I have got this encrypted dataset:

```

NAME PROPERTY VALUE SOURCE

tank/storage/test encryption aes-256-ccm -

```

as you can see, the key source is "-". The system mounts the dataset just fine automatically after a reboot. I am wondering where is the key is stored?

Look for "keylocation" "keyformat" and "pbkdf2iters" properties in this dataset?

`zfs get keylocation,keyformat,pbkdf2iters tank/storage/test ` ?

And that's not the "key source" that's the "Source of who set this property".

E.g.

[root@moe (kebecloud) ~]# zfs get volblocksize zones/swap

NAME PROPERTY VALUE SOURCE

zones/swap volblocksize 4K -

[root@moe (kebecloud) ~]#

That swap zvol was created with 4k.

zones/swap sync always local

Changed locally.

My unencrypted boot pool's top-level ZFS filesystem has encryption properties even if it's a cleartext one:

bootpool encryption off default

bootpool keylocation none default

bootpool keyformat none default

bootpool pbkdf2iters 0 default

I'll bet yours, szilard , are far more instructive.

SOURCE column is not for key source, it is where from the property value is coming.

^^^ better stated than what I said (And that's not the "key source"....)

Thanks for the hints!

It says:

NAME PROPERTY VALUE SOURCE

tank/storage/test keylocation prompt local

tank/storage/test keyformat passphrase -

tank/storage/test pbkdf2iters 350000 -

so, if you enter. zfs load-key tank/storage/test, it will prompt for key

And what happens if i misremember the key

it will ask again:)

I dont want to risk locking the currently unlocked dataset.

it does not have built in locking system.

I wrote down the key, but i havent tested if it works and already stored some important info on the dataset. I am not prepared for the worst outcome.

pbkdf2iters will ensure you will not to get next try too quick, but thats about it.

Ok, i dont have the key here with me, so the test needs to wait till i get it. But thanks, i'll definetely test it.

Do i assume it correctly it will ask for the key and if the correct key entered it will somehow communicate the key is OK?

it will test if key is decrypting key, if so, the key is loaded into internal keystore and command will exit with status 0 (echo $?)

There arent too many up-to-date blogs about Solaris, but i found this, it can be interesting for you guys: c0t0d0s0.org

tsoome: thanks!

after that you can access the data as the data access functions will pick the key from keystore automatically

But i still dont know how the encrypted dataset gets mounted at boot. It didnt asks for a key, so it must be stored somewhere, or some trick is used.

the passphrase is converted to the actual key by pbkdf2 key derivation function.

mount does not really imply having the key

but accessing the data does

I can access the content of the dataset without needing to supply any key after the reboot.

um, are you sure the dataset is actually mounted?

maybe you did copy data to mountpoint and the dataset is in fact not mounted?

I am using the dataset attached to a sparse zone. Let me check...

you can check with df/mount/grep datasetname /etc/mnttab

Yep, it isnt mounted. I wrote into the mountpoint. Yeez.!

I need to fix this asap. Thanks for your help!

yw