Hi all,
Been playing around using syncoid to send and restore encrypted datasets and it all works beautifully.
I have a little NAS box with an unencrypted zroot and would like to send it to a backup but have it be encrypted on the received side. (Syncoid unencrypted send/receive works fine.)
Was curious if there was a way to send an unencrypted dataset and have it be encrypted on the receive side.
If I try syncoid sendoptions=w, get an error message:
cannot receive new filesystem stream: kernel modules must be upgraded to receive this stream.
I tried syncoid --recvoptions='-o encryption=on -o keyformat=raw -o keylocation=file:///root/zbackup.key'
But get error:
cannot receive incremental stream: encryption property ‘keyformat’ cannot be set for incremental streams.
If I remove the keyformat, get an error:
cannot receive new filesystem stream: Keyformat required for new encryption root.
Is there some combo I’m missing?
thanks
1 Like
Yes, you absolutely can send an unencrypted stream to an encrypted destination, I have a half-dozen systems doing that daily. If the dataset which will contain the received dataset has an encryption root set up, and you ensure that the encryption-related properties from the source dataset are not sent to the destination (using -x in zfs recv), then the encryption properties in place at the destination will take effect as the data is received.
3 Likes
Many thanks for the reply. Tried it with the -x on the receive side and also with no extra options and it says it’s encrypted on the zbackup pool.
If I set a mountpoint (on zbackup) it mounts it automatically showing all the files. Which is great for restoring purposes. But I was hoping it would ask to load the key before mounting the files.
Played around a bit more and maybe what I am trying to do doesn’t work with unencrypted datasets.
I like the raw send, as you can treat the receiving zpool as untrusted, and can’t access the files without doing a load-key.
So much to learn!
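
One way to check the outcome discussed in the answer and the follow-up above, as an added example that is not part of the thread: it reads `zfs get -H` output and reports, per dataset, whether it is encrypted under the expected encryption root and whether the key is currently loaded (a loaded key is why a received dataset can mount without prompting). The dataset names (`zbackup/enc`, `zbackup/plain`), the sample rows and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example. Input is `zfs get -H -o name,property,value` output:
# tab-separated, no header, one property per line.

# Constructed sample (hypothetical dataset names), standing in for:
#   zfs get -H -o name,property,value -t filesystem,volume \
#       -r encryption,encryptionroot,keystatus zbackup
sample_zfs_get() {
    printf '%s\t%s\t%s\n' \
        zbackup/enc         encryption     aes-256-gcm \
        zbackup/enc         encryptionroot zbackup/enc \
        zbackup/enc         keystatus      available \
        zbackup/enc/zroot   encryption     aes-256-gcm \
        zbackup/enc/zroot   encryptionroot zbackup/enc \
        zbackup/enc/zroot   keystatus      available \
        zbackup/plain/zroot encryption     off \
        zbackup/plain/zroot encryptionroot - \
        zbackup/plain/zroot keystatus      -
}

# audit_encryption EXPECTED_ROOT  (reads zfs get lines on stdin)
# Prints "<dataset> <verdict>" in first-seen order.
audit_encryption() {
    awk -F '\t' -v root="$1" '
        {
            prop[$1, $2] = $3
            if (!($1 in seen)) { seen[$1] = 1; order[++n] = $1 }
        }
        END {
            for (i = 1; i <= n; i++) {
                ds  = order[i]
                enc = prop[ds, "encryption"]
                er  = prop[ds, "encryptionroot"]
                ks  = prop[ds, "keystatus"]
                if (enc == "" || enc == "off") verdict = "PLAINTEXT"
                else if (er != root)           verdict = "OTHER-ROOT"
                else if (ks == "available")    verdict = "ENCRYPTED-KEY-LOADED"
                else                           verdict = "ENCRYPTED-LOCKED"
                printf "%s %s\n", ds, verdict
            }
        }'
}

# Run against the constructed sample.
sample_zfs_get | audit_encryption zbackup/enc
```

ENCRYPTED-KEY-LOADED means the data is encrypted on disk but readable on that host until the key is unloaded; OTHER-ROOT is what a raw-received dataset, which keeps its own encryption root, would show.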