ZFS Data Migration: Encrypting Existing Volumes with zfs send and zfs recv

Encrypting previously unencrypted data, such as a legacy ZFS pool, requires a reliable migration strategy. The most robust way to achieve this is by using the powerful ZFS data stream mechanism: zfs send and zfs recv.

The core procedure is simple: create a snapshot, transfer this snapshot, and receive it at a new, encrypted destination.

ZFS Encryption: Mitigating Physical Attacks with Remote Key Management

This article documents the design and implementation of an external key management solution for ZFS encryption. This approach utilizes a custom PHP service to serve encryption keys on demand, specifically designed to mitigate physical and system-level compromises where local keys would fail. This deep dive explores the security architecture, the self-written PHP proof-of-concept (PoC), and the critical security caveats of building a custom Key Management System (KMS).