Enable autofs

svcadm enable autofs

Navigate to the NFS share

cd /net/ip_or_fqdn/

Create a folder

mkdir backups
# I did mine like: /net/ip_or_fqdn/home/33215/backups/zpoolimgs

Create an 80 GB image file

mkfile 80g /net/ip_or_fqdn/home/33215/backups/zpoolimgs/smartosbackups.img
# this might take a while

Generate your keyfile for encrypting the image file

pktool genkey keystore=file outkey=/opt/lofi.key keytype=aes keylen=256

Create an encrypted loopback device

lofiadm -c aes-256-cbc -k /opt/lofi.key -a /net/ip_or_fqdn/home/33215/backups/zpoolimgs/smartosbackups.img
# take note of the output as that is the device name, something like: /dev/lofi/2

Create a pool from that image file

zpool create testpool /dev/lofi/2

Add a test file to the pool

touch /testpool/testfile.txt

Export the pool

zpool export testpool

Disconnect the lofi device

lofiadm -d /net/ip_or_fqdn/home/33215/backups/zpoolimgs/smartosbackups.img

Quickly test the whole process with a local image

# /opt/test.img must already exist (create it with mkfile, as above)
lofiadm -c aes-256-cbc -k /opt/lofi.key -a /opt/test.img
zpool create testpool /dev/lofi/2
cd /testpool
touch testfile.txt
# leave /testpool before exporting, otherwise the pool is busy
cd /
zpool export testpool
lofiadm -d /opt/test.img
# everything should be "unhooked"

# let's reconnect everything to see if we can read the encrypted pool
lofiadm -c aes-256-cbc -k /opt/lofi.key -a /opt/test.img
zpool import -d /dev/lofi testpool

Notes:

  • Don't use lofiadm compression, since it is read-only. Use ZFS compression instead.
  • You don't need to use lofiadm at all. ZFS can use an image file directly and use encryption. Per the comments on http://constantin.glez.de/blog/2012/02/introducing-sparse-encrypted-zfs-pools, using lofiadm's encryption will hide even the structure of your zpool from someone. If you choose to have ZFS access the image file directly and use ZFS encryption, someone can still see your structure, just not the data within.
  • Make sure you back up your key file (lofi.key) someplace. I copied it to a local backup with scp.
  • If you get errors like:

lofiadm: could not map file /net/ip_OR_fqdn/backups/smartosbackups.img: Device busy
cannot import 'smartosbackups': a pool with that name is already created/imported,
and no additional pools with that name were found

    that probably means lofiadm is already using your image file and you already have the pool imported with zpool.
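
The attach and detach sequence above as a pair of re-runnable helpers (an added example, not part of the original notes). It reads the device name from lofiadm's listing instead of assuming /dev/lofi/2, and skips the map or import step when it is already done, which avoids the "Device busy" and "already created/imported" errors. The KEY, IMG and POOL defaults, the function names and the key-permission check are assumptions, and the pool must already have been created.

```shell
#!/bin/sh
# Added example; KEY, IMG and POOL defaults are assumptions taken from the quick test.
KEY=${KEY:-/opt/lofi.key}
IMG=${IMG:-/opt/test.img}
POOL=${POOL:-testpool}

# Print the lofi device currently mapped to file $1, or return 1 if none.
# Reads the table `lofiadm` prints with no arguments (header line, then
# "device file options" rows); paths containing spaces are not handled.
lofi_dev_for() {
    lofiadm | awk -v f="$1" 'NR > 1 && $2 == f { print $1; found = 1 }
                             END { exit !found }'
}

# True only if group and other have no permissions on the key file.
key_is_private() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Map the image (reusing an existing mapping), import the pool if it is not
# already imported, and print the device name.
attach_pool() {
    key_is_private "$KEY" || { echo "$KEY must not be readable by group/other" >&2; return 1; }
    dev=$(lofi_dev_for "$IMG") ||
        dev=$(lofiadm -c aes-256-cbc -k "$KEY" -a "$IMG") || return 1
    zpool list -H -o name "$POOL" >/dev/null 2>&1 ||
        zpool import -d /dev/lofi "$POOL" || return 1
    echo "$dev"
}

# Export the pool if imported, then remove the mapping if present.
detach_pool() {
    if zpool list -H -o name "$POOL" >/dev/null 2>&1; then
        zpool export "$POOL" || return 1
    fi
    lofi_dev_for "$IMG" >/dev/null || return 0
    lofiadm -d "$IMG"
}

case "${1:-}" in
    attach) attach_pool ;;
    detach) detach_pool ;;
esac
```

Save it as a script and run it with "attach" or "detach"; set IMG to the NFS image path to use it against the real backup pool.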

references: