Date:      Mon, 26 Apr 2021 21:58:12 +1000
From:      Peter Jeremy <peter@rulingia.com>
To:        freebsd-fs@freebsd.org
Subject:   Migrating a ZFS pool to use OpenZFS encryption
Message-ID:  <YIaq1BxS2HFfuVML@server.rulingia.com>

I'm considering options for remote backups of a ZFS pool, without the
remote system having the decryption key, and they seem to be either:
a) Export the raw disks and locally run ZFS over geli over ggate.
b) Use ZFS send between encrypted pools.

The second option has the big advantage that I can do a scrub remotely
without the remote system needing the encryption keys.  The downside
is that the local pool also needs to be encrypted.  It's not possible
to encrypt in place (native encryption can only be enabled when a pool
is created) and there's very little information about how to get from
an unencrypted pool to a natively encrypted pool.  So far, the best
documentation I've found is
https://zfsonlinux.topicbox.com/groups/zfs-discuss/Tc9acf1bc1513ea21-M2f7977ea237e2f536b967a84/migration-from-unencrypted-to-encrypted-data-set
which can be summarised as "it's complicated".  (Another downside is
that native encryption is relatively new so I'm not sure how
battle-hardened it is).

Before I reinvent the wheel, has anyone done this sort of thing and
is able to offer advice from practical experience?

-- 
Peter Jeremy



