From: Peter Jeremy <peter@rulingia.com>
To: freebsd-fs@freebsd.org
Date: Sun, 26 Sep 2021 11:45:46 +1000
Subject: Backing up using ZFS native encryption.
List-Archive: https://lists.freebsd.org/archives/freebsd-fs

I'm trying to use ZFS native encryption to allow me to do backups to a
remote system without that system having access to the backup contents.
According to the documentation, "zfs send --raw ..." can be used to send
encrypted backups but it's not clear how to create a suitable destination
pool.
Using a 13-stable system from about a week ago (g5f4ba94eb591), I've tried:

1) Creating the destination pool with encryption enabled:

   # zpool create -O encryption=on -O keyformat=passphrase -O keylocation=file:///boot/zfs/tank.key ztest1 da{0,1}p8

   a) Receive without '-F' says I need to use '-F':

      # zfs send -Rw tank@snapshot | zfs recv -vu ztest1
      cannot receive new filesystem stream: destination 'ztest1' exists
      must specify -F to overwrite it

   b) Receive with '-F' says I can't destroy an encrypted filesystem:

      # zfs send -Rw tank@snapshot | zfs recv -vuF ztest1
      cannot receive new filesystem stream: zfs receive -F cannot be used to destroy an encrypted filesystem or overwrite an unencrypted one with an encrypted one

2) Creating the destination pool without encryption:

   # zpool create ztest1 da{0,1}p8

   a) Receive without '-F' says I need to use '-F':

      # zfs send -Rw tank@snapshot | zfs recv -vu ztest1
      cannot receive new filesystem stream: destination 'ztest1' exists
      must specify -F to overwrite it

   b) Receive with '-F' says I can't overwrite unencrypted to encrypted:

      # zfs send -Rw tank@snapshot | zfs recv -vuF ztest1
      cannot receive new filesystem stream: zfs receive -F cannot be used to destroy an encrypted filesystem or overwrite an unencrypted one with an encrypted one

What is the magic incantation to actually create a copy of an encrypted pool?
-- 
Peter Jeremy
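Added worked example (editor's note, not part of Peter Jeremy's post): both failures above come from receiving into the destination pool's root dataset, which already exists and therefore demands -F, and -F is refused for encrypted datasets. Receiving the raw stream into a not-yet-existing child dataset of the destination pool (ztest1/tank instead of ztest1) needs no -F, and a raw-received encrypted dataset becomes its own encryption root, so the backup host can store it without ever loading the key. The script below is a throwaway end-to-end demonstration on file-backed vdevs; the pool names tank and ztest1, the snapshot name "backup", the /tmp paths and the passphrase file are all hypothetical choices for this example. The pool-level part only runs when invoked as "sh script.sh demo" as root on a system with ZFS.

```shell
#!/bin/sh
# Editor-added example, not from the original post. Raw ("-w") replication of
# an encrypted pool into a CHILD dataset of an unencrypted destination pool.
# Hypothetical names: pools tank/ztest1, snapshot tank@backup, files in /tmp.
set -eu

# Map a source dataset to a child of the destination pool ("tank" -> "ztest1/tank").
# Refuses anything but a bare pool name so the pool root dataset is never the target;
# that is exactly the case that forces -F and triggers the "encrypted filesystem" error.
recv_target() {            # usage: recv_target DESTPOOL SRCDATASET
    case "$1" in
        *'/'*) printf 'destination must be a bare pool name\n' >&2; return 1 ;;
    esac
    [ -n "$1" ] || return 1
    printf '%s/%s\n' "$1" "${2##*/}"
}

# Full raw replication. The receiver stores ciphertext only; it never needs the
# passphrase and never loads the key, so -u (do not mount) is the natural choice.
backup_raw() {             # usage: backup_raw SRCDATASET SNAPNAME DESTPOOL
    target=$(recv_target "$3" "$1")
    zfs snapshot -r "$1@$2"
    zfs send -Rw "$1@$2" | zfs recv -uv "$target"
    # Later increments go the same way, without -F:
    #   zfs send -Rwi tank@backup tank@backup2 | zfs recv -uv ztest1/tank
}

# Post-receive check a practitioner wants on the backup host: every received
# dataset must show encryption=on, keystatus=unavailable (key never loaded here)
# and an encryptionroot inside the copy rather than the source pool.
verify_raw_copy() {        # usage: verify_raw_copy DATASET
    zfs get -H -o name,property,value -r encryption,keystatus,encryptionroot "$1"
}

# Throwaway demo on file-backed vdevs (needs root and ZFS; destroys what it creates).
demo() {
    truncate -s 256m /tmp/src.img /tmp/dst.img
    printf 'correct horse battery staple\n' > /tmp/tank.key   # constructed passphrase
    zpool create -O encryption=on -O keyformat=passphrase \
        -O keylocation=file:///tmp/tank.key tank /tmp/src.img
    zpool create ztest1 /tmp/dst.img                          # destination stays unencrypted
    echo secret > /tank/file.txt
    backup_raw tank backup ztest1
    verify_raw_copy ztest1/tank
    zpool destroy ztest1
    zpool destroy tank
    rm -f /tmp/src.img /tmp/dst.img /tmp/tank.key
}

# Only touch real pools when explicitly asked, as root, with ZFS available.
if [ "${1:-}" = demo ] && command -v zpool >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    demo
fi
```

The key only ever has to exist on the backup host if you want to read the copy there: a later "zfs load-key ztest1/tank" with the same passphrase makes it readable, and until then the receiver holds ciphertext plus the wrapped key that the raw stream carries.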