
Encryption

Encryption at rest via ZFS native encryption or LUKS. The key never touches PutFS.

ZFS native encryption (per-dataset)

zfs create \
    -o encryption=aes-256-gcm \
    -o keylocation=prompt \
    -o keyformat=passphrase \
    tank/putfs/acme-corp/sensitive

Key management

# Load key (after reboot)
zfs load-key tank/putfs/acme-corp/sensitive

# Change key
zfs change-key tank/putfs/acme-corp/sensitive

# Key from file
zfs create \
    -o encryption=aes-256-gcm \
    -o keylocation=file:///etc/zfs/keys/sensitive.key \
    -o keyformat=raw \
    tank/putfs/acme-corp/sensitive
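Added example, not part of the PutFS docs: a small POSIX sh helper around the keylocation=file:// variant above. It assumes the /etc/zfs/keys layout from this page and hypothetical helper names (putfs_*); the 32-byte size is ZFS's own requirement for keyformat=raw, and a key that fails it is rejected at zfs create time, so checking first avoids a half-created dataset.

```sh
#!/bin/sh
# Helpers for raw ZFS key files (added example; helper names are hypothetical).
# keyformat=raw requires a key of exactly 32 bytes, and the file should be
# readable by root only, since anyone who can read it can unlock the dataset.

RAW_KEY_BYTES=32

# Generate a raw 32-byte key with mode 0400 (umask applied in a subshell so the
# caller's umask is untouched).
putfs_make_raw_key() {
    keyfile="$1"
    ( umask 077; head -c "$RAW_KEY_BYTES" /dev/urandom > "$keyfile" ) || return 1
    chmod 0400 "$keyfile"
}

# Verify a key file is usable as keyformat=raw and not group/world readable.
# Returns 0 when ok, 1 on wrong size, 2 on loose permissions, 3 when missing.
putfs_check_raw_key() {
    keyfile="$1"
    [ -f "$keyfile" ] || return 3
    size=$(wc -c < "$keyfile" | tr -d ' ')
    [ "$size" -eq "$RAW_KEY_BYTES" ] || return 1
    # GNU stat first, BSD stat as fallback; both print the octal mode bits.
    mode=$(stat -c %a "$keyfile" 2>/dev/null || stat -f %Lp "$keyfile")
    case "$mode" in
        400|600) return 0 ;;
        *) return 2 ;;
    esac
}

# Print the zfs create command for a dataset, but only after the key file
# passes the checks above. Exit status mirrors putfs_check_raw_key on failure.
putfs_zfs_create_cmd() {
    dataset="$1"
    keyfile="$2"
    putfs_check_raw_key "$keyfile" || return $?
    printf 'zfs create -o encryption=aes-256-gcm -o keylocation=file://%s -o keyformat=raw %s\n' \
        "$keyfile" "$dataset"
}
```

Typical use: `putfs_make_raw_key /etc/zfs/keys/sensitive.key && putfs_zfs_create_cmd tank/putfs/acme-corp/sensitive /etc/zfs/keys/sensitive.key | sh`, then confirm with `zfs get keystatus tank/putfs/acme-corp/sensitive` that the key is available.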

LUKS (any filesystem)

Full-disk or per-partition encryption. Works with ext4, XFS, btrfs:

# Create encrypted volume
cryptsetup luksFormat /dev/sda1
cryptsetup open /dev/sda1 putfs-data
mkfs.ext4 /dev/mapper/putfs-data
mount /dev/mapper/putfs-data /srv/putfs

Less granular than ZFS (whole volume, not per-dataset), but works on any filesystem.

Further reading