Backing up using ZFS native encryption.
Date: Sun, 26 Sep 2021 01:45:46 UTC
I'm trying to use ZFS native encryption to allow me to do backups to
a remote system without that system having access to the backup contents.
According to the documentation, "zfs send --raw ..." can be used to
send encrypted backups but it's not clear how to create a suitable
destination pool.
Using a 13-stable system from about a week ago (g5f4ba94eb591), I've tried:
1) Creating the destination pool with encryption enabled:
# zpool create -O encryption=on -O keyformat=passphrase -O keylocation=file:///boot/zfs/tank.key ztest1 da{0,1}p8
a) Receive without '-F' says I need to use '-F':
# zfs send -Rw tank@snapshot | zfs recv -vu ztest1
cannot receive new filesystem stream: destination 'ztest1' exists
must specify -F to overwrite it
b) Receive with '-F' says I can't destroy an encrypted filesystem:
# zfs send -Rw tank@snapshot | zfs recv -vuF ztest1
cannot receive new filesystem stream: zfs receive -F cannot be used to destroy an encrypted filesystem or overwrite an unencrypted one with an encrypted one
2) Creating the destination pool without encryption:
# zpool create ztest1 da{0,1}p8
a) Receive without '-F' says I need to use '-F':
# zfs send -Rw tank@snapshot | zfs recv -vu ztest1
cannot receive new filesystem stream: destination 'ztest1' exists
must specify -F to overwrite it
b) Receive with '-F' says I can't overwrite unencrypted to encrypted:
# zfs send -Rw tank@snapshot | zfs recv -vuF ztest1
cannot receive new filesystem stream: zfs receive -F cannot be used to destroy an encrypted filesystem or overwrite an unencrypted one with an encrypted one
What is the magic incantation to actually create a copy of an
encrypted pool?
--
Peter Jeremy