■ "Encryption Key Life Cycle" on page 585
Encryption Key Life Cycle
The encryption key life cycle is flexible because you can change keys at any time without
taking data services offline.
When a key is deleted from the keystore, all the shares that use it are unmounted and their
data becomes inaccessible. Backing up keys in the OKM keystore should be performed using
the OKM backup services. Backup of keys in the LOCAL keystore is included as part of the
System Configuration Backup. For the LOCAL keystore, it is also possible to supply the key
by value at creation time to allow it to be escrowed in an external system, which provides an
alternative per-key backup/restore capability.
Related Topics
■ "Data Encryption Workflow" on page 560
■ "Encryption Properties" on page 581
■ "Managing Encryption Keys" on page 582
■ "Performance Impact of Encryption" on page 584
Backing up and Restoring Encrypted Data
When a share is restored using the ZFS restore function, the restored share inherits the
encryption properties of the target project if the original share inherited its encryption properties
from the source project.
To ensure encryption properties of an original share are maintained in a restored share,
configure encryption on the original share instead of inheriting it from its project.
If you want to set encryption differently for an individual share within a project, manually
configure encryption for the individual source share, instead of letting the share inherit its
properties from the project. This ensures that all shares are backed up and restored with the
desired encryption settings.
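The restore behavior described above can be checked before a backup with a small model of property inheritance. This is an added example, not Oracle's code or the appliance API; the class names, property names, and sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical model of the inheritance rule; not the appliance API.
# Property names (encryption, keystore, keyname) are assumptions.

@dataclass(frozen=True)
class EncProps:
    encryption: str                  # "off" or a cipher name (constructed values)
    keystore: Optional[str] = None   # "LOCAL" or "OKM"
    keyname: Optional[str] = None

@dataclass(frozen=True)
class Share:
    name: str
    local: Optional[EncProps] = None  # None means inherited from the project

def effective(share: Share, project: EncProps) -> EncProps:
    """Properties a share actually runs with inside a given project."""
    return share.local if share.local is not None else project

def restore_drift(shares, source_project: EncProps, target_project: EncProps):
    """Map share name -> (before, after) for every share whose effective
    encryption properties would change when restored into target_project."""
    drift = {}
    for share in shares:
        before = effective(share, source_project)
        after = effective(share, target_project)
        if before != after:
            drift[share.name] = (before, after)
    return drift

# Constructed sample data: an encrypted source project restored into a
# target project that has encryption turned off.
SRC = EncProps("aes-128-ccm", "LOCAL", "key-a")
DST = EncProps("off")
SHARES = [
    Share("finance"),                                            # inherits
    Share("hr", local=EncProps("aes-256-ccm", "LOCAL", "key-b")),  # set on share
    Share("scratch"),                                            # inherits
]

if __name__ == "__main__":
    for name, (before, after) in restore_drift(SHARES, SRC, DST).items():
        print(f"{name}: {before.encryption} -> {after.encryption} after restore")
```

Shares reported by `restore_drift` are the ones to configure individually before the backup is taken.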
For more information about NDMP backup, see "NDMP Configuration" on page 267. For information about replication, see "Remote Replication" on page 469.
Related Topics
■ "Data Encryption Workflow" on page 560