@winnielinnie
Thank you for your guides and explanations
I am using the subroot dataset trick successfully for Replication Tasks of zfs native encrypted pools
Replication task exp:
- source: mainpool/tank (zfs native encrypted, inheritance enabled)
- target: offsitepool/tank
- recursive replication
- we want to preserve the properties: check it (will force a raw send with source encryption. Currently, zfs has no implementation to send all properties except the encryption so that we can apply a custom encryption on target while preserving other properties of the dataset)
I noticed the following things:
- offsitepool must be encrypted else replication task fails. I used the same encryption key as source pool (optional)
- the dataset 'tank' must not exist on target offsitepool. It will be created by the replication task, else replication task fails
- after replication, we can unlock the target dataset 'tank' using same key as source
- we can change the target dataset 'tank' encryption and make it inherit from offsitepool
- we can change the encryption of offsitepool to use a passphrase instead of a key
- we now lock the target offsitepool
- now, if we run the replication task again (incremental), the target datasets will revert to the same encryption key as the source, even though only incremental snapshots were sent!
That last step is really strange. Is it expected? Is the encryption mode (key vs passphrase) switchable on the fly by a replication task? How can the replication task do this since the target was locked and supposedly cannot be accessed without the passphrase?
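
One way to record exactly which encryption settings a replication run changes on the target, as an added example that is not part of the original post: capture `zfs get -H -r -o name,property,value encryptionroot,keyformat offsitepool` before and after the task and compare the two captures. The function and file names are hypothetical, and the sample captures (including the `hex` value) are constructed to mirror the steps described above.

```shell
#!/bin/sh
# Compare two captures of
#   zfs get -H -r -o name,property,value encryptionroot,keyformat offsitepool
# taken before and after a replication run (tab-separated, one value per line).

# encryption_drift BEFORE_FILE AFTER_FILE
# Prints "dataset<TAB>property<TAB>old -> new" for every changed or new value.
# Returns 1 when anything changed, 0 when the captures agree.
encryption_drift() {
    awk -F '\t' '
        NR == FNR { before[$1 FS $2] = $3; next }   # first file: remember values
        {
            key = $1 FS $2
            if (!(key in before)) {
                printf "%s\t%s\t(new) -> %s\n", $1, $2, $3; drift = 1
            } else if (before[key] != $3) {
                printf "%s\t%s\t%s -> %s\n", $1, $2, before[key], $3; drift = 1
            }
        }
        END { exit drift + 0 }
    ' "$1" "$2"
}

# Constructed sample: target after 'tank' was set to inherit from offsitepool
# and offsitepool was switched to a passphrase.
sample_before() {
    printf '%s\t%s\t%s\n' \
        offsitepool      encryptionroot offsitepool \
        offsitepool      keyformat      passphrase \
        offsitepool/tank encryptionroot offsitepool \
        offsitepool/tank keyformat      passphrase
}

# Constructed sample: target after the next incremental run, with 'tank'
# back on its own key (hex is an assumed key format for the source).
sample_after() {
    printf '%s\t%s\t%s\n' \
        offsitepool      encryptionroot offsitepool \
        offsitepool      keyformat      passphrase \
        offsitepool/tank encryptionroot offsitepool/tank \
        offsitepool/tank keyformat      hex
}

# Demo on the constructed samples.
demo_dir=$(mktemp -d)
sample_before > "$demo_dir/before.tsv"
sample_after  > "$demo_dir/after.tsv"
encryption_drift "$demo_dir/before.tsv" "$demo_dir/after.tsv" || echo "encryption settings changed"
```

On a real system, replace the sample functions with the two `zfs get` captures; a non-zero return from `encryption_drift` is a convenient trigger for an alert after each scheduled run.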