I have a pool with a dataset encrypted with encfs on an older Linux (16.04). Back then ZFS did not have native encryption. I want to migrate this dataset to one with ZFS encryption on the same pool. I moved the disks to new hardware running TrueNAS Core 12.0-U2.1 and I'm having quite a challenge getting encfs to work in a jail (as apparently that's the only possible way).
What I did so far:
Researching the topic I found that in the past, it was indeed not possible to run encfs in a TrueNAS (FreeNAS) jail because it has to be jail-friendly.
Sure enough, lsvfs seems to say it is jail-friendly:
The documentation says I need to set enforce_statfs to a value lower than 2, but I have no idea where to set this.
So I think it should work, but I am just missing something. Either it's that enforce_statfs which I cannot find, or some other parameter.
I also looked at jail_zfs and jail_zfs_dataset, but that attempted to create a dataset with the same path/name that I am trying to decrypt, so I think that is to give the jail a dedicated zfs dataset, not an existing one to manage.
I also upgrade the pool in the hopes I would get access to some zfs permissions but that was a false path which became obvious when I saw I can't even mount a new empty folder with encfs in the jail.
Ultimately, what I am looking for is to migrate the data from the encfs-encrypted zfs dataset to a ZFS-encrypted dataset. If there is a better option to do this I'm willing to learn and try, otherwise, I might have to boot up a Linux machine to do the transfer.
P.S. all threads I found mentioning encfs are quite dated from the TrueNAS 11 days.
What I did so far:
- Imported the pool and the dataset and all is good there
- Create a 12.2-RELEASE-p5 jail (latest version) with allow_mount, allow_mount_fusefs, and allow_mount_zfs (probably not needed)
- Installed encfs in the jail
- When I attempt to mount an encfs file system (even brand new one) I get: mount_fusefs: /dev/fuse on /media/dest: Operation not permitted.
- I get this error if I try to mount an empty folder or the ZFS dataset mounted in the jail
Researching the topic I found that in the past, it was indeed not possible to run encfs in a TrueNAS (FreeNAS) jail because it has to be jail-friendly.
Sure enough, lsvfs seems to say it is jail-friendly:
Code:
# lsvfs Filesystem Num Refs Flags -------------------------------- ---------- ----- --------------- unionfs 0x00000041 0 loopback zfs 0x000000de 31 jail, delegated-administration fdescfs 0x00000059 2 synthetic, jail cd9660 0x000000bd 0 read-only devfs 0x00000071 2 synthetic, jail tmpfs 0x00000087 3 jail nfs 0x0000003a 0 network msdosfs 0x00000032 0 nullfs 0x00000029 1 loopback, jail ufs 0x00000035 0 procfs 0x00000002 0 synthetic, jail fusefs 0x000000ed 0 synthetic, jail
The documentation says I need to set enforce_statfs to a value lower than 2, but I have no idea where to set this.
So I think it should work, but I am just missing something. Either it's that enforce_statfs which I cannot find, or some other parameter.
I also looked at jail_zfs and jail_zfs_dataset, but that attempted to create a dataset with the same path/name that I am trying to decrypt, so I think that is to give the jail a dedicated zfs dataset, not an existing one to manage.
I also upgrade the pool in the hopes I would get access to some zfs permissions but that was a false path which became obvious when I saw I can't even mount a new empty folder with encfs in the jail.
Ultimately, what I am looking for is to migrate the data from the encfs-encrypted zfs dataset to a ZFS-encrypted dataset. If there is a better option to do this I'm willing to learn and try, otherwise, I might have to boot up a Linux machine to do the transfer.
P.S. all threads I found mentioning encfs are quite dated from the TrueNAS 11 days.