Encryption

From Open-E Wiki

Encryption protects data stored in datasets and zvols within a ZFS pool (zpool). The encryption feature is available for every zpool, but encrypted resources can be created only after you configure a pool-wide encryption passphrase.

Key characteristics:

  • Encryption applies to datasets and zvols; the zpool itself is not encrypted.
  • All encrypted resources in one zpool share the same passphrase.
  • Datasets and zvols can only be encrypted during their creation.
  • You can later change the pool-wide encryption passphrase and the default encryption method.

Use encryption when you need at-rest data protection within a specific zpool.


Configuring resource encryption

  1. Go to Storage.
  2. Select the zpool you want to configure.
  3. Open the Configuration tab.
  4. Expand the Resource encryption section.


You will see either the initial configuration fields or the current encryption status, depending on whether a passphrase has already been configured for the zpool (either earlier or during zpool creation). When no passphrase is configured for a zpool, the Resource encryption section shows:

  • Default encryption method – algorithm that is preselected in the drop-down list and used by default for new encrypted datasets and zvols in this zpool, if you do not choose a different method during resource creation.
  • Encryption passphrase – shared passphrase used to unlock all encrypted resources in this zpool.
  • Confirm passphrase – repeat the passphrase for verification.


Enter the passphrase twice, select the default method, and then click Save settings.

Important: The passphrase cannot be recovered if it is lost. Without the passphrase, encrypted resources in this zpool cannot be accessed. 


Once the passphrase is configured, you can start creating encrypted datasets and zvols in this zpool. More details on how to use encryption in resources can be found here:

  • Create a new zvol for iSCSI Target
  • Create a new zvol for FC Group
  • Create a new dataset

Notes:

  • Encryption can be enabled only at creation time. Existing datasets and zvols cannot be switched to encrypted mode by editing their properties.
  • To protect existing data that is currently unencrypted, you must:
    • Create a new encrypted dataset or zvol.
    • Copy or replicate data from the old resource to the new encrypted one.
    • Remove the unencrypted original if it is no longer needed.


Managing a zpool with configured resource encryption

When a passphrase is already configured, the Resource encryption section shows:

  • Passphrase status (for example, configured).
  • Default encryption method.
  • Buttons:
    • Change passphrase
    • Change encryption method


Changing the encryption passphrase

  1. Click Change passphrase.
  2. In the dialog:
    1. Enter New passphrase.
    2. Confirm passphrase.
    3. Enter the Administrator password to authorize the change.
  3. Click Change passphrase.

After you confirm the change, the new passphrase is propagated to all existing encrypted datasets and zvols in the zpool. This synchronization may take some time, depending on the number of encrypted resources. A notification of the operation's start and completion is recorded in Event Viewer.

While the synchronization is in progress, the User Interface is locked for changes and cannot be used until the operation finishes. 


Changing the default encryption method

  1. Click Change encryption method.
  2. Select a new Default encryption method from the drop-down list.
  3. Click Save method.

The selected method is displayed as the default only for encrypted datasets and zvols created after this change. Existing encrypted resources keep their original encryption method, which cannot be changed.


Available encryption methods

The following methods are available for resource encryption:

AES-128-CCM

  • AES with a 128-bit key in CCM (Counter with CBC-MAC) mode.
  • Provides authenticated encryption with moderate CPU usage.
  • Suitable when you need a balance between performance and security.

AES-192-CCM

  • AES with a 192-bit key in CCM mode.
  • Higher security margin than 128-bit, with slightly higher CPU cost.
  • Use when you prefer stronger keys and can accept a small performance impact.

AES-256-CCM

  • AES with a 256-bit key in CCM mode.
  • Maximum key length in the CCM group.
  • Use when the security margin is more important than performance.

AES-128-GCM

  • AES with a 128-bit key in GCM (Galois/Counter Mode).
  • Authenticated encryption optimized for performance on modern CPUs.
  • Good choice when you need strong encryption with high throughput.

AES-192-GCM

  • AES with a 192-bit key in GCM mode.
  • Increases key size over AES-128-GCM while remaining performant.
  • Use when you want a higher security margin but similar behavior to AES-128-GCM.

AES-256-GCM

  • AES with a 256-bit key in GCM mode.
  • Provides strong authenticated encryption and is widely used as a best-practice choice.
  • Recommended default when your hardware can handle the additional CPU load.


Handling invalid or missing passphrase

If the encryption passphrase is invalid or not configured on the current host, all encrypted datasets and zvols in the affected zpool are locked and cannot be accessed. When a locked zvol is attached to an iSCSI target, FC group, or NVMe-oF subsystem, these objects are effectively blocked as well, and no data can be accessed through them. For an encrypted dataset, all shares configured on it are also blocked.

To restore access, enter the correct passphrase in Configuration → Resource encryption for the zpool. After a valid passphrase is provided, all locked, encrypted resources are automatically unlocked and become active again, provided that the related targets, groups, subsystems, or datasets were not manually deactivated beforehand.

Such situations may occur, for example, when a zpool is imported on a different host or moved between cluster nodes. In a cluster environment, the passphrase is usually synchronized between nodes, so after a failover, the other node already has the required passphrase. However, if the passphrase change operation was interrupted, some encrypted resources may have been updated to the new passphrase while others still use the old one. On the original host, access may still work, but after exporting the zpool and importing it on another host, some or all encrypted resources can become partially locked. In this case, an event is recorded in the Event Viewer indicating that the passphrase change did not complete successfully.

If this happens, first try to unlock the resources by entering the latest passphrase (the one you intended to change to). If this does not unlock all encrypted resources, enter the previous passphrase (the one used before the change), allow the passphrase change process to complete, and then change the passphrase again to the desired new value. This sequence should unify the passphrase across all encrypted resources in the zpool. Always monitor Event Viewer logs when working with encrypted resources and when changing passphrases.
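
Added example (not part of the Open-E documentation): a read-only check that classifies the resources of a zpool as unencrypted, locked, or unlocked, covering both the migration note for unencrypted resources and the partially locked case described above. It assumes shell access to the standard OpenZFS `zfs get` command, which this page does not describe; the pool name, resource names, and sample output are constructed.

```python
from collections import defaultdict

# Constructed sample of the tab-separated output of (assumed to be available):
#   zfs get -H -r -t filesystem,volume -o name,property,value encryption,keystatus Pool-0
# Pool and resource names are made up for illustration.
SAMPLE = "\n".join([
    "Pool-0\tencryption\toff",
    "Pool-0\tkeystatus\t-",
    "Pool-0/legacy-share\tencryption\toff",
    "Pool-0/legacy-share\tkeystatus\t-",
    "Pool-0/finance\tencryption\taes-256-gcm",
    "Pool-0/finance\tkeystatus\tavailable",
    "Pool-0/vm-zvol\tencryption\taes-128-ccm",
    "Pool-0/vm-zvol\tkeystatus\tunavailable",
])


def audit(zfs_get_output, pool):
    """Classify every dataset/zvol below `pool` by its encryption state."""
    props = defaultdict(dict)
    for line in zfs_get_output.splitlines():
        if not line.strip():
            continue
        name, prop, value = line.split("\t", 2)
        props[name][prop] = value

    report = {"unencrypted": [], "locked": [], "unlocked": [], "methods": {}}
    for name, p in sorted(props.items()):
        if name == pool:
            continue  # the zpool itself is not an encrypted resource
        method = p.get("encryption", "off")
        if method == "off":
            report["unencrypted"].append(name)  # protect only by migrating data
            continue
        report["methods"][name] = method        # fixed when the resource was created
        if p.get("keystatus") == "available":
            report["unlocked"].append(name)
        else:
            report["locked"].append(name)       # passphrase missing or not matching
    # Locked and unlocked resources side by side is the state the page
    # attributes to an interrupted passphrase change.
    report["partially_locked"] = bool(report["locked"] and report["unlocked"])
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(audit(SAMPLE, "Pool-0"), indent=2))
```

A `partially_locked` result of true after an import or failover is the cue to check Event Viewer for an incomplete passphrase change and follow the recovery sequence above.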