Encrypting existing file system data
Existing zFS file systems can be encrypted. The zFS aggregate that contains these file systems does not need to be SMS-managed extended format.
- Integrated Cryptographic Service Facility (ICSF) must be active.
- The file system that contains the data to be encrypted must be mounted in read/write mode.
- Restore a version of the file system that was backed up prior to encrypting it or assigning a key label to it.
- Create a new file system that does not have a key label assigned to it and follow the migration procedures in Migrating data from HFS or zFS to zFS.
If you cancel an encryption that is in progress, the file system remains partially encrypted. Because a partially encrypted file system might have performance impacts, you can resume the encryption later by issuing another zfsadm encrypt command.
Use the zfsadm encrypt command to encrypt the existing file system. You can use the -cancel option to cancel an encryption that is in progress, or reverse the encryption with the zfsadm decrypt command. If the file system does not already have a key label, assign one when you encrypt it by specifying the -keylabel keyword on the zfsadm encrypt command.
zfsadm encrypt -aggregate PLEX.DCEIMGNJ.BIGENC -keylabel PROTKEY.AES.SECURE.KEY.32BYTE
IOEZ00877I Aggregate PLEX.DCEIMGNJ.BIGENC is successfully encrypted.
zfsadm encrypt -aggregate PLEX.DCEIMGNJ.BIGENC -cancel
IOEZ00892I Aggregate PLEX.DCEIMGNJ.BIGENC encrypt or decrypt successfully canceled.
zfsadm fsinfo -aggregate PLEX.DCEIMGNJ.BIGENC
File System Name: PLEX.DCEIMGNJ.BIGENC
*** owner information ***
..........
Status: RW,RS,EI,NC
...
...
Encrypt Progress: stopped, 23%
...
Legend: RW=Read-write, RS=Mounted RWSHARE, EI=Partially encrypted
NC=Not compressed
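To find file systems that a cancelled zfsadm encrypt left partially encrypted, the following added example (not from the IBM documentation) classifies an aggregate from its zfsadm fsinfo output. It assumes the Status and Encrypt Progress lines have the form shown above and, when run against a live system, that zfsadm is on the PATH.

```shell
#!/bin/sh
# Added example: report whether a zFS aggregate is partially encrypted,
# based on "zfsadm fsinfo" output read from stdin. Prints one line:
#   partial <running|stopped|unknown> <percent>   (EI flag in Status)
#   not-partial                                   (no EI flag)
zfs_encrypt_state() {
    awk '
        BEGIN { state = "unknown"; pct = "?" }
        /Status:/ {
            # Status flags are comma-separated, e.g. RW,RS,EI,NC
            n = split($2, flags, ",")
            for (i = 1; i <= n; i++) if (flags[i] == "EI") partial = 1
        }
        /Encrypt Progress:/ {
            # e.g. "Encrypt Progress: stopped, 23%"
            state = $3; sub(/,$/, "", state)
            pct = $4;   sub(/%$/, "", pct)
        }
        END {
            if (partial) print "partial", state, pct
            else print "not-partial"
        }'
}

# Constructed sample, modelled on the fsinfo output shown above.
SAMPLE_FSINFO='File System Name: PLEX.DCEIMGNJ.BIGENC
*** owner information ***
Status: RW,RS,EI,NC
Encrypt Progress: stopped, 23%
Legend: RW=Read-write, RS=Mounted RWSHARE, EI=Partially encrypted
NC=Not compressed'

# Classify the constructed sample (expected: "partial stopped 23").
check_sample() {
    printf '%s\n' "$SAMPLE_FSINFO" | zfs_encrypt_state
}

# Against a live system (assumption: zfsadm is on the PATH):
#   zfsadm fsinfo -aggregate PLEX.DCEIMGNJ.BIGENC | zfs_encrypt_state
```

A "partial stopped" result is the state described above after a cancel, which you can clear by resuming with another zfsadm encrypt command.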