From: Peter Jeremy <peter@rulingia.com>
To: freebsd-fs@freebsd.org
Subject: Migrating a ZFS pool to use OpenZFS encryption
Date: Mon, 26 Apr 2021 21:58:12 +1000

I'm considering options for remote backups of a ZFS pool, without the
remote system having the decryption key, and they seem to be either:

a) Export the raw disks and locally run ZFS over geli over ggate.
b) Use ZFS send between encrypted pools.

The second option has the big advantage that I can do a scrub remotely
without the remote system needing the encryption keys.  The downside is
that the local pool also needs to be encrypted.
It's not possible to encrypt in place (native encryption can only be
enabled when a pool is created) and there's very little information
about how to get from an unencrypted pool to a natively encrypted pool.
So far, the best documentation I've found is
https://zfsonlinux.topicbox.com/groups/zfs-discuss/Tc9acf1bc1513ea21-M2f7977ea237e2f536b967a84/migration-from-unencrypted-to-encrypted-data-set
which can be summarised as "it's complicated".  (Another downside is
that native encryption is relatively new so I'm not sure how
battle-hardened it is).

Before I reinvent the wheel, has anyone done this sort of thing and is
able to offer advice from practical experience?

-- 
Peter Jeremy
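One concrete way to carry out option (b) from the post, as an added example (this is not Peter's code nor anything from the FreeBSD or OpenZFS projects): create an encrypted parent dataset, move the unencrypted dataset under it with send/receive, then replicate it with a raw send so the remote pool can be scrubbed without ever holding the key. The dataset, pool, host and key-file names are hypothetical, and the `-x` exclusions on `zfs receive` are my assumption about the safest way to make the received child inherit the parent's encryption settings.

```shell
#!/bin/sh
# Added example, not code from the original post: move an unencrypted dataset
# under a natively encrypted parent with send/receive, then replicate it with
# a raw send so the remote side never holds the key.
# Hypothetical names: pool "tank", source "tank/data", encrypted parent
# "tank/enc", 32-byte key file /root/tank-enc.key (e.g. head -c 32 /dev/random,
# mode 0600), remote host "backup" with pool "btank".
set -eu

# zfs/ssh are called through variables so the steps can be exercised
# against stubs; leave them unset to run the real commands.
ZFS_CMD="${ZFS_CMD:-zfs}"
SSH_CMD="${SSH_CMD:-ssh}"
run_zfs() { "$ZFS_CMD" "$@"; }

# 1. encryption/keyformat/keylocation are create-time properties, which is
#    why an existing dataset cannot be switched to encrypted in place.
create_encrypted_parent() {
  parent="$1"; keyfile="$2"
  run_zfs create -o encryption=aes-256-gcm -o keyformat=raw \
    -o keylocation="file://$keyfile" "$parent"
}

# 2. Snapshot the source and replicate it under the encrypted parent. The -x
#    exclusions (my assumption about the safest invocation) make the child
#    inherit the parent's encryption settings rather than the stream's.
migrate_dataset() {
  src="$1"; parent="$2"; snap="$3"
  run_zfs snapshot -r "$src@$snap"
  run_zfs send -R "$src@$snap" \
    | run_zfs receive -u -x encryption -x keyformat -x keylocation \
        "$parent/${src##*/}"
}

# 3. Raw (-w) send ships ciphertext blocks unchanged; the remote pool can
#    receive and scrub them without the key ever being loaded there.
raw_backup() {
  ds="$1"; snap="$2"; remote="$3"; rpool="$4"
  run_zfs send -w -R "$ds@$snap" \
    | "$SSH_CMD" "$remote" zfs receive -u "$rpool/${ds##*/}"
}

migrate_and_backup() {
  create_encrypted_parent tank/enc /root/tank-enc.key
  migrate_dataset tank/data tank/enc migrate-1
  raw_backup tank/enc/data migrate-1 backup btank
}
# Invoke as: sh migrate-to-encrypted.sh run
if [ "${1:-}" = "run" ]; then migrate_and_backup; fi
```

After the migration, `zfs get -r encryption,keystatus tank/enc` locally and `btank/data` on the remote should show the dataset encrypted, with the key available only on the local side.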