Hey All,
I’m a lurker but finally had a question pop up from a previous post here that I’m guessing could be answered well here. Recently I migrated all my data to use native zfs encryption so I could do zfs send to untrusted storage. I haven’t started those sends, but so far everything seems to be working with my datasets encrypted. I kept the unencrypted datasets “just in case”, but they’ve been unused/unmounted. So after reading the post “Is native encryption ready for production use?” and knowing that I do a lot of zfs sends… It seems best to not have this data using native zfs encryption; it’s my family photo archive and documents, important stuff. I do have borgbackup running on the side.
I’m thinking since I kept my original unencrypted zfs datasets, that I can do an incremental send from the encrypted dataset to the unencrypted ones, so the only data moved is what was added since I started encryption. I’ve started this and it appears to be working; on a couple small datasets I’ve done zfs diff as well and that seems sane. My main concern is any silent corruption, and looking through the Google sheet of zfs native encryption bugs, it didn’t appear that my case matched any of those… so just a couple questions.
- Is moving off of zfs native encryption for data I care about recommended? Based on the referenced post, I’m 95% sure this is “yes”.
- Any obvious problems with my method to do an incremental send from the encrypted dataset to the previously used unencrypted dataset and then essentially promote that up?
- Is there a way to have my datasets unencrypted, but send them encrypted to untrusted storage? Nowhere crazy, just something like https://zfs.rent.
I appreciate any help.