Migrating from GELI to Native ZFS Encryption

TempleHasFallen

Dabbler
Joined
Jan 27, 2022
Messages
34
Hello,

I'm looking to migrate a whole pool (raidz2) to a new set of disks (also raidz2) and retain the full configuration (shares, datasets, permissions). Re-doing permissions for all the datasets is not an option. Downtime also has to be kept to a bare minimum.

Previously, I was able to halt all services, zfs send+receive a snapshot of the pool and then unmount, rename the datasets and remount.

However, since my old pool is GELI encrypted and the new one is native ZFS, I am receiving the following error:

Code:
zfs send -Rv current@expansion | zfs receive -Fv temp
cannot receive new filesystem stream: zfs receive -F cannot be used to destroy an encrypted filesystem or overwrite an unencrypted one with an encrypted one


If I am to do this per dataset, the datasets will carry over as such:

Code:
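#!/bin/bash
# Send each dataset's @migrate snapshot (recursively, with properties) to the temp pool.
# The list is space-separated; with commas the loop would run once on a single literal string.
for value in dataset1 dataset2 dataset3
do
    zfs send -Rv "current/$value@migrate" | zfs receive -v "temp/$value"
done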





What is the correct way to move all datasets to a new pool while changing encryption and retaining permissions?
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
ZFS replication is going to replicate the encrypted property too (and from a zfs perspective, your current pool isn't encrypted), so you're going to need to do it another way like with rsync (using the -a option to cover permissions).

Clearly you need to go ahead of yourself and create all the datasets you want first (or rsync will create subdirectories instead).
 

TempleHasFallen

Is there no way to replicate without replicating all properties or omitting specific ones?
 

sretalla

Maybe some of the answer is in this thread:
 

Samuel Tai

Never underestimate your own stupidity
Moderator
Joined
Apr 24, 2020
Messages
5,399
Alternatively, you could use @Patrick M. Hausen's post on removing GELI encryption before reimplementing your datasets as ZFS-encrypted datasets:

 

TempleHasFallen

Thank you everyone for your assistance & replies.

As per this reply there is a way to omit the encryption when using replication, which I tested and seems to be having exactly the intended effect:

Code:
zfs send -R -v current/dataset@migrate | zfs receive -v -F -x encryption new/dataset


With the key being -x encryption to omit the encryption of the source pool.
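
Added example, not part of the original thread: because `-x encryption` excludes the property from the stream, each received dataset takes its encryption setting from the destination parent, so it is worth auditing the result. This script flags datasets that ended up unencrypted or locked; the function names are made up for illustration, the pool names follow the thread, and the sample `zfs get` output is constructed.

```shell
#!/bin/sh
# Audit encryption state after a `zfs receive -x encryption` migration.
# Input: tab-separated lines (name, property, value) as produced by
#   zfs get -H -r -t filesystem,volume -o name,property,value encryption,keystatus POOL...

# audit_encryption: read `zfs get -H` output on stdin.
# Prints "PLAINTEXT <dataset>" for encryption=off and "LOCKED <dataset>"
# for keystatus=unavailable. Exits non-zero if any dataset is plaintext.
audit_encryption() {
    awk -F '\t' '
        $2 == "encryption" && $3 == "off"         { print "PLAINTEXT " $1; bad = 1 }
        $2 == "keystatus"  && $3 == "unavailable" { print "LOCKED " $1 }
        END { exit bad + 0 }
    '
}

# audit_live: run the audit against real pools (requires zfs; not called here).
audit_live() {
    zfs get -H -r -t filesystem,volume -o name,property,value \
        encryption,keystatus "$@" | audit_encryption
}

# sample_zfs_get: constructed sample output, not taken from the thread.
# "new" is an encrypted destination; "temp" stands for an unencrypted one.
sample_zfs_get() {
    printf '%s\t%s\t%s\n' \
        new           encryption aes-256-gcm \
        new           keystatus  available \
        new/dataset1  encryption aes-256-gcm \
        new/dataset1  keystatus  available \
        new/dataset2  encryption aes-256-gcm \
        new/dataset2  keystatus  unavailable \
        temp/dataset1 encryption off \
        temp/dataset1 keystatus  -
}

# Demo on the constructed sample.
sample_zfs_get | audit_encryption || echo "audit failed: plaintext datasets found"
```

On a live system, `audit_live new` runs the same check against the destination pool before the old pool is retired.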
 