Some questions about ZFS encryption

Hello,

I am currently using ZFS on Linux without encryption. I want to migrate some datasets to be encrypted.

Currently the datasets I want to encrypt are as follows:

rpool/stuff (empty)
rpool/stuff/a
rpool/stuff/b
rpool/stuff/c
rpool/stuff/c/main
rpool/stuff/c/extra

There are other datasets under rpool as well which I want to remain unencrypted.
I use sanoid and syncoid to maintain historical snapshots of the datasets.
What is the best way to change “stuff” and all its child datasets to be encrypted?

I was thinking of the following method:

  1. Create snapshot of rpool/stuff.
  2. Create new encrypted dataset rpool/stuff-enc
  3. zfs send snapshot created in step 1 to the new dataset (rpool/stuff-enc)
  4. Delete unencrypted stuff dataset
  5. Rename stuff-enc dataset to stuff

Does this sound like an appropriate method?
Do I need to create the child datasets in step 2 or just the root one (rpool/stuff-enc)?
Will this retain all the historical snapshots created using sanoid?

Thanks in advance for any advice!

You don’t need to create the child datasets, just the encrypted parent dataset.

You’ll retain the entire snapshot stream, if you use syncoid for the replication.

I strongly recommend learning how to unload the encryption key, so that you can test and verify that your newly replicated-in copies under the encrypted parent are, in fact, encrypted. If you can still read the data without the key loaded…

3 Likes
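The check recommended in the reply above can be scripted. This is an added example, not part of the thread: it audits the output of `zfs get` taken after the datasets have been unmounted and `zfs unload-key -r rpool/stuff-enc` has been run. The function name and the sample rows are constructed for illustration; the dataset names follow the layout in the question.

```shell
#!/bin/sh
# Added example (not from the thread). Sample rows below are constructed.

# audit_encryption ROOT WANT_KEYSTATUS
# Reads tab-separated "name property value" rows on stdin, as produced by:
#   zfs get -H -r -t filesystem,volume -o name,property,value \
#       encryption,encryptionroot,keystatus ROOT
# Prints one line per dataset that fails a check; returns 1 if any did.
audit_encryption() {
    root=$1
    want_key=$2
    report=$(awk -F '\t' -v root="$root" -v want="$want_key" '
        $2 == "encryption"     { enc[$1] = $3 }
        $2 == "encryptionroot" { er[$1]  = $3 }
        $2 == "keystatus"      { ks[$1]  = $3 }
        END {
            n = 0
            for (d in enc) {
                n++
                if (enc[d] == "off")      { print d ": encryption=off" }
                else if (er[d] != root)   { print d ": encryptionroot=" er[d] }
                else if (ks[d] != want)   { print d ": keystatus=" ks[d] }
            }
            # Empty input must not pass silently (wrong dataset name, typo).
            if (n == 0) { print "no datasets in input" }
        }' | sort)
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
}

# Constructed sample: key unloaded, every dataset inherits from the parent.
sample_ok() {
    for d in rpool/stuff-enc rpool/stuff-enc/a rpool/stuff-enc/c/main; do
        printf '%s\tencryption\taes-256-gcm\n' "$d"
        printf '%s\tencryptionroot\trpool/stuff-enc\n' "$d"
        printf '%s\tkeystatus\tunavailable\n' "$d"
    done
}

# Constructed sample: same as above, plus one child that is not encrypted.
sample_bad() {
    sample_ok
    printf 'rpool/stuff-enc/b\tencryption\toff\n'
    printf 'rpool/stuff-enc/b\tencryptionroot\t-\n'
    printf 'rpool/stuff-enc/b\tkeystatus\t-\n'
}

sample_bad | audit_encryption rpool/stuff-enc unavailable || echo "verification FAILED"
```

A clean audit with the key unloaded should be followed by confirming that the datasets refuse to mount until `zfs load-key` is run again.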

Thanks for the reply and advice Jim, I am going to give it a go this weekend.

P.S. Have been listening to you on 2.5 admins since episode 1, very enjoyable.

Cheers

1 Like