache*
STATE STIME FMRI
online 17:44:01 svc:/network/http:apache22
root@myhttps:/etc/apache2/2.2#

One final check to make sure all services are running fine.
root@myhttps:/etc/apache2/2.2# svcs -x 
root@myhttps:/etc/apache2/2.2#
root@myhttps:/etc/apache2/2.2# netstat -anf inet
...
TCP: IPv4
Local Address Remote Address Swind Send-Q Rwind Recv-Q State
-------------------- -------------------- ------- ------ ------- ------ -----------
127.0.0.1.5999 *.* 0 0 128000 0 LISTEN
*.111 *.* 0 0 128000 0 LISTEN
*.* *.* 0 0 128000 0 IDLE
*.111 *.* 0 0 128000 0 LISTEN
*.* *.* 0 0 128000 0 IDLE
*.22 *.* 0 0 128000 0 LISTEN
*.22 *.* 0 0 128000 0 LISTEN
127.0.0.1.4999 *.* 0 0 128000 0 LISTEN
127.0.0.1.25 *.* 0 0 128000 0 LISTEN
127.0.0.1.587 *.* 0 0 128000 0 LISTEN
*.* *.* 0 0 128000 0 IDLE
*.443 *.* 0 0 128000 0 LISTEN
*.* *.* 0 0 128000 0 IDLE
root@myhttps:/etc/apache2/2.2#

Everything looks good. On to the Zone where I will do the ZFS work.

Creating an Encrypted File System using a Keystore via HTTPS


Adding Self Signed Certificate to an HTTPS Client


I need to do two steps to be able to access the https service. First, I need to load the certificate for the web server into the local CA directory. I get this certificate using the "openssl" command.

Here is the complete output. To end the command, enter Control-D (^D). (It doesn't show up in the output.)

root@ezfs:~# openssl s_client -connect 192.168.1.180:443 
CONNECTED(00000003)
depth=0 C = US, ST = NJ, L = MyHost180, O = Oracle, OU = SEweb, CN = 192.168.1.180, emailAddress = host180@steffen.steffen
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = NJ, L = MyHost180, O = Oracle, OU = SEweb, CN = 192.168.1.180, emailAddress = host180@steffen.steffen
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=US/ST=NJ/L=MyHost180/O=Oracle/OU=SEweb/CN=192.168.1.180/emailAddress=host180@steffen.steffen
i:/C=US/ST=NJ/L=MyTown/O=Oracle/OU=SE/CN=192.168.1.180/emailAddress=steffen@steffen.steffen
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

subject=/C=US/ST=NJ/L=MyHost180/O=Oracle/OU=SEweb/CN=192.168.1.180/emailAddress=host180@steffen.steffen
issuer=/C=US/ST=NJ/L=MyTown/O=Oracle/OU=SE/CN=192.168.1.180/emailAddress=steffen@steffen.steffen
---
No client certificate CA names sent
---
SSL handshake has read 2055 bytes and written 463 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : DHE-RSA-AES256-GCM-SHA384
Session-ID: 552375FF9881568181BC0DCEBBD238D913DCB55381FD9A2ADED7413B00AC9078
Session-ID-ctx:
Master-Key: F8D5B3E7C4FF7B8396FAEC8FAEBA0865E8790335E1A09B9703F217125C5D3EB7220D79E24F4510C35F8E500DFFC1C06D
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - c1 35 38 cb eb 88 92 85-28 50 7e c5 cc 4f f8 4d .58.....(P~..O.M
0010 - 64 a7 61 7f 8f bb 09 8b-c3 b6 0b fe a4 1f 50 ce d.a...........P.
0020 - d5 b2 0c 82 97 9a 86 69-d2 76 ea d1 19 f3 40 fb .......i.v....@.
0030 - 0e 95 6b cd 9d e2 09 f5-de 52 bb 14 c7 f9 fc 6f ..k......R.....o
0040 - 1c 39 7f e3 3b 9a 9b 95-be 79 df 39 19 fc f3 6f .9..;....y.9...o
0050 - 6a 12 7a 5b b5 ea 1e 03-6f 44 01 b5 74 8b 7c 4f j.z[....oD..t.|O
0060 - 7a 61 8a d0 39 bb 7f 72-f1 99 81 57 57 2d b3 e1 za..9..r...WW-..
0070 - 70 82 1b 87 33 35 95 15-62 05 07 46 bc 6f ab f1 p...35..b..F.o..
0080 - c6 06 5a c3 4d 86 9d d0-db 2f 9a d4 70 97 98 9b ..Z.M..../..p...
0090 - 41 74 bb dd 03 33 7c dd-c2 20 ad bc ac c1 29 ad At...3|.. ....).
00a0 - de dd 72 8a 8b 32 74 10-8d 9b 45 38 f5 27 a3 d3 ..r..2t...E8.'..
00b0 - e1 f6 d1 d6 0b 07 6e 08-cf 76 2c 7a 51 25 c6 b3 ......n..v,zQ%..
Start Time: 1465422516
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
DONE
root@ezfs:~#

I need the text between the "BEGIN CERTIFICATE" and "END CERTIFICATE" lines, including those lines. I send the output to a file, and then remove everything except the "CERTIFICATE" part.
root@ezfs:~# openssl s_client -connect 192.168.1.180:443 > /tmp/host180.pem 
depth=0 C = US, ST = NJ, L = MyHost180, O = Oracle, OU = SEweb, CN = 192.168.1.180, emailAddress = host180@steffen.steffen
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = NJ, L = MyHost180, O = Oracle, OU = SEweb, CN = 192.168.1.180, emailAddress = host180@steffen.steffen
verify error:num=21:unable to verify the first certificate
verify return:1
DONE
root@ezfs:~#
root@ezfs:~# vi /tmp/host180.pem
root@ezfs:~#
root@ezfs:~# cat /tmp/host180.pem
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
root@ezfs:~#
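The same extraction without the vi session, as an added example that is not part of the post. It reads "openssl s_client" output and keeps only the first PEM block (the server certificate at depth 0), and it also pulls out the "Verify return code" line, which is the quickest way to tell whether the CA certificate has been picked up yet: the post's output shows 21 before the CA file is installed, and it becomes 0 afterwards. The sample output embedded below is constructed, with a fake certificate body. Redirecting stdin from /dev/null replaces the Control-D the post mentions.

```shell
#!/bin/sh
# Added example: pull the server certificate and the verify result out of
# "openssl s_client" output. Not from the post.

# pem_from_s_client : read s_client output on stdin, print the first
# -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- block only.
# (With -showcerts the chain follows; the second sed stops after block one.)
pem_from_s_client() {
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' \
        | sed '/^-----END CERTIFICATE-----$/q'
}

# verify_code : print the numeric "Verify return code" from s_client output.
# 20/21 mean the issuer is not trusted yet; 0 means the CA file is in place.
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | tail -n 1
}

# Constructed sample in the shape of the post's s_client session; the
# certificate body is not a real certificate.
SAMPLE='CONNECTED(00000003)
depth=0 C = US, ST = NJ, L = MyHost180, O = Oracle, OU = SEweb, CN = 192.168.1.180
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/ST=NJ/L=MyHost180/O=Oracle/OU=SEweb/CN=192.168.1.180
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIBconstructedNotARealCertificateBody0001
MIIBconstructedNotARealCertificateBody0002
-----END CERTIFICATE-----
subject=/C=US/ST=NJ/L=MyHost180/O=Oracle/OU=SEweb/CN=192.168.1.180
---
    Verify return code: 21 (unable to verify the first certificate)
---
DONE'

# Usage: pem_from_s_client.sh HOST:PORT > /tmp/host180.pem
# Without an argument the constructed sample is used instead of a server.
if [ $# -ge 1 ]; then
    openssl s_client -connect "$1" </dev/null 2>/dev/null | pem_from_s_client
else
    printf '%s\n' "$SAMPLE" | pem_from_s_client
    echo "verify return code: $(printf '%s\n' "$SAMPLE" | verify_code)"
fi
```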

I copy the file into the Certificate Authority directory.
root@ezfs:~# cp /tmp/host180.pem /etc/certs/CA/ 
root@ezfs:~#

Because this is a Self Signed Certificate, I also need the file I use to sign certificates. That is on the web server.
root@ezfs:~# scp guest@192.168.1.180:/etc/apache2/2.2/CA.d/host180CA.pem /tmp 
The authenticity of host '192.168.1.180 (192.168.1.180)' can't be established.
RSA key fingerprint is 1b:62:9b:5c:42:f9:44:c9:d1:81:99:c4:e3:c0:3f:0f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.180' (RSA) to the list of known hosts.
Password: XXX
host180CA.pem 100% |**********************************************| 1415 00:00
root@ezfs:~#
root@ezfs:~# cp /tmp/host180CA.pem /etc/certs/CA/
root@ezfs:~#

With both files in the directory, I refresh the CA service so that it reads the files.
root@ezfs:~# svcs *cert* 
STATE STIME FMRI
online 17:01:51 svc:/system/ca-certificates:default
root@ezfs:~#
root@ezfs:~# svcadm refresh ca-certificates
root@ezfs:~#
root@ezfs:~# svcs *cert*
STATE STIME FMRI
online 17:53:56 svc:/system/ca-certificates:default
root@ezfs:~#

An easy way I found to verify that this works is the "wget(1)" command. Its output is also useful for understanding why my certificates are not working.
root@ezfs:~# (cd /tmp ; wget https://192.168.1.180/zfs-aes-256.key ) 
--2016-06-08 17:54:10-- https://192.168.1.180/zfs-aes-256.key
Connecting to 192.168.1.180:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 32 [text/plain]
Saving to: ‘zfs-aes-256.key’
zfs-aes-256.key 100%[=================================>] 32 --.-KB/s in 0s
2016-06-08 17:54:10 (3.57 MB/s) - ‘zfs-aes-256.key’ saved [32/32]
root@ezfs:~#
root@ezfs:~# rm /tmp/zfs-aes-256.key
root@ezfs:~#

I delete the file right away as I only want it accessible via https.

Create the ZFS File Systems


Now to the real task at hand: creating a ZFS file system with encryption and the wrapping key accessed using https. I also create one that requires manual input to show the difference. I am using the "rpool/export" directory as my base.
root@ezfs:~# zfs list 
NAME USED AVAIL REFER MOUNTPOINT
rpool 61.6M 156G 144K /rpool
rpool/ROOT 58.1M 156G 144K legacy
rpool/ROOT/solaris-0 58.1M 156G 1.48G /
rpool/ROOT/solaris-0/var 2.60M 156G 174M /var
rpool/VARSHARE 3M 156G 2.76M /var/share
rpool/VARSHARE/pkg 296K 156G 152K /var/share/pkg
rpool/VARSHARE/pkg/repositories 144K 156G 144K /var/share/pkg/repositories
rpool/export 360K 156G 152K /export
rpool/export/home 256K 156G 152K /export/home
rpool/export/home/guest 152K 156G 152K /export/home/guest
root@ezfs:~#
root@ezfs:~# zfs create -o encryption=on \
-o keysource=passphrase,prompt rpool/export/prompt

Enter passphrase for 'rpool/export/prompt': XXX
Enter again: XXX
root@ezfs:~#
root@ezfs:~# zfs create -o encryption=on \
-o keysource=raw,https://192.168.1.180:443/zfs-aes-256.key rpool/export/https

root@ezfs:~#

I put some data into the two file systems to test with later.
root@ezfs:~# date > /export/https/date 
root@ezfs:~# date > /export/prompt/date
root@ezfs:~#
root@ezfs:~# ls /export/*
/export/home:
guest
/export/https:
date
/export/prompt:
date
root@ezfs:~# more /export/*/date
::::::::::::::
/export/https/date
::::::::::::::
Wednesday, June 8, 2016 05:59:59 PM EDT
::::::::::::::
/export/prompt/date
::::::::::::::
Wednesday, June 8, 2016 06:00:07 PM EDT
root@ezfs:~#
root@ezfs:~# zfs list
NAME USED AVAIL REFER MOUNTPOINT
rpool 61.9M 156G 144K /rpool
rpool/ROOT 58.1M 156G 144K legacy
rpool/ROOT/solaris-0 58.1M 156G 1.48G /
rpool/ROOT/solaris-0/var 2.60M 156G 174M /var
rpool/VARSHARE 3M 156G 2.76M /var/share
rpool/VARSHARE/pkg 296K 156G 152K /var/share/pkg
rpool/VARSHARE/pkg/repositories 144K 156G 144K /var/share/pkg/repositories
rpool/export 720K 156G 168K /export
rpool/export/home 256K 156G 152K /export/home
rpool/export/home/guest 152K 156G 152K /export/home/guest
rpool/export/https 172K 156G 172K /export/https
rpool/export/prompt 172K 156G 172K /export/prompt

root@ezfs:~#
root@ezfs:~# halt
[Connection to zone 'ezfs' pts/10 closed]

Validating Hands-Free Operation After a Reboot


The keys for encrypted ZFS file systems are only required when they are first accessed. I am using Solaris Zones, and don't want to reboot my system. So to simulate a reboot I "unload" the keys for all the file systems in the zone. (There is only one file system with a key here, but this would unload all of them if there were more than one.)
root@global# zfs key -u -r pool1/zones/ezfs 
root@global#
root@global# zoneadm -z ezfs boot
root@global#

Test and Manually Mount the "prompt" File System


Once the zone boots, let's check what data is available.
root@global# zlogin ezfs 
[Connected to zone 'ezfs' pts/10]
Last login: Wed Jun 8 17:05:53 2016 on pts/10
Oracle Corporation SunOS 5.11 11.3 March 2016
root@ezfs:~# 
root@ezfs:~# ls /export/*
/export/home:
guest
/export/https:
date
/export/prompt:
root@ezfs:~#
root@ezfs:~# more /export/*/date
Wednesday, June 8, 2016 05:59:59 PM EDT
root@ezfs:~#

As you can see, only the "https" directory shows the "date" file. I manually mount the "prompt" file system.
root@ezfs:~# zfs mount rpool/export/prompt 
Enter passphrase for 'rpool/export/prompt': XXX
root@ezfs:~#
root@ezfs:~# more /export/*/date
::::::::::::::
/export/https/date
::::::::::::::
Wednesday, June 8, 2016 05:59:59 PM EDT
::::::::::::::
/export/prompt/date
::::::::::::::
Wednesday, June 8, 2016 06:00:07 PM EDT
root@ezfs:~#

Now both "date" files are available.
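A scripted version of the check just performed, added here and not part of the post: instead of looking for the "date" files, list the encrypted datasets whose key is not loaded after boot, which are exactly the ones that will need a "zfs mount" plus a passphrase by hand. It reads the tab-separated output of "zfs list -H -o name,encryption,keysource,keystatus" on stdin; the encryption, keysource and keystatus property names are the Solaris 11 zfs(1M) ones as I know them, so confirm them against the man page on your release. The sample listing is constructed from the post's two datasets.

```shell
#!/bin/sh
# Added example: report encrypted datasets whose key is unavailable. Not from the post.

# unavailable_keys : read "name encryption keysource keystatus" lines
# (tab-separated, as zfs list -H prints them) on stdin and print
# "<name> <keysource>" for each encrypted dataset whose key is not loaded.
# Exit status is 1 when at least one such dataset exists, 0 otherwise.
unavailable_keys() {
    awk -F '\t' '
        $2 != "off" && $2 != "-" && $4 == "unavailable" {
            print $1, $3
            found = 1
        }
        END { exit found ? 1 : 0 }'
}

# sample_listing : constructed stand-in for
#   zfs list -H -o name,encryption,keysource,keystatus
# after the reboot in the post: the https-backed key loaded, the prompt one did not.
sample_listing() {
    printf 'rpool\toff\tnone\tnone\n'
    printf 'rpool/export/https\taes-128-ccm\traw,https://192.168.1.180:443/zfs-aes-256.key\tavailable\n'
    printf 'rpool/export/prompt\taes-128-ccm\tpassphrase,prompt\tunavailable\n'
}

# Usage on a Solaris host:
#   zfs list -H -o name,encryption,keysource,keystatus | unavailable_keys
# Run with "--sample" to try the constructed listing instead.
if [ "${1:-}" = "--sample" ]; then
    sample_listing | unavailable_keys || echo "some keys are not loaded"
fi
```

Because the exit status reflects the result, the function drops straight into an SMF method or a post-boot cron job that raises an alert when a key that should have come from the HTTPS keystore is missing.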

Summary


This was a quick and simple walk through of the steps to automatically mount an encrypted file system without using a local keysource file. Thank you and good luck with your ZFS experiences!

Steffen

Appreciations


Thanks to DarrenM for his repeated replies to my email requests for help, and to BartS for his quick reply as well.

Thank you to "The Data Center Overlords" for the high level steps that got me started on how to set up my own Certificate Authority and server certificates.

Revision History

(Other than minor typographical changes)

2016.06.08: Posted

2016.06.08: Created
