Date:      Sat, 25 Sep 2021 22:04:54 -0400
From:      Rich <rincebrain@gmail.com>
To:        Peter Jeremy <peter@rulingia.com>
Cc:        freebsd-fs <freebsd-fs@freebsd.org>
Subject:   Re: Backing up using ZFS native encryption.
Message-ID:  <CAOeNLupqZg38sMYAw8mPaXP28Z5v6O3VV-OpxeE1Fvixw2My5A@mail.gmail.com>
In-Reply-To: <YU/QyuIMD1Zp1f3n@server.rulingia.com>


To backup the full contents of an encrypted pool, you can just receive
it into a child dataset on another pool.

You cannot overwrite an encrypted dataset in-place, or an unencrypted
one with an encrypted one, so there is no way to replicate a pool 1:1
if the encryption includes the root dataset.

This is one more reason not to put {settings,data} you care about
preserving in the root dataset.

- Rich

On Sat, Sep 25, 2021 at 9:46 PM Peter Jeremy <peter@rulingia.com> wrote:
>
> I'm trying to use ZFS native encryption to allow me to do backups to
> a remote system without that system having access to the backup contents.
> According to the documentation, "zfs send --raw ..." can be used to
> send encrypted backups but it's not clear how to create a suitable
> destination pool.
>
> Using a 13-stable system from about a week ago (g5f4ba94eb591), I've tried:
> 1) Creating the destination pool with encryption enabled:
>    # zpool create -O encryption=on -O keyformat=passphrase -O keylocation=file:///boot/zfs/tank.key ztest1 da{0,1}p8
>    a) Receive without '-F' says I need to use '-F':
>       # zfs send -Rw tank@snapshot | zfs recv -vu ztest1
>       cannot receive new filesystem stream: destination 'ztest1' exists
>       must specify -F to overwrite it
>    b) Receive with '-F' says I can't destroy an encrypted filesystem:
>       # zfs send -Rw tank@snapshot | zfs recv -vuF ztest1
>       cannot receive new filesystem stream: zfs receive -F cannot be used to destroy an encrypted filesystem or overwrite an unencrypted one with an encrypted one
>
> 2) Creating the destination pool without encryption:
>    # zpool create ztest1 da{0,1}p8
>    a) Receive without '-F' says I need to use '-F':
>       # zfs send -Rw tank@snapshot | zfs recv -vu ztest1
>       cannot receive new filesystem stream: destination 'ztest1' exists
>       must specify -F to overwrite it
>    b) Receive with '-F' says I can't overwrite unencrypted to encrypted:
>       # zfs send -Rw tank@snapshot | zfs recv -vuF ztest1
>       cannot receive new filesystem stream: zfs receive -F cannot be used to destroy an encrypted filesystem or overwrite an unencrypted one with an encrypted one
>
> What is the magic incantation to actually create a copy of an
> encrypted pool?
>
> --
> Peter Jeremy
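
The procedure Rich describes, written out as an added example script that is not part of this thread: it refuses a destination that is a pool root (the case both of Peter's attempts hit), runs the raw replication stream into a child dataset on the backup pool, and afterwards reports the encryption and key status of what landed there. It assumes OpenZFS 2.x semantics for the zfs send/recv flags used (-R, -w, -I, -u, and the keystatus property); the pool, dataset and snapshot names in the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: raw-replicate an encrypted pool
# into a child dataset of another pool, never into that pool's root.
# Assumes OpenZFS 2.x zfs send/recv flags; names in the usage line are placeholders.
set -eu

# A raw stream cannot overwrite an existing root dataset (encrypted or not),
# so the destination must contain a '/' (i.e. be <pool>/<child>).
require_child_dataset() {
    case "$1" in
        */*) return 0 ;;
        *)   echo "destination '$1' is a pool root; use <pool>/<child>" >&2
             return 1 ;;
    esac
}

# Child dataset on the backup pool that will hold the copy, e.g. ztest1/tank
backup_dataset() {
    printf '%s/%s\n' "$1" "$2"
}

# Full raw replication (-R -w) of $1, or an incremental (-I) from $3 when
# a previous snapshot is given. -u keeps the copy unmounted on the backup host.
replicate() {
    src_snap=$1; dst=$2; prev=${3:-}
    require_child_dataset "$dst" || return 1
    if [ -n "$prev" ]; then
        zfs send -R -w -I "$prev" "$src_snap" | zfs recv -u -v "$dst"
    else
        zfs send -R -w "$src_snap" | zfs recv -u -v "$dst"
    fi
}

# On the backup host the copy should show encryption set and keystatus
# "unavailable": the key was never loaded there, so only ciphertext is held.
verify_sealed() {
    zfs get -H -o property,value encryption,keystatus "$1"
}

# Usage (placeholders): sh backup.sh tank@2021-09-25 ztest1 [tank@2021-09-18]
if [ $# -ge 2 ]; then
    dst=$(backup_dataset "$2" "${1%@*}")
    replicate "$1" "$dst" "${3:-}"
    verify_sealed "$dst"
fi
```

Because the stream is raw, the destination pool needs no encryption property of its own, which is why Peter's second, unencrypted ztest1 would have worked had the target been ztest1/tank rather than ztest1. Restoring later is the same pipeline in reverse, followed by `zfs load-key` on the restored dataset.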

