Re: Backing up using ZFS native encryption.
- In reply to: Peter Jeremy : "Backing up using ZFS native encryption."
Date: Sun, 26 Sep 2021 02:04:54 UTC
To back up the full contents of an encrypted pool, you can just receive it into a child dataset on another pool. You cannot overwrite an encrypted dataset in-place, or an unencrypted one with an encrypted one, so there is no way to replicate a pool 1:1 if the encryption includes the root dataset. This is one more reason not to put {settings,data} you care about preserving in the root dataset.

- Rich

On Sat, Sep 25, 2021 at 9:46 PM Peter Jeremy <peter@rulingia.com> wrote:
>
> I'm trying to use ZFS native encryption to allow me to do backups to
> a remote system without that system having access to the backup contents.
> According to the documentation, "zfs send --raw ..." can be used to
> send encrypted backups but it's not clear how to create a suitable
> destination pool.
>
> Using a 13-stable system from about a week ago (g5f4ba94eb591), I've tried:
> 1) Creating the destination pool with encryption enabled:
> # zpool create -O encryption=on -O keyformat=passphrase -O keylocation=file:///boot/zfs/tank.key ztest1 da{0,1}p8
> a) Receive without '-F' says I need to use '-F':
> # zfs send -Rw tank@snapshot | zfs recv -vu ztest1
> cannot receive new filesystem stream: destination 'ztest1' exists
> must specify -F to overwrite it
> b) Receive with '-F' says I can't destroy an encrypted filesystem:
> # zfs send -Rw tank@snapshot | zfs recv -vuF ztest1
> cannot receive new filesystem stream: zfs receive -F cannot be used to destroy an encrypted filesystem or overwrite an unencrypted one with an encrypted one
>
> 2) Creating the destination pool without encryption:
> # zpool create ztest1 da{0,1}p8
> a) Receive without '-F' says I need to use '-F':
> # zfs send -Rw tank@snapshot | zfs recv -vu ztest1
> cannot receive new filesystem stream: destination 'ztest1' exists
> must specify -F to overwrite it
> b) Receive with '-F' says I can't overwrite unencrypted to encrypted:
> # zfs send -Rw tank@snapshot | zfs recv -vuF ztest1
> cannot receive new filesystem stream: zfs receive -F cannot be used to destroy an encrypted filesystem or overwrite an unencrypted one with an encrypted one
>
> What is the magic incantation to actually create a copy of an
> encrypted pool?
>
> --
> Peter Jeremy
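The pattern Rich describes, as an added example that is not part of the thread: a small POSIX sh wrapper that raw-sends a snapshot tree into a child dataset on the backup pool and refuses the pool root as a destination, since the `zfs recv -F` errors quoted above show the root cannot be overwritten in place. The names `tank@snapshot` and `ztest1/tank` are placeholders taken from the thread's own examples; `DRY_RUN`, `is_child_dataset`, `build_pipeline`, `replicate_raw` and `verify_received_encrypted` are this example's own names, not ZFS or FreeBSD ones.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Replicates an encrypted
# pool's datasets with a raw send (-w) into a CHILD dataset on the backup
# pool, so the backup host only ever stores ciphertext and never needs the key.
# Assumptions: hypothetical names tank@snapshot / ztest1/tank; DRY_RUN=1 prints
# the pipeline instead of executing it (no zfs binary required for that path).

# Return 0 if the destination names a dataset below a pool root (has a '/'),
# 1 if it is a bare pool name, which zfs recv cannot overwrite in place.
is_child_dataset() {
    case "$1" in
        */*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Build the replication pipeline as a string so it can be reviewed before use.
#   -R  send the whole snapshot tree with its properties
#   -w  raw stream: encrypted blocks are sent as-is, keys stay on the source
#   -u  do not mount the received datasets on the backup host
build_pipeline() {
    printf 'zfs send -Rw %s | zfs recv -u %s\n' "$1" "$2"
}

# Validate inputs, then print (DRY_RUN=1) or run the pipeline.
# Exit status: 0 ok, 1 destination is a pool root, 2 source is not a snapshot.
replicate_raw() {
    src_snap=$1
    dest=$2
    case "$src_snap" in
        *@*) ;;
        *) echo "source must be a snapshot (pool/dataset@snap): $src_snap" >&2
           return 2 ;;
    esac
    if ! is_child_dataset "$dest"; then
        echo "refusing to receive into pool root '$dest'; use a child such as $dest/backup" >&2
        return 1
    fi
    cmd=$(build_pipeline "$src_snap" "$dest")
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$cmd"
        return 0
    fi
    sh -c "$cmd"
}

# After a real receive, confirm the copy is still encrypted on the backup pool
# (the 'encryption' property of a raw-received dataset should not be 'off').
verify_received_encrypted() {
    enc=$(zfs get -H -o value encryption "$1") || return 1
    [ "$enc" != "off" ]
}

# Usage (run on the backup host, which already has the unencrypted pool ztest1):
#   DRY_RUN=1 ./zfs-raw-backup.sh      # show the pipeline
#   ./zfs-raw-backup.sh                # perform the receive
if [ "${0##*/}" = "zfs-raw-backup.sh" ]; then
    replicate_raw tank@snapshot ztest1/tank && \
        { [ "${DRY_RUN:-0}" = 1 ] || verify_received_encrypted ztest1/tank; }
fi
```

The destination pool itself can be created without any encryption properties, as in Peter's second attempt; the encryption travels inside the raw stream and lands on `ztest1/tank`, while the root dataset `ztest1` stays untouched, which is exactly why the receive into a child succeeds where the receive into the root fails.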