Backing up using ZFS native encryption.

From: Peter Jeremy <peter_at_rulingia.com>
Date: Sun, 26 Sep 2021 11:45:46 +1000
I'm trying to use ZFS native encryption to allow me to do backups to
a remote system without that system access to the backup contents.
According to the documentation, "zfs send --raw ..." can be used to
send encrypted backups but it's not clear how to create a suitable
destination pool.

Using a 13-stable system from about a week ago (g5f4ba94eb591), I've tried:
1) Creating the destination pool with encryption enabled:
   # zpool create -O encryption=on -O keyformat=passphrase -O keylocation=file:///boot/zfs/tank.key ztest1 da{0,1}p8
   a) Receive without '-F' says I need to use '-F':
      # zfs send -Rw tank_at_snapshot | zfs recv -vu ztest1 
cannot receive new filesystem stream: destination 'ztest1' exists
must specify -F to overwrite it
   b) Receive with '-F' says I can't destroy an encrypted filesystem:
      # zfs send -Rw tank_at_snapshot | zfs recv -vuF ztest1 
cannot receive new filesystem stream: zfs receive -F cannot be used to destroy an encrypted filesystem or overwrite an unencrypted one with an encrypted one

2) Creating the destination pool without encryption:
   # zpool create ztest1 da{0,1}p8
   a) Receive without '-F' says I need to use '-F':
      # zfs send -Rw tank_at_snapshot | zfs recv -vu ztest1 
cannot receive new filesystem stream: destination 'ztest1' exists
must specify -F to overwrite it
   b) Receive with '-F' says I can't overwrite unencrypted to encrypted
      # zfs send -Rw tank_at_snapshot | zfs recv -vuF ztest1 
cannot receive new filesystem stream: zfs receive -F cannot be used to destroy an encrypted filesystem or overwrite an unencrypted one with an encrypted one

What is the magic incantation to actually create a copy of an
encrypted pool?

-- 
Peter Jeremy

Received on Sun Sep 26 2021 - 01:45:46 UTC

Original text of this message