zfsadm decrypt

Purpose

zfsadm decrypt decrypts a zFS aggregate that was previously encrypted with DFSMS access method encryption.

Format

zfsadm decrypt -aggregate name [-cancel][-trace file_name][-level][-help]  

Options

-aggregate name
Specifies the name of the aggregate to be decrypted. The aggregate name is not case-sensitive. It is always converted to uppercase.
-cancel
Cancels an in-progress decrypt operation for the specified aggregate.
-help
Prints the online help for this command. All other valid options that are specified with this option are ignored.
-level
Prints the level of the command. This option is useful when you are diagnosing a problem. Except for -help, all other valid options that are specified with -level are ignored.
-trace file_name
Specifies the name of the file that will have the trace records written into it. The trace file can be a z/OS UNIX file, an existing MVS sequential data set, or a member of either an existing partitioned data set (PDS) or partitioned data set extended (PDSE). Use this option only at the direction of IBM Support.

For information about preallocation instructions for debugging, see Step 5 (Optional) Preallocate data sets for debugging in zFS installation and configuration steps.

Because MVS data set names must be fully qualified, z/OS UNIX has special rules for specifying MVS data set names in the shell environment. For more information, see Specifying MVS data set names in the shell environment in z/OS UNIX System Services Command Reference.

Usage notes

  1. The zfsadm decrypt command is a long-running administrative command that uses DFSMS access method decryption to decrypt an existing encrypted zFS aggregate.
  2. The command must be issued from a z/OS V2R3 or later system, and the zFS file system must be zFS-owned on a z/OS V2R3 or later system. The aggregate must be at least aggregate version 1.5 and mounted read/write.
  3. To process the decryption request, the long-running command thread pool must have an available foreground thread. See the IOEFSPRM configuration option long_cmd_threads for information about controlling the size of the long-running foreground and background thread pools. The option is described in IOEFSPRM.
  4. A decryption operation can be interrupted by using the -cancel option or during a shutdown. It can also be interrupted when the shell command unmount or TSO/E command UNMOUNT is issued with the force option. If the decrypt operation is interrupted, the zFS aggregate might be left with both decrypted and encrypted files. This partial state is allowed. You can issue another zfsadm decrypt command to resume the decrypt operation for the rest of the files after it has been interrupted. You can also issue the zfsadm encrypt command to encrypt the partially encrypted aggregate.
  5. You cannot decrypt an aggregate that is in a partially compressed or partially decompressed state. In other words, if compression or decompression was interrupted for an aggregate, you cannot decrypt it.
  6. After the aggregate is fully decrypted, any newly created files are not encrypted. Applications can still access the aggregate while it is being decrypted. The backup change activity flag is set if any data is decrypted.
  7. Use either the zfsadm fsinfo or MODIFY FSINFO command to display whether an aggregate has been decrypted or is being decrypted. Progress of the decrypt operation can be seen in the owner status display.
  8. The zfsadm fileinfo command can be used to show whether a particular file is decrypted.
  9. Aggregates with active file backups cannot be decrypted.

Privilege required

The issuer must be logged in as a root user (UID=0) or have READ authority to the SUPERUSER.FILESYS.PFSCTL resource in the z/OS® UNIXPRIV class.

Example

  1. The following command decrypts an existing zFS aggregate:
    zfsadm decrypt -aggregate PLEX.ZFS.FS
    
    IOEZ00878I Aggregate PLEX.ZFS.FS is successfully decrypted.
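
The following wrapper is an added example, not part of the original page and not IBM code. It treats a decrypt as complete only when message IOEZ00878I is returned, and reissues the command to resume after an interruption, as usage note 4 allows. The ZFSADM override variable and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not IBM code. ZFSADM and the function names are hypothetical.
ZFSADM=${ZFSADM:-zfsadm}

# The command uppercases aggregate names; do the same so messages can be matched.
normalize_aggregate() {
    printf '%s' "$1" | tr '[:lower:]' '[:upper:]'
}

# Returns 0 when IOEZ00878I confirms the decrypt, 1 when it is not confirmed
# (the aggregate may be left partially decrypted), 2 on a missing name.
decrypt_aggregate() {
    [ -n "$1" ] || { echo "usage: decrypt_aggregate NAME" >&2; return 2; }
    aggr=$(normalize_aggregate "$1")
    rc=0
    out=$("$ZFSADM" decrypt -aggregate "$aggr" 2>&1) || rc=$?
    printf '%s\n' "$out"
    case $out in
        *"IOEZ00878I Aggregate $aggr "*) [ "$rc" -eq 0 ] && return 0 ;;
    esac
    echo "decrypt of $aggr not confirmed (rc=$rc); files may be in mixed state" >&2
    return 1
}

# Reissues the command to resume after an interruption, at most $2 times
# (default 3). Retrying does not help when the aggregate is partially
# compressed or has active file backups; check fsinfo in that case.
decrypt_with_resume() {
    name=$1; tries=${2:-3}; n=1
    while [ "$n" -le "$tries" ]; do
        decrypt_aggregate "$name" && return 0
        [ $? -eq 2 ] && return 2
        n=$((n + 1))
    done
    return 1
}
```

A return code of 1 means the aggregate should be treated as possibly holding both encrypted and decrypted files until zfsadm fsinfo shows otherwise.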

Related information

Commands:
  • zfsadm encrypt
  • zfsadm fileinfo
  • zfsadm fsinfo
Files:
  • IOEFSPRM