Example 1:
----------
Encrypted dataset with key scope of pool. Pool key in file:

    # zpool set keysource=raw,file:///rmdisk/keyring1/tank.key tank
    # zpool key -l tank
    $ zfs create -o encryption=on tank/home/bob/Documents
    $

Example 2:
----------
Encrypted dataset with key scope of pool, prompt for passphrase:

    # zpool set keysource=passphrase,prompt tank
    # zpool key -l tank
    Enter passphrase: ********
    Re-enter passphrase: ********
    #
    [ The Re-enter only happens the first time a passphrase is entered ]
    ...
    $ zfs create -o encryption=on tank/home/bob/Documents

Example 3:
----------
Changing the pool level key file:
The old key has to have been loaded before a key change can happen.

    # zpool set keysource=raw,file:///rmdisk/keyring1/200712 tank
    ...
    # zpool key -l tank
    ...
    # zpool key -c -o keysource=raw,file:///rmdisk/keyring2/200801 tank
    #

Example 4:
----------
Change the pool level passphrase:

    # zpool key -c tank
    Enter existing passphrase: ********
    Enter new passphrase: ********
    Re-enter new passphrase: ********
    #

Example 5:
----------
Key scope of dataset with raw key, generated by pktool, in a file:

    $ pktool genkey keystore=file outfile=mykey outdir=/rmdisk/stick-1 \
          keytype=aes keylen=256
    $ zfs create -o keyscope=dataset \
          -o keysource=raw,file:///rmdisk/stick-1/mykey tank/home/bob
    $ cd /tank/home/bob

Example 6:
----------
Hex version of key, generated by pktool with print=y, in file:

    $ pktool genkey keystore=file outfile=mykey outdir=/rmdisk/stick-1 \
          keytype=aes keylen=256 print=y
    Key Value ="5321de1dadc926b05eaf5f793686346b"
    $ echo "5321de1dadc926b05eaf5f793686346b\c" > /rmdisk/stick-1/mykey
    $ zfs create -o keyscope=dataset \
          -o keysource=hex,file:///rmdisk/stick-1/mykey tank/home/bob
    $ cd /tank/home/bob

Example 7:
----------
Hex version of key, generated by pktool with print=y, prompted:

    $ pktool genkey outfile=/dev/null keytype=aes keylen=256 print=y
    $ zfs create -o keyscope=dataset -o keysource=hex,prompt tank/home/bob
    Enter key: ********************************
    $

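Added example (not part of the original examples): a pre-flight check for the hex key files of Examples 6 and 7, rejecting group/other access, any non-hex byte (such as the trailing newline that \c suppresses in Example 6) and a length that does not match keylen. The function names, exit codes and sample files are this example's own; the value shown in Example 6 is 32 hex digits, i.e. 128 bits, so it fails a 256-bit check.

```shell
#!/bin/sh
# check_hex_key FILE KEYLEN_BITS
# Exit codes (this example's own convention):
#   0 ok, 2 not readable, 3 group/other access, 4 non-hex bytes, 5 wrong length
check_hex_key() {
    file=$1; bits=$2
    [ -f "$file" ] && [ -r "$file" ] || { echo "$file: not readable" >&2; return 2; }
    # Characters 5-10 of the ls mode string are the group and other bits.
    mode=$(ls -ld "$file" | cut -c5-10)
    [ "$mode" = "------" ] || { echo "$file: group/other access ($mode)" >&2; return 3; }
    total=$(wc -c < "$file" | tr -d ' ')
    hex=$(tr -cd '0-9a-fA-F' < "$file" | wc -c | tr -d ' ')
    # Every byte must be a hex digit; a trailing newline counts as an error.
    [ "$total" -eq "$hex" ] || { echo "$file: $((total - hex)) non-hex byte(s)" >&2; return 4; }
    # Four bits per hex digit: keylen=256 needs 64 digits, keylen=128 needs 32.
    [ "$hex" -eq $((bits / 4)) ] || {
        echo "$file: $((hex * 4))-bit key, expected $bits" >&2; return 5; }
    return 0
}

# Constructed sample files in directory $1, built from the value printed in Example 6.
make_samples() {
    ( umask 077
      printf '%s'   5321de1dadc926b05eaf5f793686346b > "$1/k128"       # no newline
      printf '%s\n' 5321de1dadc926b05eaf5f793686346b > "$1/k128_nl"    # trailing newline
      printf '%s'   5321de1dadc926b05eaf5f793686346b > "$1/k128_open"
      chmod 644 "$1/k128_open" )                                       # world-readable
}

# Demonstration run over the constructed samples.
dir=$(mktemp -d) && make_samples "$dir"
for t in "k128 128" "k128 256" "k128_nl 128" "k128_open 128"; do
    set -- $t
    check_hex_key "$dir/$1" "$2" && echo "$1 ($2-bit): ok" \
        || echo "$1 ($2-bit): rejected, code $?"
done
rm -rf "$dir"
```
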
Example 8:
----------
Key is a per dataset passphrase that we prompt for:

    $ zfs create -o keyscope=dataset -o keysource=passphrase,prompt tank/home/bob
    Enter passphrase:
    Re-enter passphrase:
    $

After reboot (or pool export/import) reload the key:

    $ zfs key -l tank/home/bob
    Enter passphrase:
    $ cd /tank/home/bob
    $

Example 9:
----------
Changing the passphrase for keyscope dataset:
[If the dataset was mounted it will remain mounted during the change]

    $ zfs key -c tank/home/bob
    Changing key for tank/home/bob
    Enter existing passphrase:
    Enter new passphrase:
    Re-Enter new passphrase:
    $

Example 10:
-----------
Key is a per dataset passphrase but it is stored in a file:

    $ zfs create -o keysource=passphrase,file:///rmdisk/stick-1/mypass \
          tank/home/bob
    $ zfs key -l tank/home/bob
    $

Example 11:
-----------
Key is stored in a pkcs11 token as a private object (i.e. the PIN is
required to view/use the key object).

    # First create the key with pktool
    $ pktool genkey keystore=pkcs11 token="Bob's Card" label=ek1 \
          keytype=aes keylen=256
    Enter PIN for Bob's Card: *****
    $
    $ zfs create -o keyscope=dataset \
          -o keysource=token,pkcs11://token="Bob's Card";label=ek1;getpin=prompt \
          tank/home/bob
    $ zfs key -l tank/home/bob
    Enter PIN for Bob's Card: ********
    $

Example 12:
-----------
Key is stored in a pkcs11 token as a public object (i.e. the PIN is NOT
required to view/use the key object). In this example keyscope is
inherited from a parent dataset.

    # zfs set keyscope=dataset tank/home
    $ zfs create -o keysource=token,pkcs11://token="Bob's Card";label=ek1 tank/home/bob
    $ zfs key -l tank/home/bob
    $

END OF EXAMPLES