Encrypting existing file system data

Existing zFS file systems can be encrypted. The zFS aggregate that contains these file systems does not need to be SMS-managed extended format.

Before file system data can be encrypted, these requirements must be met:
  1. Integrated Cryptographic Service Facility (ICSF) must be active.
  2. The file system that contains the data to be encrypted must be mounted in read/write mode.
Important: Before an existing file system has a key label assigned to it, or is encrypted for the first time, do a full backup of the file system.
If you must back out to a release prior to V2R3, any file system that is encrypted or has a key label assigned to it cannot be owned by a system that is running the prior release. To back out such a file system, take one of the following actions:
  • Restore a version of the file system that was backed up prior to encrypting it or assigning a key label to it.
  • Create a new file system that does not have a key label assigned to it and follow the migration procedures in Migrating data from HFS or zFS to zFS.

If you cancel an encryption that is in progress, the file system remains partially encrypted. Leaving a file system partially encrypted might have performance impacts, so resume the encryption later with another zfsadm encrypt command.

Use the zfsadm encrypt command to encrypt an existing file system. Use the -cancel option of zfsadm encrypt to stop an encryption that is in progress, or the zfsadm decrypt command to reverse one. If the file system does not already have a key label, assign one at encryption time by specifying the -keylabel keyword on the zfsadm encrypt command.

The following example uses zfsadm encrypt to encrypt the data in an existing zFS aggregate.
    zfsadm encrypt -aggregate PLEX.DCEIMGNJ.BIGENC -keylabel PROTKEY.AES.SECURE.KEY.32BYTE
    IOEZ00877I Aggregate PLEX.DCEIMGNJ.BIGENC is successfully encrypted.
The following example uses the -cancel option of zfsadm encrypt to cancel the encryption of a zFS aggregate.
    zfsadm encrypt -aggregate PLEX.DCEIMGNJ.BIGENC -cancel
    IOEZ00892I Aggregate PLEX.DCEIMGNJ.BIGENC encrypt or decrypt successfully canceled.
Then use zfsadm fsinfo to display the encryption status. After a cancel, the Status line carries the EI (partially encrypted) flag and the Encrypt Progress line shows the percentage at which encryption stopped:
    zfsadm fsinfo -aggregate PLEX.DCEIMGNJ.BIGENC
    File System Name: PLEX.DCEIMGNJ.BIGENC
    *** owner information ***
    ..........
    Status: RW,RS,EI,NC
    ...
    ...
    Encrypt Progress: stopped, 23%
    ...
    Legend: RW=Read-write, RS=Mounted RWSHARE, EI=Partially encrypted
    NC=Not compressed
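The encrypt, cancel and fsinfo sequence above leaves an operator with a decision to make: is the aggregate still unencrypted, stuck partially encrypted after a cancel, or already done, and which zfsadm command follows. The script below is an added example, not code from the z/OS documentation or from IBM. It parses the fsinfo output format shown on this page (the Status flags and the Encrypt Progress line) with POSIX sh and awk, checks the page's requirement that the file system be mounted read/write, and prints the next command. The flags EN (fully encrypted) and NE (not encrypted) are assumptions, since the page only shows EI; confirm them against the legend your own fsinfo prints. The sample fsinfo text is constructed, so the demo runs without zfsadm; live_state is the only function that calls the real command.

```shell
#!/bin/sh
# Added example, not code from the z/OS documentation or from IBM.
# Parse "zfsadm fsinfo" output to learn where an aggregate stands
# (unencrypted, partially encrypted after a cancel, fully encrypted)
# and print the zfsadm command that should run next.
#
# Assumptions not shown on the page: a fully encrypted aggregate carries
# the status flag EN and a never-encrypted one NE. The page documents only
# EI (partially encrypted), RW (read-write) and the "Encrypt Progress"
# line, so verify EN/NE against the legend your own fsinfo prints.

# Constructed sample, mirroring the page's fsinfo output after a cancelled run.
SAMPLE_FSINFO='File System Name: PLEX.DCEIMGNJ.BIGENC
*** owner information ***
Status: RW,RS,EI,NC
Encrypt Progress: stopped, 23%
Legend: RW=Read-write, RS=Mounted RWSHARE, EI=Partially encrypted
NC=Not compressed'

# mounted_rw: succeed when the Status flags include RW, the page's
# requirement 2 (file system mounted in read/write mode).
mounted_rw() {
  awk '/^Status:/ { n = split($2, f, ","); for (i = 1; i <= n; i++) if (f[i] == "RW") ok = 1 }
       END { if (ok) exit 0; exit 1 }'
}

# encrypt_state: read fsinfo text on stdin and print one of
#   encrypted | partial:<percent>:<progress> | unencrypted | unknown
encrypt_state() {
  awk '
    /^Status:/ {
      n = split($2, f, ",")
      for (i = 1; i <= n; i++) flags[f[i]] = 1
    }
    /^Encrypt Progress:/ {
      # e.g. "Encrypt Progress: stopped, 23%"
      prog = $3; sub(/,$/, "", prog)
      pct = $4; sub(/%$/, "", pct)
    }
    END {
      if (pct == "") pct = "?"
      if (prog == "") prog = "?"
      if ("EN" in flags)      print "encrypted"
      else if ("EI" in flags) print "partial:" pct ":" prog
      else if ("NE" in flags) print "unencrypted"
      else                    print "unknown"
    }'
}

# next_action: map a state to the command documented on the page.
# A partially encrypted aggregate already has its key label, so the
# resume is a plain "zfsadm encrypt"; only a first encryption needs -keylabel.
next_action() {
  agg=$1; label=$2; state=$3
  case $state in
    encrypted)   echo "already encrypted; nothing to do" ;;
    partial:*)   echo "zfsadm encrypt -aggregate $agg" ;;
    unencrypted) echo "zfsadm encrypt -aggregate $agg -keylabel $label" ;;
    *)           echo "state unknown; inspect zfsadm fsinfo -aggregate $agg" ;;
  esac
}

# live_state: query a real aggregate. Only meaningful on z/OS, where
# zfsadm exists; not called by the demo below.
live_state() {
  zfsadm fsinfo -aggregate "$1" | encrypt_state
}

# Stand-alone demo on the constructed sample (no zfsadm needed).
state=$(printf '%s\n' "$SAMPLE_FSINFO" | encrypt_state)
echo "state: $state"
if printf '%s\n' "$SAMPLE_FSINFO" | mounted_rw; then
  next_action PLEX.DCEIMGNJ.BIGENC PROTKEY.AES.SECURE.KEY.32BYTE "$state"
else
  echo "not mounted read/write; mount it R/W before encrypting"
fi
```

On the constructed sample the demo reports partial:23:stopped and recommends a plain zfsadm encrypt to resume, which matches the page: the key label was assigned on the first encrypt, so the resume does not repeat -keylabel. Take the full backup the page calls for before the first encrypt, not before a resume.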