ZFS in Solaris 11 now also offers optional on-disk encryption. Some additional coverage of this is given in Chapter 6, ZFS – Now You Can't Ignore It!. The Solaris Cryptographic Framework libraries are used for encryption purposes, so ZFS will receive the benefit of any compatible crypto acceleration present on the system.
As an additional point of interest, the inherited nature of encrypted filesystems means that if a global zone creates a /zones filesystem, and then creates a zone with a zoneroot underneath it, the zone will have the benefit of on-disk encryption without ever having direct access to the encryption key itself.
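To confirm that a zone root really inherits encryption from its parent, the SOURCE column of zfs get can be audited. The following is an added example, not code from the original text; the function names and the dataset names (rpool/zones, rpool/zones/web01, rpool/scratch) are hypothetical, and the sample lines are constructed to mimic tab-separated zfs get -H output.

```shell
#!/bin/sh
# Added example: audit where each dataset gets its encryption setting from.
# Input: tab-separated "name<TAB>value<TAB>source" lines, as produced by
#   zfs get -rH -o name,value,source encryption <dataset>
# Output: one classification line per dataset.
# Exit status: 1 if any dataset is unencrypted, otherwise 0.
audit_encryption() {
    awk -F'\t' '
        # encryption=off: data in this dataset is stored in the clear
        $2 == "off" { printf "UNENCRYPTED %s\n", $1; bad = 1; next }

        # the setting (and the key) come from a parent dataset, which is
        # the case for a zone root created under an encrypted /zones
        $3 ~ /^inherited from / {
            sub(/^inherited from /, "", $3)
            printf "INHERITED %s <- %s\n", $1, $3
            next
        }

        # encryption was set explicitly when this dataset was created
        { printf "LOCAL %s (%s)\n", $1, $2 }

        END { exit bad + 0 }
    '
}

# Constructed sample input (hypothetical dataset names), standing in for
# real zfs get output so the example runs on a system without ZFS.
sample_output() {
    printf 'rpool/zones\ton\tlocal\n'
    printf 'rpool/zones/web01\ton\tinherited from rpool/zones\n'
    printf 'rpool/scratch\toff\tdefault\n'
}

# Demo run against the constructed sample.
sample_output | audit_encryption || echo "at least one dataset is unencrypted"
```

On a live system, pipe the real command output into the function instead: zfs get -rH -o name,value,source encryption rpool/zones | audit_encryption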
There are some gotchas to using an encrypted ZFS filesystem that should be carefully considered before use:
Once you enable encryption on a ZFS filesystem, it cannot be turned off.
Encryption will also be enabled on all subfilesystems, irrevocably.
You cannot use zfs send/zfs receive for a non-encrypted ZFS destination...