Problems with 2.1.6rc4 working with native encrypt dataset


Postby Sharko » Thu Nov 03, 2022 9:16 pm

I don't think the new RC4 is working properly with encryption yet, at least with a dataset encrypted by 1.9.4:

Code:
sh-3.2# zpool import SINGLE
sh-3.2# zfs mount -l SINGLE/ENCRYPTED
Enter passphrase for 'SINGLE/ENCRYPTED':
sh-3.2# zfs mount SINGLE/ENCRYPTED/HOME_BACKUP
cannot mount 'SINGLE/ENCRYPTED/HOME_BACKUP': encryption key not loaded
sh-3.2# date ; zfs send SINGLE/ENCRYPTED/HOME_BACKUP@2013_12_user_data_SL | zfs receive EXO/HOME ; date
Thu Nov  3 22:12:51 PDT 2022
warning: cannot send 'SINGLE/ENCRYPTED/HOME_BACKUP@2013_12_user_data_SL': dataset key must be loaded
cannot receive: failed to read from stream
Thu Nov  3 22:12:51 PDT 2022
sh-3.2# ls /Volumes/SINGLE/ENCRYPTED/
.Spotlight-V100      .VolumeIcon.icns   HOME_BACKUP      MACOS_ARCHIVE      MOM_BACKUP
.Trashes      .fseventsd      KIDS_IMAC_BACKUP   MEDIA_BACKUP
sh-3.2#


It sees the directories within ENCRYPTED, but it can't do anything with them. In Finder if you click on HOME_BACKUP you get a blank directory.

Do I need to upgrade the source pool SINGLE to latest format to be able to use it?
Sharko
 
Posts: 230
Joined: Thu May 12, 2016 12:19 pm
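
Added example, not part of the original post and not code from the OpenZFS on OS X project: the transcript above shows the parent's passphrase being accepted while the child dataset still reports "encryption key not loaded". The standard OpenZFS properties `keystatus` and `encryptionroot` show, per dataset, which keys are still unloaded and which dataset owns each key. The sample input is constructed for illustration and does not describe the poster's actual pool; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: list encrypted datasets whose key is not loaded.
# Expected input is the tab-separated output of:
#   zfs get -rH -o name,property,value encryptionroot,keystatus <pool>

# unloaded_keys: read `zfs get -H` lines on stdin and print
# "<dataset><TAB><encryptionroot>" for every dataset with keystatus=unavailable.
unloaded_keys() {
    awk -F '\t' '
        $2 == "encryptionroot" { root[$1] = $3 }
        $2 == "keystatus"      { status[$1] = $3 }
        END {
            for (ds in status)
                if (status[ds] == "unavailable")
                    print ds "\t" ((ds in root) ? root[ds] : "?")
        }' | sort
}

# sample_output: constructed `zfs get` output (not from the thread) in which
# one child is its own encryption root and its key has not been loaded.
sample_output() {
    printf '%s\t%s\t%s\n' \
        SINGLE encryptionroot - \
        SINGLE keystatus - \
        SINGLE/ENCRYPTED encryptionroot SINGLE/ENCRYPTED \
        SINGLE/ENCRYPTED keystatus available \
        SINGLE/ENCRYPTED/HOME_BACKUP encryptionroot SINGLE/ENCRYPTED/HOME_BACKUP \
        SINGLE/ENCRYPTED/HOME_BACKUP keystatus unavailable \
        SINGLE/ENCRYPTED/MEDIA_BACKUP encryptionroot SINGLE/ENCRYPTED \
        SINGLE/ENCRYPTED/MEDIA_BACKUP keystatus available
}

# With a pool name as argument, query the live pool; otherwise do nothing.
if [ "$#" -gt 0 ]; then
    zfs get -rH -o name,property,value encryptionroot,keystatus "$1" | unloaded_keys
fi
```

A dataset listed with itself as encryption root needs its own key loaded; one listed under a parent root shares that parent's key.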

Re: Problems with 2.1.6rc4 working with native encrypt datas

Postby lundman » Thu Nov 03, 2022 11:15 pm

Oh that is far back. I think we should create a test 1.9.4 pool with encrypted and work out the steps to go to 2.1.6.
It should be similar to:

https://openzfsonosx.org/wiki/FAQ#Q.29_ ... pto_to_2.0

but let's test it on a non-important pool first
lundman
 
Posts: 1335
Joined: Thu Mar 06, 2014 2:05 pm
Location: Tokyo, Japan

Re: Problems with 2.1.6rc4 working with native encrypt datas

Postby roemer » Fri Nov 04, 2022 5:18 am

I just tested 2.1.6rc4 on Monterey and arm64 with a natively encrypted pool that I originally created with zfs 1.9.4.
Works fine for me, except that reads seem slower as compared to unencrypted or when using the same pool under ZFS 1.9.4.
This might be due to the external USB enclosure though, I haven't tried it yet on the internal SSD.

Does 2.1.6rc4 include the fixes for the encryption performance on arm64?
roemer
 
Posts: 73
Joined: Sat Mar 15, 2014 2:32 pm

Re: Problems with 2.1.6rc4 working with native encrypt datas

Postby Sharko » Fri Nov 04, 2022 8:44 am

Hi Mr. Lundman,

So I prepared a small test pool with encrypted dataset under 1.9.4. I put 10GB of files in it, then exported it. Took it over to my RC4 machine, imported the pool, upgraded the pool, mounted the encrypted dataset. Still no joy, no files appear in FINDER, nor do any show up using 'ls' in Terminal under the encrypted dataset.

Code:
sh-3.2# zpool import TEST
sh-3.2# zpool upgrade TEST
This system supports ZFS pool feature flags.

Enabled the following features on 'TEST':
  userobj_accounting
  project_quota
  redaction_bookmarks
  redacted_datasets
  bookmark_written
  log_spacemap
  livelist
  device_rebuild
  zstd_compress
  draid
  zilsaxattr
  head_errlog
  blake3

sh-3.2# zpool status TEST
  pool: TEST
 state: ONLINE
config:

   NAME                                          STATE     READ WRITE CKSUM
   TEST                                          ONLINE       0     0     0
     media-E5E0DF0E-345B-8848-8A98-7A34BC8D9522  ONLINE       0     0     0

errors: No known data errors
sh-3.2# zfs mount -l TEST/ENCRYPTED
Enter passphrase for 'TEST/ENCRYPTED':
sh-3.2# ls /Volumes/TEST/ENCRYPTED/SMALL/       <----------------- NOTE: no files appear when I run 'ls' on directory with 10GB of data
sh-3.2# zfs list -r TEST
NAME                   USED  AVAIL  REFER  MOUNTPOINT
TEST                  10.6G   214G   536K  /Volumes/TEST
TEST/ENCRYPTED        10.6G   214G  1.09M  /Volumes/TEST/ENCRYPTED
TEST/ENCRYPTED/SMALL  10.6G   214G  10.6G  /Volumes/TEST/ENCRYPTED/SMALL
sh-3.2#


This isn't the end of the world for me; I'm fortunate to have extra disks I can use. It's just going to set me back a couple days while I erase an encrypted 4TB disk and re-create it as unencrypted. With the trouble I've seen so far on this it makes perfect sense to switch that disk to unencrypted, and not trust any old disks encrypted under 1.9.4. I'll recreate everything under 2.1.6 encryption. But I thought you should know that simply upgrading the pool isn't sufficient to allow access to an old disk encrypted under 1.9.4.

Thank you again for all your work and advice.
Sharko
 
Posts: 230
Joined: Thu May 12, 2016 12:19 pm

Re: Problems with 2.1.6rc4 working with native encrypt datas

Postby lundman » Fri Nov 04, 2022 6:39 pm

OK, so maybe needs a bit extra code for 1.9.4, I'll aim for RC5
lundman
 
Posts: 1335
Joined: Thu Mar 06, 2014 2:05 pm
Location: Tokyo, Japan

Re: Problems with 2.1.6rc4 working with native encrypt datas

Postby lundman » Sun Nov 06, 2022 4:36 pm

Having issues replicating this, I installed 1.9.4, created a pool:

Code:
# which zfs
/usr/local/bin/zfs
# zfs create -o encryption=aes-256-ccm -o keyformat=passphrase pool-1.9.4/ccm
Enter passphrase:
Re-enter passphrase:
# zfs create -o encryption=aes-256-gcm -o keyformat=passphrase pool-1.9.4/gcm
Enter passphrase:
Re-enter passphrase:
# cp libtool /Volumes/pool-1.9.4/ccm/
# cp libtool /Volumes/pool-1.9.4/gcm/
# md5 libtool
MD5 (libtool) = 37330f9801af7d5d995075188164f123
# zpool export -a


Then, installed rc4:
Code:
# which zfs
/usr/local/zfs/bin/zfs

# zpool import -ld ~/ pool-1.9.4                 
as well as
# zpool import -d ~/ pool-1.9.4                 
# zfs mount -l pool-1.9.4/ccm
as well as
# zfs key-load pool-1.9.4/gcm
# zfs mount pool-1.9.4/gcm


# zfs mount
pool-1.9.4                      /Volumes/pool-1.9.4
pool-1.9.4/ccm                  /Volumes/pool-1.9.4/ccm
pool-1.9.4/gcm                  /Volumes/pool-1.9.4/gcm

MD5 (/Volumes/pool-1.9.4/ccm/libtool) = 37330f9801af7d5d995075188164f123
MD5 (/Volumes/pool-1.9.4/gcm/libtool) = 37330f9801af7d5d995075188164f123


Code:
# cp ~lundman/src/zfs/disk-1.9.4.img ~lundman/disk.img
# zpool import -d ~/ pool-1.9.4
# zpool upgrade pool-1.9.4
This system supports ZFS pool feature flags.

Enabled the following features on 'pool-1.9.4':
  userobj_accounting
  project_quota
  redaction_bookmarks
  redacted_datasets
  bookmark_written
  log_spacemap
  livelist
  device_rebuild
  zstd_compress
  draid
  zilsaxattr
  head_errlog
  blake3

# zfs mount -l pool-1.9.4/ccm
Enter passphrase for 'pool-1.9.4/ccm':

# zfs mount -l pool-1.9.4/gcm
Enter passphrase for 'pool-1.9.4/gcm':

# zfs mount                 
pool-1.9.4                      /Volumes/pool-1.9.4
pool-1.9.4/ccm                  /Volumes/pool-1.9.4/ccm
pool-1.9.4/gcm                  /Volumes/pool-1.9.4/gcm

# md5 /Volumes/pool-1.9.4/?cm/libtool         
MD5 (/Volumes/pool-1.9.4/ccm/libtool) = 37330f9801af7d5d995075188164f123
MD5 (/Volumes/pool-1.9.4/gcm/libtool) = 37330f9801af7d5d995075188164f123

# zpool version
zfs-macOS-2.1.6-9_g516e3c7a5
zfs-kmod-2.1.6-12_gfba35a40b


Everything appears to work as expected in Finder.
lundman
 
Posts: 1335
Joined: Thu Mar 06, 2014 2:05 pm
Location: Tokyo, Japan

Re: Problems with 2.1.6rc4 working with native encrypt datas

Postby Sharko » Tue Nov 08, 2022 6:42 am

I'll pull up the history on that other pool this evening, and see if maybe it was created/encrypted under an even earlier version, and only used most recently under 1.9.4. Thanks for checking, though, at least pools under 1.9.4 work after upgrade.

That would make this a pretty rare edge case if so.

Kurt
Sharko
 
Posts: 230
Joined: Thu May 12, 2016 12:19 pm

Re: Problems with 2.1.6rc4 working with native encrypt datas

Postby lundman » Tue Nov 08, 2022 3:37 pm

Hmm, could be that one of the 2.0.x releases changes it; that could be worth checking.
lundman
 
Posts: 1335
Joined: Thu Mar 06, 2014 2:05 pm
Location: Tokyo, Japan

