Replicate to dataset created with ZFS native encryption?
Posted: Fri Aug 03, 2018 9:03 am
I wanted to try out the new native encryption features of ZFS using my external disk pool. I was able to create an encrypted dataset named ELITE/HOME_BACKUP with the instructions from the wiki. I was hoping I could do a zfs send | zfs receive to transfer a snapshot to the newly created dataset, but it appears that isn't possible:
Code:
sh-3.2# zfs send SANDISKDATA/SHOME@2013_12_user_data_SL | zfs receive ELITE/HOME_BACKUP
cannot receive new filesystem stream: destination 'ELITE/HOME_BACKUP' exists
must specify -F to overwrite it
warning: cannot send 'SANDISKDATA/SHOME@2013_12_user_data_SL': signal received
sh-3.2# zfs send SANDISKDATA/SHOME@2013_12_user_data_SL | zfs receive -F ELITE/HOME_BACKUP
cannot receive new filesystem stream: zfs receive -F cannot be used to destroy an encrypted filesystem
warning: cannot send 'SANDISKDATA/SHOME@2013_12_user_data_SL': signal received
sh-3.2#
It seems like the receive operation needs to create the dataset, but then I also read that encryption needs to be specified at creation. I don't know how to do that with a passphrase, because zfs receive is expecting its input to come from the pipe of send. Is this even possible? The man page for zfs only lists '-o origin=snapshot' as the only option during a receive; does it also accept turning on encryption? Is the creation of an encrypted snapshot target only possible if you specify a file-based key? I must be missing something here.