What are the best practices for using syncoid with encrypted datasets?

I have an encrypted dataset in my home directory for my sensitive documents. What's the best way to back it up to another pool using syncoid while maintaining encryption?

The structure is pool/MyUser/EncryptedDocs.

I think the first time I backed it up, it was unlocked and mounted so the backup is listed as unencrypted in the TrueNAS GUI.

If it is unlocked and I do syncoid -r mypool backuppool/mypool, it will work, but the destination is unencrypted.

Doing syncoid --sendoptions="w" -r mypool backuppool/mypool is the same.

If it is locked, syncoid won’t back it up. If I use send options, it says it can’t put an encrypted dataset over an unencrypted one.

What's the proper way to accomplish what I want?


syncoid --sendoptions=w -r mypool backuppool/mypool is the correct process, but…

You must create backuppool/mypool via raw send (zfs send -w or syncoid --sendoptions=w). If it was created using zfs create (or anything other than a raw send), all future raw sends will always fail, and encryption will never work: Destroy backuppool/mypool and start over with a raw send.

A few more caveats:

  • By default, raw send doesn’t copy the keylocation property. It will default to keylocation=prompt.
    • I sometimes do my initial send using both raw and props (zfs send -w -p or syncoid --sendoptions=wp). This copies zfs properties to the destination, including the value of keylocation.
  • When the send completes,
    • The encryption key for backuppool/mypool might not be loaded automatically. Make sure you can load the key (e.g. via zfs load-key backuppool/mypool).
    • The key must be loaded before you can mount. After the key is loaded, you may need to zfs mount on your own. (Or, load the key and mount at the same time with zfs mount -l backuppool/mypool)
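As an added example, not code from the thread or from the syncoid project: a small POSIX shell wrapper that applies the rules above before and after a syncoid run. It refuses to send if the destination already exists unencrypted (the case that makes every later raw send fail), uses raw+props (wp) for the initial send so keylocation survives, plain raw (w) afterwards, and loads the key and mounts the destination with zfs mount -l when the send is done. The dataset names are hypothetical; the zfs and syncoid invocations are the standard ones. The decision functions are pure so they can be exercised without a pool; the live flow only runs with --run.

```shell
#!/bin/sh
# Added example: enforce the encrypted-dataset rules for syncoid backups.
set -u

SRC="mypool/MyUser/EncryptedDocs"            # hypothetical encrypted source
DST="backuppool/mypool/MyUser/EncryptedDocs" # hypothetical destination

# dest_state ENC: classify the destination from its `encryption` property.
# Pass "" when `zfs get` found no such dataset.
dest_state() {
  case "$1" in
    "")  echo absent ;;     # first run: must be created by a raw send
    off) echo plain ;;      # made by zfs create / non-raw send: raw sends will fail forever
    *)   echo encrypted ;;  # existing raw-sent copy: incremental raw sends are fine
  esac
}

# send_options STATE: raw send always; add props (-p) on the initial send so the
# keylocation property is copied instead of defaulting to prompt.
send_options() {
  case "$1" in
    absent)    echo wp ;;
    encrypted) echo w ;;
    *)         return 1 ;;  # refuse to build a command for a plain destination
  esac
}

# key_is_loaded KEYSTATUS: `zfs get keystatus` prints available or unavailable
key_is_loaded() { [ "$1" = available ]; }

# main: query the live pools and act. Requires zfs and syncoid in PATH.
main() {
  enc=$(zfs get -H -o value encryption "$DST" 2>/dev/null || true)
  state=$(dest_state "$enc")
  if [ "$state" = plain ]; then
    echo "refusing: $DST exists unencrypted; destroy it and recreate it via a raw send" >&2
    exit 1
  fi
  opts=$(send_options "$state")
  syncoid --sendoptions="$opts" -r "$SRC" "$DST"

  # After the send the key is normally not loaded; load it and mount in one step.
  ks=$(zfs get -H -o value keystatus "$DST")
  if ! key_is_loaded "$ks"; then
    zfs mount -l "$DST"
  fi
  # Show what actually landed: encryption, where the key comes from, and mount state.
  zfs get -H -o property,value encryption,keylocation,keystatus,mounted "$DST"
}

if [ "${1:-}" = "--run" ]; then
  main
fi
```

Run it as `sh backup.sh --run` once the source key is loaded; if keylocation on the destination still reads prompt after the first send, the initial send was not done with props and zfs load-key will ask for the passphrase interactively.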