EncFS in TrueNAS Core 12.0-U2.1

[alecz]

I have a pool with a dataset encrypted with encfs on an older Linux (16.04). Back then ZFS did not have native encryption. I want to migrate this dataset to one with ZFS encryption on the same pool. I moved the disks to new hardware running TrueNAS Core 12.0-U2.1 and I'm having quite a challenge getting encfs to work in a jail (as apparently that's the only possible way).

What I did so far:

1. Imported the pool and the dataset and all is good there
2. Create a 12.2-RELEASE-p5 jail (latest version) with allow_mount, allow_mount_fusefs, and allow_mount_zfs (probably not needed)
3. Installed encfs in the jail
4. When I attempt to mount an encfs file system (even brand new one) I get: mount_fusefs: /dev/fuse on /media/dest: Operation not permitted.
5. I get this error if I try to mount an empty folder or the ZFS dataset mounted in the jail

Troubleshooting done:
Researching the topic I found that in the past, it was indeed not possible to run encfs in a TrueNAS (FreeNAS) jail because it has to be jail-friendly.
Sure enough, lsvfs seems to say it is jail-friendly:

Code:

# lsvfs
Filesystem                              Num  Refs  Flags
-------------------------------- ---------- -----  ---------------
unionfs                          0x00000041     0  loopback
zfs                              0x000000de    31  jail, delegated-administration
fdescfs                          0x00000059     2  synthetic, jail
cd9660                           0x000000bd     0  read-only
devfs                            0x00000071     2  synthetic, jail
tmpfs                            0x00000087     3  jail
nfs                              0x0000003a     0  network
msdosfs                          0x00000032     0
nullfs                           0x00000029     1  loopback, jail
ufs                              0x00000035     0
procfs                           0x00000002     0  synthetic, jail
fusefs                           0x000000ed     0  synthetic, jail

The documentation says I need to set enforce_statfs to a value lower than 2, but I have no idea where to set this.

So I think it should work, but I am just missing something. Either it's that enforce_statfs which I cannot find, or some other parameter.
I also looked at jail_zfs and jail_zfs_dataset, but that attempted to create a dataset with the same path/name that I am trying to decrypt, so I think that is to give the jail a dedicated zfs dataset, not an existing one to manage.

I also upgrade the pool in the hopes I would get access to some zfs permissions but that was a false path which became obvious when I saw I can't even mount a new empty folder with encfs in the jail.

Ultimately, what I am looking for is to migrate the data from the encfs-encrypted zfs dataset to a ZFS-encrypted dataset. If there is a better option to do this I'm willing to learn and try, otherwise, I might have to boot up a Linux machine to do the transfer.

P.S. all threads I found mentioning encfs are quite dated from the TrueNAS 11 days.

 

[dywy]

Perhaps your issue was solved already, but the following might help others.
I went through a similar journey trying to get rclone to work but fusefs would refuse
Ended-up adding "enforce_statfs": 1 to the config.json file for that particular jail as per here.
Could be that I missed something somewhere and there's a way to do it through the web GUI which would probably be a better idea.
If there's better (GUI) way, perhaps someone else could chime-in.

 

[alecz]

Thanks for the reply. I ended up booting an Ubuntu 21.04 Live USB where mounting both the ZFS and the Encfs folder is straight-forward and copied the data from the encfs folder to the encrypted ZFS dataset.

Maybe your solution will help others though.