Hello,
I'm currently struggling with the new TrueNAS encryption and the subsequent replication for backup purposes.
My plan is to use an encrypted pool with all datasets encrypted on my TrueNAS server. This storage should be replicated to external HDDs for backup purposes, of course encrypted. In a disaster situation the backup pool with all the datasets would be replicated back to the main system. This should be done as simply as possible (replicate from storage to backup and back again with all relevant settings for the datasets). So far so good; it was no problem in FreeNAS with GELI encryption: create 2 encrypted storages, all data in these storages is encrypted, and replication works transparently regarding encryption.
I built a new storage called "storage" in TrueNAS with the new encryption and set a passphrase. Then I created datasets with the encryption option "Inherit (encrypted)" checked. "Storage" appears with a lock symbol, the datasets do not. But the datasets have "encryption options", so they enjoy the same encryption as the parent "storage". OK, fine.
Now I want to set up the replication. Create a new pool called "ext_hdd", encrypted with passphrase.
I'm going to make some tests:
1)
Create a new pool called "ext_hdd", encrypted with passphrase.
Mark one dataset for replication
Recursive: no
Include Dataset Properties: yes (as I understand it, the encryption options are now also saved)
Full Filesystem replication: no
Doesn't work. Error:
"Destination dataset 'ext_hdd' already exists and is it's own encryption root. This configuration is not supported yet. If you want to replicate into an encrypted dataset, please, encrypt it's parent dataset."
This message is confusing. I need to create a dataset. In this case it has encryption, yes. This config is not supported: hm, would it probably be better to use the "old" GELI before implementing a new, unready encryption system?!
"If you want to replicate into an encrypted dataset, please, encrypt it's parent dataset": I have no idea what this message wants to tell me. I replicate into the pool root. There's no parent I can encrypt.
2)
OK, next test:
Create a new pool called "ext_hdd", NOT encrypted.
Mark one dataset for replication
Recursive: no
Include Dataset Properties: yes
Full Filesystem replication: no
Doesn't work. Error:
"Unable to send encrypted dataset 'Storage/temp' to existing unencrypted or unrelated dataset 'ext_hdd'."
3)
OK, go back to encrypted ext_hdd with passphrase.
Mark one dataset for replication
Recursive: no
Include Dataset Properties: no
Full Filesystem replication: no
Destination dataset 'ext_hdd' already exists and is it's own encryption root. This configuration is not supported yet. If you want to replicate into an encrypted dataset, please, encrypt it's parent dataset.
Same Error as in 1)
4)
OK, still encrypted ext_hdd with passphrase, but I mark the whole "storage" for replication.
Mark the whole "storage" with all datasets for replication
Recursive: yes
Include Dataset Properties: yes
Full Filesystem replication: no
Replication works. But every single dataset has its own lock symbol. To unlock them I need to enter the passphrase in every single dataset?! This can't be the right way...
5)
In another test (I currently can't reproduce it) the result was: ext_hdd had a lock symbol and all the replicated datasets too. I then had to enter the passphrase into all the datasets one by one. That was for sure not correct either. Apart from what happens if I replicate it back in a disaster situation...
I have no ideas anymore :(
What am I doing wrong? Is this that difficult? Do I misunderstand something?
I would be very glad to get some help setting it up.
Thanks!
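The two error messages quoted in the post both turn on the ZFS `encryptionroot` property of the destination: a destination that exists and is its own encryption root, or one that is not encrypted at all, is rejected, and the message's hint is to replicate into a dataset that inherits encryption from an encrypted parent. The script below is an added example, not code from the post or from TrueNAS: it parses `zfs get -H -o name,property,value encryption,encryptionroot` output (a constructed sample modelled on the pools named above, plus a hypothetical unencrypted pool `plain_hdd`), lists which datasets are their own encryption root (each of those needs a separate unlock, which is what the per-dataset lock symbols in test 4 indicate), and applies only the two conditions the quoted errors state to a proposed source/destination pair. The rules mirror the messages, not TrueNAS's own replication code.

```python
# Added example (not from the original post or from TrueNAS): a small checker
# that reads `zfs get` output and applies the two rules the quoted errors state.
from __future__ import annotations

# Constructed sample output of
#   zfs get -H -o name,property,value encryption,encryptionroot
# modelled on the pools in the post: "storage" (source), "ext_hdd" (encrypted
# backup pool) and a hypothetical unencrypted pool "plain_hdd".
# "ext_hdd/temp" is its own encryption root, as the datasets in test 4 were.
SAMPLE_ZFS_GET = """\
storage\tencryption\taes-256-gcm
storage\tencryptionroot\tstorage
storage/temp\tencryption\taes-256-gcm
storage/temp\tencryptionroot\tstorage
ext_hdd\tencryption\taes-256-gcm
ext_hdd\tencryptionroot\text_hdd
ext_hdd/backup\tencryption\taes-256-gcm
ext_hdd/backup\tencryptionroot\text_hdd
ext_hdd/temp\tencryption\taes-256-gcm
ext_hdd/temp\tencryptionroot\text_hdd/temp
plain_hdd\tencryption\toff
plain_hdd\tencryptionroot\t-
"""


def parse_zfs_get(text: str) -> dict[str, dict[str, str]]:
    """Turn tab-separated `zfs get -H` lines into {dataset: {property: value}}."""
    props: dict[str, dict[str, str]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, prop, value = line.split("\t")
        props.setdefault(name, {})[prop] = value
    return props


def is_encrypted(props: dict[str, dict[str, str]], dataset: str) -> bool:
    return props[dataset].get("encryption", "off") != "off"


def parent_of(dataset: str) -> str | None:
    """'ext_hdd/backup' -> 'ext_hdd'; a pool root has no parent."""
    return dataset.rsplit("/", 1)[0] if "/" in dataset else None


def separate_unlocks(props: dict[str, dict[str, str]]) -> list[str]:
    """Datasets that are their own encryption root. Each one holds its own
    wrapping key, so each must be unlocked separately (one passphrase prompt
    per dataset, as seen in test 4)."""
    return sorted(ds for ds, p in props.items()
                  if p.get("encryption", "off") != "off"
                  and p.get("encryptionroot") == ds)


def check_destination(props: dict[str, dict[str, str]],
                      source: str, dest: str) -> tuple[bool, str]:
    """Apply the two conditions named by the TrueNAS errors quoted in the post.
    Returns (ok, reason). Mirrors the messages only, not TrueNAS's own logic."""
    if not is_encrypted(props, source):
        return True, f"'{source}' is not encrypted; no encryption constraint on '{dest}'"
    if dest not in props:
        # Destination will be created: it must land below an encrypted parent
        # so it can inherit that parent's encryption root.
        parent = parent_of(dest)
        if parent is not None and parent in props and is_encrypted(props, parent):
            return True, f"'{dest}' will be created below encrypted parent '{parent}'"
        return False, f"'{dest}' does not exist and has no encrypted parent to inherit from"
    if not is_encrypted(props, dest):
        return False, (f"Unable to send encrypted dataset '{source}' to existing "
                       f"unencrypted or unrelated dataset '{dest}'")
    root = props[dest]["encryptionroot"]
    if root == dest:
        return False, (f"Destination dataset '{dest}' already exists and is its own "
                       f"encryption root; replicate into a child of an encrypted parent instead")
    return True, f"'{dest}' inherits encryption from '{root}'"


if __name__ == "__main__":
    P = parse_zfs_get(SAMPLE_ZFS_GET)
    print("datasets needing a separate unlock:", separate_unlocks(P))
    for target in ("ext_hdd", "plain_hdd", "ext_hdd/backup", "ext_hdd/temp_backup"):
        ok, why = check_destination(P, "storage/temp", target)
        print(f"{'OK  ' if ok else 'FAIL'} storage/temp -> {target}: {why}")
```

Running it against the sample reproduces tests 1 to 3: `ext_hdd` is refused because it is its own encryption root, `plain_hdd` because it is unencrypted, while a not-yet-existing child such as `ext_hdd/temp_backup` passes because its parent is encrypted. On a real system the same `zfs get` command run on the backup pool shows directly which replicated datasets became their own encryption roots and therefore each ask for a passphrase.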