Andrey Kuzmin wrote:
>> -----Original Message-----
>> From: Darren.Moffat at Sun.COM [mailto:Darren.Moffat at Sun.COM]
>> Sent: Wednesday, March 19, 2008 5:40 PM
>> To: andrey.v.kuzmin at gmail.com
>> Cc: zfs-code at opensolaris.org
>> Subject: Re: zfs-code Digest, Vol 22, Issue 3
>>
>> I think you have misunderstood what I'm saying, so let me give some
>> examples:
>>
>> $ zfs create -o encryption=aes-128-ccm tank/home
>> $ zfs create tank/home/darrenm
>> $ zfs create -o keyscope=dataset -o keysource=passphrase,prompt \
>>       tank/home/darrenm/Documents
>> Enter passphrase for tank/home/darrenm/Documents: ***********
>> Re-enter passphrase for tank/home/darrenm/Documents: ***********
>> $
>>
>> For the first two filesystems keyscope is the default which is pool.
>> They just require that the pool key is available to create them.
>>
>> For the third case I'm inheriting the encryption property but overriding
>> the keyscope to dataset and since I set keyscope I need to set keysource
>> because it isn't set in any of parents to inherit it from.
>
> In the third case you can do create w/o setting overridden properties to
> inherit encryption, and then override necessary properties as well.

No I can't.

> Or there's no way to override crypto-properties once set?

You can't change the encryption property on an already created dataset -
fundamental to the design. I also can't change the format part of
keysource (only the locator part). The keyscope can be changed but only
as part of doing an explicit 'zfs key -c -o keyscope=' which you can't do
until after the dataset is created.

--
Darren J Moffat
