List-Id: Filesystems
List-Archive: https://lists.freebsd.org/archives/freebsd-fs
From: Rich
Date: Sat, 25 Sep 2021 22:04:54 -0400
Subject: Re: Backing up using ZFS native encryption.
To: Peter Jeremy
Cc: freebsd-fs

To back up the full contents of an encrypted pool, you can just receive
it into a child dataset on another pool. You cannot overwrite an
encrypted dataset in-place, or an unencrypted one with an encrypted
one, so there is no way to replicate a pool 1:1 if the encryption
includes the root dataset. This is one more reason not to put
{settings,data} you care about preserving in the root dataset.

- Rich

On Sat, Sep 25, 2021 at 9:46 PM Peter Jeremy wrote:
>
> I'm trying to use ZFS native encryption to allow me to do backups to
> a remote system without that system having access to the backup contents.
> According to the documentation, "zfs send --raw ..." can be used to
> send encrypted backups but it's not clear how to create a suitable
> destination pool.
>
> Using a 13-stable system from about a week ago (g5f4ba94eb591), I've tried:
>
> 1) Creating the destination pool with encryption enabled:
> # zpool create -O encryption=on -O keyformat=passphrase -O keylocation=file:///boot/zfs/tank.key ztest1 da{0,1}p8
>
> a) Receive without '-F' says I need to use '-F':
> # zfs send -Rw tank@snapshot | zfs recv -vu ztest1
> cannot receive new filesystem stream: destination 'ztest1' exists
> must specify -F to overwrite it
>
> b) Receive with '-F' says I can't destroy an encrypted filesystem:
> # zfs send -Rw tank@snapshot | zfs recv -vuF ztest1
> cannot receive new filesystem stream: zfs receive -F cannot be used to destroy an encrypted filesystem or overwrite an unencrypted one with an encrypted one
>
> 2) Creating the destination pool without encryption:
> # zpool create ztest1 da{0,1}p8
>
> a) Receive without '-F' says I need to use '-F':
> # zfs send -Rw tank@snapshot | zfs recv -vu ztest1
> cannot receive new filesystem stream: destination 'ztest1' exists
> must specify -F to overwrite it
>
> b) Receive with '-F' says I can't overwrite unencrypted to encrypted:
> # zfs send -Rw tank@snapshot | zfs recv -vuF ztest1
> cannot receive new filesystem stream: zfs receive -F cannot be used to destroy an encrypted filesystem or overwrite an unencrypted one with an encrypted one
>
> What is the magic incantation to actually create a copy of an
> encrypted pool?
>
> --
> Peter Jeremy
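A worked form of the procedure Rich describes, added here as an example; it is not code posted in the thread. It reuses the thread's names (tank as the source pool, ztest1 as the backup pool, so the destination becomes the child dataset ztest1/tank) and the snapshot labels are hypothetical. It goes a little beyond the thread in two ways: it also builds the incremental (-I) follow-up send, and it audits, over constructed sample output of `zfs get`, that the backup host ends up holding only ciphertext with no key loaded, which is the property Peter's setup is meant to guarantee.

```sh
#!/bin/sh
# Added example, not code from the thread: replicate an encrypted pool with
# raw sends into a CHILD dataset of the backup pool (here ztest1/tank), never
# onto the pool root. Pool, dataset and snapshot names are hypothetical.
#
# One-time setup on the backup host: a plain pool, its root stays unencrypted.
#   zpool create ztest1 da0p8 da1p8

# Refuse a pool-root destination up front. The thread shows why:
# 'zfs recv -F ztest1' fails because -F cannot destroy an encrypted dataset
# or overwrite an unencrypted one with an encrypted one.
check_dst_is_child() {
    case "$1" in
        */*) return 0 ;;
        *)   echo "destination '$1' is a pool root; receive into '$1/tank' instead" >&2
             return 1 ;;
    esac
}

# Build the send|recv pipeline as a string (printed, not executed).
#   -R  replicate the whole dataset tree under SRC
#   -w  raw: only ciphertext and the wrapped key leave the source, so the
#       backup host never needs the passphrase
#   -I  incremental from PREV_SNAP when one is given (PREV_SNAP must already
#       exist on the destination from an earlier receive)
#   -u  do not try to mount on receive (impossible without the key anyway)
# Usage: build_pipeline SRC_DATASET DST_DATASET SNAP [PREV_SNAP]
build_pipeline() {
    src=$1; dst=$2; snap=$3; prev=$4
    check_dst_is_child "$dst" || return 1
    if [ -n "$prev" ]; then
        printf 'zfs send -Rw -I %s@%s %s@%s | zfs recv -u %s\n' \
            "$src" "$prev" "$src" "$snap" "$dst"
    else
        printf 'zfs send -Rw %s@%s | zfs recv -u %s\n' "$src" "$snap" "$dst"
    fi
}

# Query to run on the backup host after a receive (tab-separated, no header).
verify_cmd() {
    printf 'zfs get -r -H -o name,property,value encryption,keystatus %s\n' "$1"
}

# Audit that query's output (read from stdin): every received dataset must be
# encrypted and its key must be unavailable on this host. Exit 1 otherwise.
audit_keystatus() {
    awk '
        $2 == "encryption" && $3 == "off"       { print "unencrypted: " $1; bad = 1 }
        $2 == "keystatus"  && $3 == "available" { print "key loaded:  " $1; bad = 1 }
        END { exit (bad ? 1 : 0) }'
}

# Constructed sample of what verify_cmd prints on a healthy backup host.
sample_good() {
    printf 'ztest1/tank\tencryption\taes-256-gcm\n'
    printf 'ztest1/tank\tkeystatus\tunavailable\n'
    printf 'ztest1/tank/home\tencryption\taes-256-gcm\n'
    printf 'ztest1/tank/home\tkeystatus\tunavailable\n'
}

# Constructed sample where someone has run 'zfs load-key' on the backup host.
sample_bad() {
    printf 'ztest1/tank\tencryption\taes-256-gcm\n'
    printf 'ztest1/tank\tkeystatus\tavailable\n'
}

# Returns 0 when the named sample passes the audit, 1 when it does not.
audit_sample() {
    case "$1" in
        good) sample_good | audit_keystatus ;;
        bad)  sample_bad  | audit_keystatus ;;
        *)    return 2 ;;
    esac
}

# Real run, only when invoked with arguments on a host that has zfs, e.g.:
#   sh backup.sh tank ztest1/tank daily-2021-09-25 daily-2021-09-24
if [ $# -ge 3 ] && command -v zfs >/dev/null 2>&1; then
    cmd=$(build_pipeline "$1" "$2" "$3" "$4") || exit 1
    eval "$cmd" || exit 1
    eval "$(verify_cmd "$2")" | audit_keystatus
fi
```

The check that matters for Peter's threat model is the last one: after a raw receive, `zfs get keystatus` on the backup host should report `unavailable` for every received dataset, and nothing in the backup procedure should ever run `zfs load-key` there. Keeping the backup pool's own root dataset plain and receiving under it is exactly Rich's point; the guard in `check_dst_is_child` just makes the mistake from the thread impossible to repeat by accident.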