20:24:43 I have got this encrypted dataset:
20:24:46 ```
20:24:48 NAME PROPERTY VALUE SOURCE
20:24:51 tank/storage/test encryption aes-256-ccm -
20:24:54 ```
20:24:56 as you can see, the key source is "-". The system mounts the dataset just fine automatically after a reboot. I am wondering where the key is stored?
21:07:25 Look for "keylocation" "keyformat" and "pbkdf2iters" properties in this dataset?
21:07:47 `zfs get keylocation,keyformat,pbkdf2iters tank/storage/test` ?
21:08:31 And that's not the "key source" that's the "Source of who set this property".
21:08:53 E.g.
21:09:37 [root@moe (kebecloud) ~]# zfs get volblocksize zones/swap
21:09:37 NAME PROPERTY VALUE SOURCE
21:09:37 zones/swap volblocksize 4K -
21:09:39 [root@moe (kebecloud) ~]#
21:09:44 That swap zvol was created with 4k.
21:10:03 zones/swap sync always local
21:10:08 Changed locally.
21:11:43 My unencrypted boot pool's top-level ZFS filesystem has encryption properties even if it's a cleartext one:
21:11:46 bootpool encryption off default
21:11:47 bootpool keylocation none default
21:11:47 bootpool keyformat none default
21:11:48 bootpool pbkdf2iters 0 default
21:12:23 I'll bet yours, szilard, are far more instructive.
21:20:02 SOURCE column is not for key source, it is where the property value is coming from.
21:31:13 ^^^ better stated than what I said (And that's not the "key source"....)
21:36:22 Thanks for the hints!
21:36:27 It says:
21:36:30 NAME PROPERTY VALUE SOURCE
21:36:31 tank/storage/test keylocation prompt local
21:36:31 tank/storage/test keyformat passphrase -
21:36:31 tank/storage/test pbkdf2iters 350000 -
21:38:08 so, if you enter zfs load-key tank/storage/test, it will prompt for key
21:43:15 And what happens if I misremember the key
21:44:06 it will ask again:)
21:44:24 I don't want to risk locking the currently unlocked dataset.
21:45:26 it does not have a built-in locking system.
21:45:52 I wrote down the key, but I haven't tested if it works and already stored some important info on the dataset. I am not prepared for the worst outcome.
21:46:30 pbkdf2iters will ensure you will not get the next try too quickly, but that's about it.
21:47:41 Ok, I don't have the key here with me, so the test needs to wait till I get it. But thanks, I'll definitely test it.
21:48:58 Do I assume correctly that it will ask for the key and if the correct key is entered it will somehow communicate the key is OK?
21:51:10 it will test if key is decrypting key, if so, the key is loaded into internal keystore and command will exit with status 0 (echo $?)
21:51:23 There aren't too many up-to-date blogs about Solaris, but I found this, it can be interesting for you guys: https://www.c0t0d0s0.org/
21:51:39 tsoome: thanks!
21:52:02 after that you can access the data as the data access functions will pick the key from keystore automatically
21:52:50 But I still don't know how the encrypted dataset gets mounted at boot. It didn't ask for a key, so it must be stored somewhere, or some trick is used.
21:52:53 the passphrase is converted to the actual key by pbkdf2 key derivation function.
21:53:27 mount does not really imply having the key
21:53:50 but accessing the data does
21:54:09 I can access the content of the dataset without needing to supply any key after the reboot.
21:55:08 um, are you sure the dataset is actually mounted?
21:55:55 maybe you did copy data to mountpoint and the dataset is in fact not mounted?
21:56:35 I am using the dataset attached to a sparse zone. Let me check...
21:56:44 you can check with df/mount/grep datasetname /etc/mnttab
22:02:15 Yep, it isn't mounted. I wrote into the mountpoint. Yeez!
22:02:49 I need to fix this asap. Thanks for your help!
22:03:07 yw