I have an encrypted dataset in my home directory for my sensitive documents. What's the best way to back it up to another pool using syncoid while maintaining encryption?
The structure is pool/MyUser/EncryptedDocs.
I think the first time I backed it up, it was unlocked and mounted so the backup is listed as unencrypted in the TrueNAS GUI.
If it is unlocked and I do syncoid -r mypool backuppool/mypool, it will work but the destination is unencrypted.
Doing syncoid --sendoptions="w" -r mypool backuppool/mypool is the same.
If it is locked, syncoid won’t back it up. If I use send options, it says it can’t put an encrypted dataset over an unencrypted one.
What's the proper way to accomplish what I want?
syncoid --sendoptions=w -r mypool backuppool/mypool is the correct process, but…
You must create backuppool/mypool via raw send (zfs send -w or syncoid --sendoptions=w). If it was created using zfs create (or anything other than a raw send), all future raw sends will always fail, and encryption will never work: Destroy backuppool/mypool and start over with a raw send.
A few more caveats:
- By default, raw send doesn’t copy the keylocation property. It will default to
- I sometimes do my initial send using both raw and props (zfs send -w -p or syncoid --sendoptions=wp). This copies zfs properties to the destination, including the value of
- When the send completes,
- The encryption key for backuppool/mypool might not be loaded automatically. Make sure you can load the key (e.g. via zfs load-key backuppool/mypool).
- The key must be loaded before you can mount. After the key is loaded, you may need to zfs mount on your own. (Or, load the key and mount at the same time with zfs mount -l backuppool/mypool.)
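
A pre-flight check for the situation in this thread, added here as an example (it is not part of either post): it reads the output of zfs get -H -o property,value encryption,keystatus for the destination copy of the encrypted dataset and prints which of the steps from the answer applies. The function names and the sample zfs get output are constructed for illustration; the dataset names are the ones used in the thread.

```shell
#!/bin/sh
# Added example. Classify a backup destination from `zfs get` output.
# stdin: tab-separated "property<TAB>value" lines, as printed by
#   zfs get -H -o property,value encryption,keystatus <dataset>
# A dataset that does not exist yields no output, so empty input => "missing".
dest_state() {
    awk -F '\t' '
        $1 == "encryption" { enc = $2 }
        $1 == "keystatus"  { ks  = $2 }
        END {
            if (enc == "")              print "missing"      # not created yet
            else if (enc == "off")      print "unencrypted"  # not made by a raw send
            else if (ks == "available") print "ready"        # encrypted, key loaded
            else                        print "locked"       # encrypted, key not loaded
        }'
}

# Map a state to the action the answer gives for it.
# $1 = state, $2 = source dataset, $3 = destination dataset
next_step() {
    case "$1" in
        missing|ready)
            echo "syncoid --sendoptions=w -r $2 $3" ;;
        unencrypted)
            echo "destroy $3, then: syncoid --sendoptions=w -r $2 $3" ;;
        locked)
            echo "zfs mount -l $3" ;;
        *)
            echo "unknown state: $1" >&2; return 1 ;;
    esac
}

# Constructed sample outputs (not captured from a real pool).
sample_unencrypted() { printf 'encryption\toff\nkeystatus\t-\n'; }
sample_locked()      { printf 'encryption\taes-256-gcm\nkeystatus\tunavailable\n'; }
sample_ready()       { printf 'encryption\taes-256-gcm\nkeystatus\tavailable\n'; }

for s in sample_unencrypted sample_locked sample_ready; do
    state=$($s | dest_state)
    printf '%-20s %-12s %s\n' "$s" "$state" \
        "$(next_step "$state" mypool backuppool/mypool)"
done
```

On a live system, pipe the real zfs get output into dest_state instead of the sample functions.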