Replicate to dataset created with ZFS native encryption?

Postby Sharko » Fri Aug 03, 2018 9:03 am

I wanted to try out the new native encryption features of ZFS using my external disk pool. I was able to create an encrypted dataset named ELITE/HOME_BACKUP with the instructions from the wiki. I was hoping I could do a zfs send | zfs receive to transfer a snapshot to the newly created dataset, but it appears that isn't possible:

sh-3.2# zfs send SANDISKDATA/SHOME@2013_12_user_data_SL | zfs receive ELITE/HOME_BACKUP
cannot receive new filesystem stream: destination 'ELITE/HOME_BACKUP' exists
must specify -F to overwrite it
warning: cannot send 'SANDISKDATA/SHOME@2013_12_user_data_SL': signal received
sh-3.2# zfs send SANDISKDATA/SHOME@2013_12_user_data_SL | zfs receive -F ELITE/HOME_BACKUP
cannot receive new filesystem stream: zfs receive -F cannot be used to destroy an encrypted filesystem
warning: cannot send 'SANDISKDATA/SHOME@2013_12_user_data_SL': signal received
sh-3.2#


It seems like the receive operation needs to create the dataset, but then I also read that encryption needs to be specified at creation. I don't know how to do that with a passphrase, because zfs receive is expecting its input to come from the pipe of send. Is this even possible? The man page for zfs only lists '-o origin=snapshot' as the only option during a receive; does it also accept turning on encryption? Is the creation of an encrypted snapshot target only possible if you specify a file-based key? I must be missing something here.

Re: Replicate to dataset created with ZFS native encryption?

Postby lundman » Fri Aug 03, 2018 1:01 pm

Basically, you should use the inherit feature when receiving. So you create

ELITE/CRYPT

then you receive
ELITE/CRYPT/HOME_BACKUP

as anything "under" "ELITE_CRYPT" will inherit the crypto settings and be encrypted.

In future, the "-o / -x" PR will be added and you can add options on the recv command line.

Re: Replicate to dataset created with ZFS native encryption?

Postby Sharko » Sat Aug 04, 2018 9:06 am

Thank you! OK, that makes sense. I still have a little confusion about the last part you wrote; the -o obviously is for setting a property during a receive. Paging through the zfs man page I don't see what the -x switch is for.

Re: Replicate to dataset created with ZFS native encryption?

Postby lundman » Sun Aug 05, 2018 4:06 pm

https://github.com/zfsonlinux/zfs/commi ... aff23b6906

-o to add properties, and -x to remove properties you don't want, when receiving.

Re: Replicate to dataset created with ZFS native encryption?

Postby Sharko » Thu Aug 16, 2018 6:24 am

So, I came back to this project of replication to a dataset with ZFS native encryption. I started over and followed tangles' advice from the other thread to create my main pool by removing all partitions (using gparted on a linux box, grrr), zeroing out the first 500 MB of raw data on the disks, and then giving the entire disks to zpool to create a mirror (the external drive housing is an OWC Mercury ELITE Pro Dual enclosure holding two 4TB disks, connected via ESATA). Zfs version is 1.7.2, operating system is El Capitan 10.11.6. Pool creation was successful, as was the creation of an encrypted dataset which I called ENCRYPTED. I set the properties of compression on and atime off. I then did a ZFS send of my earliest snapshot of my SHOME dataset in pool SANDISKDATA, to ELITE/ENCRYPTED/SHOME_BACKUP. That seemed to work; the disks got busy and Activity Monitor showed 150 MB/sec to 300 MB/sec being read and written.

Edit: I should add that although I'm running 1.7.2 zfs, the source pool on SANDISKDATA has not been upgraded from 1.5.2, in case that matters.

When I came back to the computer a few hours later the disk activity had stopped, and it gave me an error saying that it had been unable to mount the new dataset. When I tried to get some information about the dataset using zfs list the command hung; in fact, the whole computer was wedged: the mouse would move around, and it would respond initially to keypresses, but eventually both the Terminal and Activity Monitor went into permanent beachball status and I had to shut down the system hard.

This morning I restarted the system, and it appears that there is a dataset SHOME_BACKUP as I intended, with an appropriate amount of referred data, but it won't mount. I can unlock and mount the encrypted parent dataset ENCRYPTED, but not the child dataset SHOME_BACKUP. Am I missing something here, or should I be able to do that?

Edit 2: when I double click on the ENCRYPTED disk icon on the desktop it brings up a Finder window with 0 items (empty).

sh-3.2# zpool import ELITE
sh-3.2# zpool status ELITE
  pool: ELITE
 state: ONLINE
  scan: none requested
config:

   NAME                                            STATE     READ WRITE CKSUM
   ELITE                                           ONLINE       0     0     0
     mirror-0                                      ONLINE       0     0     0
       media-242BC369-FCE9-FE46-ABF0-0A642C436300  ONLINE       0     0     0
       media-69695A64-B89B-DA4E-8C59-94537E25C1F6  ONLINE       0     0     0

errors: No known data errors
sh-3.2# zfs mount -l ELITE/ENCRYPTED
Enter passphrase for 'ELITE/ENCRYPTED':
sh-3.2# zfs mount -l ELITE/ENCRYPTED/SHOME_BACKUP
cannot mount '/Volumes/ELITE/ENCRYPTED/SHOME_BACKUP': failed to create mountpoint
sh-3.2# zfs list -r ELITE
NAME                           USED  AVAIL  REFER  MOUNTPOINT
ELITE                          369G  3.15T  1.08M  /Volumes/ELITE
ELITE/ENCRYPTED                369G  3.15T   740K  /Volumes/ELITE/ENCRYPTED
ELITE/ENCRYPTED/SHOME_BACKUP   369G  3.15T   369G  /Volumes/ELITE/ENCRYPTED/SHOME_BACKUP
sh-3.2# zfs list -t snapshot -r ELITE
NAME                                                USED  AVAIL  REFER  MOUNTPOINT
ELITE/ENCRYPTED/SHOME_BACKUP@2013_12_user_data_SL      0      -   369G  /Volumes/ELITE/ENCRYPTED/SHOME_BACKUP/.zfs/snapshot/2013_12_user_data_SL
sh-3.2# zfs get mountpoint ELITE/ENCRYPTED/SHOME_BACKUP
NAME                          PROPERTY    VALUE                                  SOURCE
ELITE/ENCRYPTED/SHOME_BACKUP  mountpoint  /Volumes/ELITE/ENCRYPTED/SHOME_BACKUP  default
sh-3.2#


Thanks for your advice!

Re: Replicate to dataset created with ZFS native encryption?

Postby Sharko » Thu Aug 16, 2018 7:54 pm

I had a thought... I forgot to mention that I had set the ENCRYPTED dataset to be read-only after I created it, so that it would be clean for subsequent snapshot replication. I wonder if that is the cause of the current difficulty? Perhaps zfs was unable to write something crucial in the dataset when it created ELITE/ENCRYPTED/SHOME_BACKUP?

Re: Replicate to dataset created with ZFS native encryption?

Postby Sharko » Fri Aug 17, 2018 7:55 am

Following up on my own previous post, it appears that YES, the fact that ENCRYPTED (the parent encrypted dataset) was read-only is the problem. I set ENCRYPTED back to readonly=off, and then made a source dataset called SANDISKDATA/TEST and made several snapshots. With ELITE/ENCRYPTED writable I was able to send the first snapshot over to ELITE/ENCRYPTED/TEST_BACKUP and have it mount.

Of course when I sent the second snapshot it failed (as expected) because the Finder or OSX had changed something in the destination secretly (by creating a .DS_Store file or .fseventsd or .Trashes, probably). I just added a -F to zfs receive to force a rollback, and then the second send | receive was successful. After that I used zfs set to make TEST_BACKUP readonly, and after one more zfs receive -F I was able to send | receive without -F.

So, to sum up, don't make the parent encrypted dataset readonly; wait until after you have sent over your first snapshot to make the child dataset readonly; be prepared to use the -F flag on the second receive. Subsequent send | receive actions then can be done normally.

Perhaps someone more knowledgeable about zfs native encryption will be able to chime in and explain what exactly gets written to the parent encrypted dataset when a child encrypted dataset is created as part of a zfs receive?

Re: Replicate to dataset created with ZFS native encryption?

Postby lundman » Tue Aug 21, 2018 5:11 pm

That is interesting; it does seem odd that the parent dataset cannot be readonly.

Re: Replicate to dataset created with ZFS native encryption?

Postby lundman » Tue Aug 21, 2018 6:04 pm

OK, so when you send the dataset over, it wants to create a directory to hold the mount, in this case "TEST_BACKUP" directory inside "ENCRYPTED".

So if this is the case, you can either pre-create the directories you will need before setting readonly. Or, alternatively, use -o mountpoint=, or canmount= properties somehow.
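Added example, not part of any post in this thread: a small audit of a replication target that flags the two conditions discussed above, a child that did not inherit the parent's encryption and a parent set read-only before the first receive. The dataset ELITE/PLAIN and all sample property values are constructed; the `zfs get` invocation in the comment uses standard OpenZFS options.

```shell
# Audit a replication target. Feed it the tab-separated output of:
#   zfs get -H -r -t filesystem -o name,property,value \
#       encryption,encryptionroot,readonly ELITE/ENCRYPTED

# audit_target PARENT: reads "name<TAB>property<TAB>value" lines on stdin and
# prints one finding per line (no output means the target looks right).
audit_target() {
    awk -F '\t' -v parent="$1" '
        { prop[$1, $2] = $3; seen[$1] = 1 }
        END {
            if (!(parent in seen)) { print "MISSING " parent; exit }
            root = prop[parent, "encryptionroot"]
            if (prop[parent, "encryption"] == "off")
                print "PLAINTEXT_PARENT " parent   # nothing for children to inherit
            if (prop[parent, "readonly"] == "on")
                print "PARENT_READONLY " parent    # thread: child mountpoint cannot be created
            for (ds in seen) {
                if (ds == parent) continue
                if (prop[ds, "encryption"] == "off")
                    print "PLAINTEXT_CHILD " ds
                else if (prop[ds, "encryptionroot"] != root)
                    print "DIFFERENT_KEY " ds      # not unlocked by the parent key
            }
        }' | LC_ALL=C sort
}

# Constructed sample: the state from the Aug 16 post (parent set read-only).
sample_readonly_parent() {
    printf '%s\t%s\t%s\n' \
        ELITE/ENCRYPTED encryption aes-256-ccm \
        ELITE/ENCRYPTED encryptionroot ELITE/ENCRYPTED \
        ELITE/ENCRYPTED readonly on \
        ELITE/ENCRYPTED/SHOME_BACKUP encryption aes-256-ccm \
        ELITE/ENCRYPTED/SHOME_BACKUP encryptionroot ELITE/ENCRYPTED \
        ELITE/ENCRYPTED/SHOME_BACKUP readonly off
}

# Constructed sample: a stream received under an unencrypted, hypothetical parent.
sample_plain_parent() {
    printf '%s\t%s\t%s\n' \
        ELITE/PLAIN encryption off \
        ELITE/PLAIN encryptionroot - \
        ELITE/PLAIN readonly off \
        ELITE/PLAIN/SHOME_BACKUP encryption off \
        ELITE/PLAIN/SHOME_BACKUP encryptionroot - \
        ELITE/PLAIN/SHOME_BACKUP readonly off
}

sample_readonly_parent | audit_target ELITE/ENCRYPTED
```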