Date: Sun, 26 Sep 2021 11:45:46 +1000
From: Peter Jeremy <peter@rulingia.com>
To: freebsd-fs@freebsd.org
Subject: Backing up using ZFS native encryption.
Message-ID: <YU/QyuIMD1Zp1f3n@server.rulingia.com>

I'm trying to use ZFS native encryption to allow me to do backups to a
remote system without that system having access to the backup contents.
According to the documentation, "zfs send --raw ..." can be used to send
encrypted backups but it's not clear how to create a suitable destination
pool.

Using a 13-stable system from about a week ago (g5f4ba94eb591), I've tried:

1) Creating the destination pool with encryption enabled:
   # zpool create -O encryption=on -O keyformat=passphrase -O keylocation=file:///boot/zfs/tank.key ztest1 da{0,1}p8
 a) Receive without '-F' says I need to use '-F':
   # zfs send -Rw tank@snapshot | zfs recv -vu ztest1
   cannot receive new filesystem stream: destination 'ztest1' exists
   must specify -F to overwrite it
 b) Receive with '-F' says I can't destroy an encrypted filesystem:
   # zfs send -Rw tank@snapshot | zfs recv -vuF ztest1
   cannot receive new filesystem stream: zfs receive -F cannot be used to destroy an encrypted filesystem or overwrite an unencrypted one with an encrypted one

2) Creating the destination pool without encryption:
   # zpool create ztest1 da{0,1}p8
 a) Receive without '-F' says I need to use '-F':
   # zfs send -Rw tank@snapshot | zfs recv -vu ztest1
   cannot receive new filesystem stream: destination 'ztest1' exists
   must specify -F to overwrite it
 b) Receive with '-F' says I can't overwrite unencrypted to encrypted
   # zfs send -Rw tank@snapshot | zfs recv -vuF ztest1
   cannot receive new filesystem stream: zfs receive -F cannot be used to destroy an encrypted filesystem or overwrite an unencrypted one with an encrypted one

What is the magic incantation to actually create a copy of an encrypted
pool?

--
Peter Jeremy