| field | value | date |
|---|---|---|
| author | Tom Caputi <[email protected]> | 2017-09-12 16:15:11 -0400 |
| committer | Tom Caputi <[email protected]> | 2017-10-11 16:54:48 -0400 |
| commit | 4807c0badb130ae70cf6f0887b4be1648f217f1a (patch) | |
| tree | cfc0312e79f82eceda66d142726a122191cea099 /man/man8/zfs.8 | |
| parent | 94d49e8f9bd2e58a783066327c84b7d3b605ac0f (diff) | |
Encryption patch follow-up
* PBKDF2 implementation changed to OpenSSL implementation.
* HKDF implementation moved to its own file and tests added to ensure correctness.
* Removed libzfs's now unnecessary dependency on libzpool and libicp.
* Ztest can now create and test encrypted datasets. This is currently disabled until issue #6526 is resolved, but otherwise functions as advertised.
* Several small bug fixes discovered after enabling ztest to run on encrypted datasets.
* Fixed coverity defects added by the encryption patch.
* Updated man pages for encrypted send / receive behavior.
* Fixed a bug where encrypted datasets could receive DRR_WRITE_EMBEDDED records.
* Minor code cleanups / consolidation.
Signed-off-by: Tom Caputi <[email protected]>
Diffstat (limited to 'man/man8/zfs.8')

| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | man/man8/zfs.8 | 56 |

1 files changed, 43 insertions, 13 deletions
diff --git a/man/man8/zfs.8 b/man/man8/zfs.8 index 5b8f251d1..27c750d7e 100644 --- a/man/man8/zfs.8 +++ b/man/man8/zfs.8 @@ -2179,18 +2179,31 @@ and .Sy pbkdf2iters . After entering an encryption key, the created dataset will become an encryption root. Any descendant datasets will -inherit their encryption key from the encryption root, meaning that loading, -unloading, or changing the key for the encryption root will implicitly do the -same for all inheriting datasets. If this inheritence is not desired, simply -supply a new -.Sy encryption -and +inherit their encryption key from the encryption root by default, meaning that +loading, unloading, or changing the key for the encryption root will implicitly +do the same for all inheriting datasets. If this inheritance is not desired, +simply supply a .Sy keyformat when creating the child dataset or use .Nm zfs Cm change-key -to break the relationship. The one exception is that clones will always use -their origin's encryption key. Encryption root inheritence can be tracked via -the read-only +to break an existing relationship, creating a new encryption root on the child. +Note that the child's +.Sy keyformat +may match that of the parent while still creating a new encryption root, and +that changing the +.Sy encryption +property alone does not create a new encryption root; this would simply use a +different cipher suite with the same key as its encryption root. The one +exception is that clones will always use their origin's encryption key. +As a result of this exception, some encryption-related properties (namely +.Sy keystatus , +.Sy keyformat , +.Sy keylocation , +and +.Sy pbkdf2iters ) +do not inherit like other ZFS properties and instead use the value determined +by their encryption root. Encryption root inheritance can be tracked via the +read-only .Sy encryptionroot property. .Pp 
@@ -3165,7 +3178,10 @@ feature enabled. If the .Sy lz4_compress feature is active on the sending system, then the receiving system must have -that feature enabled as well. +that feature enabled as well. Datasets that are sent with this flag may not be +received as an encrypted dataset, since encrypted datasets cannot use the +.Sy embedded_data +feature. See .Xr zpool-features 5 for details on ZFS feature flags and the @@ -3248,7 +3264,10 @@ Include the dataset's properties in the stream. This flag is implicit when .Fl R is specified. -The receiving system must also support this feature. +The receiving system must also support this feature. Sends of encrypted datasets +must use +.Fl w +when using this flag. .It Fl v, -verbose Print verbose information about the stream package generated. This information includes a per-second report of how much data has been sent. @@ -3339,8 +3358,10 @@ feature enabled. If the .Sy lz4_compress feature is active on the sending system, then the receiving system must have -that feature enabled as well. Note that streams generated using this flag are -unable to be received into an encrypted dataset. +that feature enabled as well. Datasets that are sent with this flag may not be +received as an encrypted dataset, since encrypted datasets cannot use the +.Sy embedded_data +feature. See .Xr zpool-features 5 for details on ZFS feature flags and the 
@@ -3463,6 +3484,15 @@ is a special case because, even if is a read-only property and cannot be set, it's allowed to receive the send stream as a clone of the given snapshot. .Pp +Raw encrypted send streams (created with +.Nm zfs Cm send Fl w +) may only be received as is, and cannot be re-encrypted, decrypted, or +recompressed by the receive process. Unencrypted streams can be received as +encrypted datasets, either through inheritance or by specifying encryption +parameters with the +.Fl o +options. +.Pp The name of the snapshot .Pq and file system, if a full stream is received that this subcommand creates depends on the argument type and the use of the |
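Review bot: In the @@ -2179 hunk, "As a result of this exception, some encryption-related properties (namely keystatus, keyformat, keylocation, and pbkdf2iters) do not inherit like other ZFS properties" presents the clone exception as the cause of the special inheritance rule, but the preceding sentences already say that every descendant takes its key from its encryption root unless a new root is created, so the rule holds whether or not clones exist. Suggest dropping "As a result of this exception" and stating directly that these properties take their value from the dataset's encryption root, naming clones as the one case where that root can differ from the parent's. The rest of the rewording is an improvement: the old text ("supply a new .Sy encryption and .Sy keyformat") implied both properties were needed to create a new encryption root, and the new text correctly limits that to .Sy keyformat and spells out that changing .Sy encryption alone only selects a different cipher suite under the same key.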
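Review bot: In the @@ -3165 hunk, "Datasets that are sent with this flag may not be received as an encrypted dataset" reads as a permission statement rather than a hard restriction; since the stated reason is that encrypted datasets cannot use the .Sy embedded_data feature, "cannot be received as an encrypted dataset" says what is meant and matches the old "unable to be received" wording that the @@ -3339 hunk replaces. Suggest changing "may not be" to "cannot be" here and in the duplicate sentence below.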
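Review bot: In the @@ -3248 hunk, "Sends of encrypted datasets must use .Fl w when using this flag" states a requirement without its reason, and because the two lines just above say .Fl p is implicit when .Fl R is specified, the same requirement applies to a replication send (.Fl R) of an encrypted dataset without the text saying so. Suggest making both explicit, e.g. "Sends of encrypted datasets with .Fl p or .Fl R must also use .Fl w", and adding a short clause on why (or a pointer to the .Fl w description) so the reader knows what fails when the flag is omitted.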
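Review bot: In the @@ -3339 hunk, the added sentence is word-for-word identical to the one added in the @@ -3165 hunk, so the two send sections now carry a duplicated paragraph that will have to be kept in sync by hand; if the man page's structure needs the restriction stated in both places, consider one sentence with a cross-reference from the other, and in any case apply the same "cannot be received" wording to both copies. The replaced line ("Note that streams generated using this flag are unable to be received into an encrypted dataset") was already clear on the restriction itself; the useful addition is the reason (encrypted datasets cannot use .Sy embedded_data), which is worth keeping.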
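Review bot: In the @@ -3463 hunk, the closing parenthesis after ".Nm zfs Cm send Fl w" sits at the start of a separate text line ("+) may only be received as is"), so it is rendered as ordinary text and gets a space before it ("zfs send -w )"). The file already has two conventions for this that avoid the stray space: put the delimiter on the macro line as a trailing argument (".Nm zfs Cm send Fl w )", the form the @@ -2179 hunk uses for ".Sy pbkdf2iters )"), or use the .Pq macro as the unchanged ".Pq and file system" line just below does. Separately, "Unencrypted streams can be received as encrypted datasets" is stated without the exception the send-side hunks add (streams created with the embedded-data flag cannot be received as encrypted datasets); a one-line cross-reference here would keep the receive description consistent with the send description.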