author: Richard Laager <[email protected]> 2019-04-24 19:14:25 -0500
committer: Brian Behlendorf <[email protected]> 2019-04-24 17:14:24 -0700
commit: 2b127afb44d11bfddaf8ed95be18c7aefe7ea5de (patch)
tree: 5edf8577ae4fe75407bd008a4fa4063f29a287c6
parent: 6e81f9b21b1ba5649691d07143849665dd6108ad (diff)

Clarify and improve encryption documentation

- Remove the language that "all user data" is encrypted. This is to avoid misunderstandings or arguments about what is "user data", especially in light of "user properties".
- Document that properties are unencrypted.
- Document that snapshot names are unencrypted.
- For consistency with the rest of the zfs.8 man page, use "ZFS" as the generic noun, not (bolded) "zfs". The latter refers to the command. Likewise, use "ZFS" instead of "the kernel module".
- Give "a passphrase" as an example of a "user's key".

Reviewed-by: Tom Caputi <[email protected]>
Reviewed-by: Brian Behlendorf <[email protected]>
Reviewed-by: George Melikov <[email protected]>
Signed-off-by: Richard Laager <[email protected]>
Closes #8652

-rw-r--r-- man/man8/zfs.8 27
1 files changed, 14 insertions, 13 deletions
diff --git a/man/man8/zfs.8 b/man/man8/zfs.8
index a8e859bdc..3b118ac3e 100644
--- a/man/man8/zfs.8
+++ b/man/man8/zfs.8
@@ -2380,17 +2380,19 @@ configuration is not supported.
.Ss Encryption
Enabling the
.Sy encryption
-feature allows for the creation of encrypted filesystems and volumes.
-.Nm
-will encrypt all user data including file and zvol data, file attributes,
-ACLs, permission bits, directory listings, FUID mappings, and userused /
-groupused data.
-.Nm
-will not encrypt metadata related to the pool structure, including dataset
-names, dataset hierarchy, file size, file holes, and dedup tables. Key rotation
-is managed internally by the kernel module and changing the user's key does not
-require re-encrypting the entire dataset. Datasets can be scrubbed, resilvered,
-renamed, and deleted without the encryption keys being loaded (see the
+feature allows for the creation of encrypted filesystems and volumes. ZFS
+will encrypt file and zvol data, file attributes, ACLs, permission bits,
+directory listings, FUID mappings, and
+.Sy userused
+/
+.Sy groupused
+data. ZFS will not encrypt metadata related to the pool structure, including
+dataset and snapshot names, dataset hierarchy, properties, file size, file
+holes, and deduplication tables.
+.Pp
+Key rotation is managed by ZFS. Changing the user's key (e.g. a passphrase)
+does not require re-encrypting the entire dataset. Datasets can be scrubbed,
+resilvered, renamed, and deleted without the encryption keys being loaded (see the
.Nm zfs Cm load-key
subcommand for more info on key loading).
.Pp
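Review bot: In the new list of unencrypted metadata ("dataset and snapshot names, dataset hierarchy, properties, file size, file holes, ..."), "properties" is left unqualified even though the commit message says the change was prompted by confusion over "user properties". Consider writing "properties (including user properties)" so a reader does not assume that values they set themselves are covered by encryption. Separately, the added line "resilvered, renamed, and deleted without the encryption keys being loaded (see the" is 82 characters wide; rewrapping it would keep the source within 80 columns like the other lines in this hunk.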
@@ -2432,8 +2434,7 @@ read-only
.Sy encryptionroot
property.
.Pp
-Encryption changes the behavior of a few
-.Nm
+Encryption changes the behavior of a few ZFS
operations. Encryption is applied after compression so compression ratios are
preserved. Normally checksums in ZFS are 256 bits long, but for encrypted data
the checksum is 128 bits of the user-chosen checksum and 128 bits of MAC from