Encryption In most cases, files on a storage unit are not needed to be secure. Most people might believe that files on their computer are safe, especially if they enter a password to log in. In networking, a network drive, a storage drive on another system, should have permissions set that only the specific user (and administrators) can access the data. Local storage devices, those connected directly to the local computer, may not have such permissions. Another user can log into a computer and have access to nearly all the files on the local storage devices. Let’s look at an example. Suppose you have a USB thumb drive. After connecting it to a PC, you save files to the drive before logging out. Later you find that the thumb drive is missing. Anyone who finds the thumb drive and looks at the files on it can do so without problems (unless it is a file type that allows for password protection to open it). Libre Office can place passwords on documents to prevent anyone from opening them and seeing the contents. A similar problem arises with computers. If a hard disk is removed from one system and placed into another, the data is easily accessible. You may wonder how it is possible to protect the files from prying eyes. The answer is encryption. Some file systems include built-in (native) encryption. No third party utilities are needed, but they do exist for file systems that do not support encryption. Encryption is when a file is converted to another form so it is not readily accessible by common means. For example, if a text document is encrypted, it cannot be opened by a text editor and read. The file must be decrypted back into its standard format. Then opened and read. In most cases, to decrypt the file, you need a password or systems credentials (received when a user logs into an operating system). NOTE: Decryption is the process of removing the encryption so the file is in the original format. If your important files on a hard disk or USB thumb drive are encrypted, then anyone gaining access to the storage device cannot easily view the file’s true contents. There are two types of encryption which determine what files are encrypted: Disk Encryption – encrypts whole disk or partition File Encryption – encrypts individual files and folders Usually, if a whole disk should be encrypted, it will be done so when the disk or partition is created. Whether using disk or file encryption, it is like compression, it is done on the fly. That is, when files are written to the disk, they have already been encrypted. When files are read from the disk, they are decrypted before being passed to the application requiring the file. Let’s look at this with an example. If we use a word processor, such as Libre Office, to created a document and save it to disk, one of the following must be enabled: Disk encryption – the file can be saved anywhere on the disk File Encryption – the file is saved to the encrypted folder When saved, the processor will encrypt the file before it is written to disk. Let’s assume we later want to open the file. When the file is requested by the application, the system retrieves the file, checks the user’s credentials and if appropriate, the file is decrypted. After it is decrypted, the file is sent to the application needing it. As you can see, this process takes more time and resources. Be aware that encryption can degrade system performance when reading or writing encrypted files. To enable encryption on a ZFS file system dataset, use the following command when creating the dataset: Code: zfs create –o encryption=on pool/home/folder1 After the command is accepted, the user is prompted for a password, then again to confirm the password. If the two passwords match, the dataset is created. Encryption can be verified by using the following command: Code: zfs get encryption pool/home/folder1 The following should be seen confirming that encryption is enabled for the dataset: Code: NAME PROPERTY VALUE SOURCE pool/home/folder1 encryption on local Any folders created within the pool/home/folder1 dataset will automatically inherit the encryption setting. If you want to save files and they not be encrypted, they should be placed into another folder. NOTE: The boot files usually are not encrypted since the system will not load with the files encrypted.