Migration & Replication from and to encrypted datasets

[Johan H]

Running TrueNAS-13.0-U5.3 CORE on two servers.

Server1 is originally a FreeNAS, regularly updated during the years and therefore now a TrueNAS.
I have been using GELI encryption on the disks since the time of FreeNAS.

Server2 is completely newly installed.
Using a pool that is Passphrase-encrypted on the root dataset "Data4" and the child datasets under "Data4" would inherit the encryption from the parent.
Datasets created under Data4 does inherit the encryption.

I'm moving all my data from Server1 to Server2, using a run-once Replication task.

When doing a test, Replication of Server1/Data1/Temporary to Server2/Data4/Temporary, the task will complete, but I got this message on Server2:
"The following datasets are not encrypted but are within an encrypted dataset: 'Data4/temporary' which is not supported behaviour and may lead to various issues."
I also have an locked padlock on that replicated dataset on Server2.

Any idea why the dataset "temporary" did not enherit the encryption from it's parent Data4?
Isn't it possbile to do a Replication this way, to an encrypted dataset?

 

[winnielinnie]

Any idea why the dataset "temporary" did not enherit the encryption from it's parent Data4?
Isn't it possbile to do a Replication this way, to an encrypted dataset?

It is, but I'm not sure about the right combination of settings if you use the GUI.

In the command-line, the flag you need to use on the receiving side ("zfs recv") is -x encryption

This will ignore the encryption property (or lack thereof) from the source dataset, and inherit the encryption of the parent on the destination side.

* This cannot be done to an existing dataset on the destination. So you'll have to start all over again.

 

[Johan H]

Thanks for some pointers!

I think it's working now, after adjusting trough the GUI and "Advanced" mode in the Replication task, unchecking "Include dataset properties" seems to may have solved the issue.

Will do some more testing.

 

[winnielinnie]

unchecking "Include dataset properties" seems to may have solved the issue.

Keep in mind this also affects other dataset properties besides encryption. So make sure that the parent (on the destination) has inheritable properties that you desire for the newly migrated dataset.

 

[Johan H]

Keep in mind this also affects other dataset properties besides encryption. So make sure that the parent (on the destination) has inheritable properties that you desire for the newly migrated dataset.

Even if the "Include dataset properties" is unchecked, replicating the Server1/Data1/Temporary to Server2/Data4/Temporary, the dataset on Server2 manually created Temporary, will get it's properties of Case Sensitivity changed from "Insensitive" to "Sensitive", when the Replication is done.
So it seems like properties are still being included and transferred...

I have always had the Case Sensitivity set to "Sensitive" on the old datasets at Server1, as it was default and I didn't understand the meaning of it then.
I'm running only CIFS/SMB shares to Windows systems, so when I create new datasets today, they are set to Insensitive.
I don't know if it really matters, that the replicated datasets are Sensitive. I did not have any problems during the years on Server1, that I know of. So I guess I can leave it that way.
Searching the forum for the Sensitive vs Insensitive and Windows shares, it really not clear what the consequences are to use a dataset with sensitive settings, with a Windows share. If any? It's not clear.