Process of encrypting pool by replicating data?

runevn

Explorer
Joined
Apr 4, 2019
Messages
63
I want to add encryption to my unencrypted storage pool. My question is: how do I do it?

I have read that I can't encrypt an existing pool (or that it is not supported), so that's not an option for me.

I have a backup TrueNAS SCALE system running a replication task of my primary TrueNAS CORE device. So, my question is how should I do this process?

These are the steps I have considered, but please let me know if there is a better way:
  1. Export/Take the disks from the backup system and put them in my primary system
  2. Delete my unencrypted main storage pool on my primary system
  3. Create a new encrypted storage pool
  4. Replicate the unencrypted backup datasets to the new encrypted main storage pool.
I have the following questions:
  • If I carry out this process will this preserve file permissions and SMB/NFS shares?
  • Can I replicate unencrypted child datasets to an encrypted pool for dataset encryption?
  • My backup pool and dataset are on a TrueNAS SCALE device and my primary system is a TrueNAS CORE system. Could this create any issues? Or should I upgrade my CORE system to SCALE before this process?
  • Is it better to just leave the backup disk in the backup device and replicate through 1G ethernet?
  • Is there a CLI command that could replicate the datasets 1:1 instead of the hassle of setting up a replication task in the GUI?
 

Arwen

MVP
Joined
May 17, 2014
Messages
3,611
The easiest way to do it is to create a new, encrypted dataset and move the files over. If you have space, you can perform ZFS replication using Send & Receive.

In general, encrypting the entire pool is not needed. Simply create a new ZFS dataset that is encrypted, and put all your sensitive data there. If needed or wanted, create sub-datasets beneath that encrypted top dataset.

As for ZFS replication from the command line, it can be tricky to get the syntax right. I use something like this to replicate my Linux OS (on ZFS root) to alternate media, both for backup and in case of recovery:

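# Take a recursive snapshot of the source pool
zfs snapshot -r POOL@SNAP
# Send the full replication stream and receive it into the new pool, unmounted
zfs send -Rpv POOL@SNAP | zfs receive -dFu NEW_POOL
# Remove the temporary snapshot from both pools
zfs destroy -rv POOL@SNAP
zfs destroy -rv NEW_POOL@SNAP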

But that copies the entire pool, so there are tricks you have to do to skip the new encryption dataset. I don't have them handy.


As for maintaining SMB/NFS file permissions, I doubt a simple move would do it. The ZFS Send & Receive would preserve some of it. Just have to rename datasets back to the original name.
 

runevn

Explorer
Joined
Apr 4, 2019
Messages
63
Thanks!

I will move the disks over in my primary system and replicate the datasets.

Just another question: On my backup system and in my backup dataset there is a .system dataset. Should I leave this alone when replicating to my primary system? I can't see the .system dataset on my primary system. Is it a TrueNAS Scale type of dataset?

 
Joined
Oct 22, 2019
Messages
3,641
Skip this.

This special dataset should not be replaced / deleted on a running TrueNAS server.

It's the "System Dataset". The reason you don't see it listed on your TrueNAS Core GUI is because they hid it from the GUI. For SCALE, I guess they decided to make it visible.

You can still see it in Core like this:
Code:
zfs list -t filesystem -r mypool/.system
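
The two skips discussed in this thread (the new encrypted dataset itself and the `.system` dataset), as an added example that is not from any poster or from TrueNAS: a dry-run planner that prints one send/receive pipeline per top-level dataset and executes nothing. The names `tank`, `tank/secure` and `migrate` are hypothetical, and the sketch assumes the encrypted destination dataset already exists with its key loaded.

```shell
#!/bin/sh
# Added example: dry-run planner. It only prints commands, it runs none.
# Names (tank, tank/secure, migrate) are hypothetical placeholders.

# Constructed sample of `zfs list -H -o name -r tank` output.
sample_datasets() {
    printf '%s\n' tank tank/.system tank/.system/cores \
        tank/media tank/media/photos tank/home tank/secure
}

# plan_replication SRC_POOL DST_PARENT SNAP  (dataset names on stdin)
# DST_PARENT is assumed to be an existing encrypted dataset with its key loaded.
plan_replication() {
    src=$1; dst=$2; snap=$3
    echo "zfs snapshot -r ${src}@${snap}"
    while IFS= read -r ds; do
        case $ds in
            "$src"/*) child=${ds#"$src"/} ;;   # keep only datasets below the pool root
            *) continue ;;
        esac
        case $child in
            */*) continue ;;       # deeper levels travel with their parent via -R
            .system) continue ;;   # TrueNAS system dataset: leave it alone
        esac
        case $dst in
            "$ds"|"$ds"/*) continue ;;   # never send the destination into itself
        esac
        # -x encryption drops the stream's encryption property, so the new
        # dataset inherits encryption from DST_PARENT; -u leaves it unmounted.
        echo "zfs send -Rv ${ds}@${snap} | zfs receive -u -x encryption ${dst}/${child}"
    done
    # Check afterwards: every received dataset should report a cipher, not "off".
    echo "zfs get -r -H -o name,property,value encryption,encryptionroot ${dst}"
}

sample_datasets | plan_replication tank tank/secure migrate
```

Review the printed plan before running any of it, and feed the function the real `zfs list -H -o name -r` output of the source pool in place of the constructed sample.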
 

runevn

Explorer
Joined
Apr 4, 2019
Messages
63
Thanks for the answer.
 

runevn

Explorer
Joined
Apr 4, 2019
Messages
63
Status - I've successfully replicated and encrypted the datasets. So far, so good.

Now, I somehow accidentally deleted the SMB shares incl. my home share. The other shares I can manually recreate, but I can't recreate the home share. What am I doing wrong?
 
Joined
Oct 22, 2019
Messages
3,641
Isn't that a special reserved path when you enable the "Use as Home Share" option?

That particular option can only be used on one SMB share.
 

runevn

Explorer
Joined
Apr 4, 2019
Messages
63
I found the solution. To make it possible to select the "Use as Home Share" radio button I had to set the "Purpose" to None.
 