Migrating a ZFS pool to use OpenZFS encryption

Peter Jeremy peter at rulingia.com
Mon Apr 26 11:58:35 UTC 2021

I'm considering options for remote backups of a ZFS pool, without the
remote system having the decryption key, and they seem to be either:
a) Export the raw disks and locally run ZFS over geli over ggate.
b) Use ZFS send between encrypted pools.

The second option has the big advantage that I can do a scrub remotely
without the remote system needing the encryption keys.  The downside
is that the local pool also needs to be encrypted.  It's not possible
to encrypt in place (native encryption can only be enabled when a pool
is created) and there's very little information about how to get from
an unencrypted pool to a natively encrypted pool.  So far, the best
documentation I've found is
which can be summarised as "it's complicated".  (Another downside is
that native encryption is relatively new so I'm not sure how
battle-hardened it is.)

Before I reinvent the wheel, has anyone done this sort of thing and
is able to offer advice from practical experience?

Peter Jeremy