Possible to send unencrypted dataset to encrypted backup?

Hi all,

Been playing aroung using syncoid to send and restore encrypted datasets and it all works beautifully.

I have a little NAS box with an unencrypted zroot and would like to send it to a backup but have it be encrypted on the received side. (Syncoid unencrypted send/receive works fine.)

Was curious if there was a way to send an unencrypted dataset and have it be encrypted on the receive side.

If I try syncoid sendoptions=w, get an error message:
cannot receive new filesystem stream: kernel modules must be upgraded to receive this stream.

I tried syncoid --recvoptions=‘-o encryption=on -o keyformat=raw -o keylocation=file:///root/zbackup.key’

But get error:
cannot receive incremental stream: encryption property ‘keyformat’ cannot be set for incremental streams.

If I remove the keyformat, get an error:
cannot receive new filesystem stream: Keyformat required for new encryption root.

Is there some combo i’m missing?


1 Like

Yes, you absolutely can send an unencrypted stream to an encrypted destination, I have a half-dozen systems doing that daily. If the dataset which will contain the received dataset has an encryption root setup, and you ensure that the encryption-related properties from the source dataset are not sent to the destination (using -x in zfs recv), then the encryption properties in place at the destination will take effect as the data is received.


Many thanks for the reply. Tried it with the -x on the receive side and also with no extra options and it says it’s encrypted on the zbackup pool.

If I set a mountpoint (on zbackup) it mounts it automatically showing all the files. Which is great for restoring purposes. But I was hoping it would ask to load the key before mounting the files.

Played around a bit more and maybe what i am trying to do doesn’t work with unencrypted datasets.

I like the raw send, as you can treat the receiving zpool as untrusted, and can’t access the files without doing a load-key.

So much to learn!