On-disk encryption of a ZFS filesystem is now possible in Solaris 11 as well as with the latest patch levels of Solaris 10. There is a fair amount of flexibility in the forms available. Key length can be 128-, 192-, or 256-bit AES which, similar to a PGP key is not directly editable. Instead, the admin controls access by use of a passphrase, which is referred to as a wrapping key. The key can be in the following forms:
Entered manually
Kept in plain-text form in a file
Kept in raw form in a file (even an automounted USB stick)
PKCS local Solaris keystore (can also leverage hardware crypto devices this way)
PKCS remote keystore (accessed via HTTPS)
The first form of directly inputting a key is the easiest to set up but is the most annoying to use on a true production system. The removable media option is good if your organization is big on the physical key style of security.
Keeping the key in a separate file can be more useful than it sounds, if you use zones. It is possible to...