Chris Tobey
Contributor
- Joined
- Feb 11, 2014
- Messages
- 114
Hi everyone,
I have some questions about migrating my 11.x GELI encrypted pool to a new 12.x encrypted pool. I played with this a bit, and I know some of the features are not there yet, but want to get some advice and clarify things a bit. For reference I am mostly following this: https://www.truenas.com/docs/hub/initial-setup/storage/encryption/
Setup:
zpool-A is a GELI encrypted pool with two datasets {mydata, iocage}.
zpool-B is a new pool that I can do whatever required with.
I want both mydata and iocage (or at least the jails) to be encrypted, so that after a power cycle they are unusable until the key is given.
I have tried creating an unencrypted zpool-B and then copying mydata over with dataset encryption, but the replication commands do not seem to like recursive operations or intermediate snapshots, and I am not sure that copying the jail would work well this way.
So I tried again, destroyed zpool-B, re-created it with full pool encryption, then replicated the datasets without encryption, and this was much nicer.
BUT - is my data actually encrypted? If I reboot, zpool-B is locked and not mounted, and I cannot see the datasets on it, once unlocked I can see them. Are the data blocks stored on disk actually encrypted if zpool-B has encryption but the child dataset does not?
Is there something better I can be doing? Is there something I should not be doing?
I have some questions about migrating my 11.x GELI encrypted pool to a new 12.x encrypted pool. I played with this a bit, and I know some of the features are not there yet, but want to get some advice and clarify things a bit. For reference I am mostly following this: https://www.truenas.com/docs/hub/initial-setup/storage/encryption/
Setup:
zpool-A is a GELI encrypted pool with two datasets {mydata, iocage}.
zpool-B is a new pool that I can do whatever required with.
I want both mydata and iocage (or at least the jails) to be encrypted, so that after a power cycle they are unusable until the key is given.
I have tried creating an unencrypted zpool-B and then copying mydata over with dataset encryption, but the replication commands do not seem to like recursive operations or intermediate snapshots, and I am not sure that copying the jail would work well this way.
# zfs send -v zpool-A/mydata@migration | zfs recv -o encryption=on -o keyformat=passphrase -o keylocation=file:///tmp/pass zpool-B/mydata
So I tried again, destroyed zpool-B, re-created it with full pool encryption, then replicated the datasets without encryption, and this was much nicer.
# zfs send -Rv zpool-A/mydata@migration | zfs recv zpool-B/mydata
BUT - is my data actually encrypted? If I reboot, zpool-B is locked and not mounted, and I cannot see the datasets on it, once unlocked I can see them. Are the data blocks stored on disk actually encrypted if zpool-B has encryption but the child dataset does not?
Is there something better I can be doing? Is there something I should not be doing?