wordpress meta
title: 'ZFS Send To Encrypted Volume'
date: '2020-12-22T10:14:47-06:00'
status: publish
permalink: /zfs-send-to-encrypted-volume
author: admin
excerpt: ''
type: post
id: 1700
category:
- ZFS
tag: []
post_format: []
Replication from an unencrypted dataset to an encrypted dataset
This is a POC of ZFS replication (send/recv) from a server with unencrypted datasets to another server with encrypted datasets. An old laptop holding the encrypted datasets is the target. (The datasets here are filesystems with mountpoints, not block-device zvols; send/recv works the same way for both.)
On the target I first seeded the data by replicating some large datasets I already had from an earlier test into an encrypted dataset (TANK/ENCRYPTED).
WARNING:
- saving the encryption key on the file system is not safe: anyone who can read that file, or image the disk it sits on, can unlock the data
- losing your encryption key means losing your data permanently
- these are plain (non-raw) sends from an unencrypted source: the stream itself is plaintext and the data is encrypted only when the target writes it, so the target must hold the key, and the transport is protected by ssh, not by ZFS
Create the encrypted dataset on the target
```bash
zfs create -o encryption=on -o keyformat=passphrase -o keylocation=prompt TANK/ENCRYPTED
Enter passphrase:
Re-enter passphrase:
```
Seed one snapshot of the source DATA dataset as a test
This uses only 4.57G. recv -x encryption makes the receive ignore any encryption property carried in the stream (with send -R below, the stream carries the source's encryption=off), so the new dataset inherits encryption, and therefore the key, from TANK/ENCRYPTED.
```bash
zfs send -v TANK/DATA@2020-12-19_06.45.01--2w | zfs recv -x encryption TANK/ENCRYPTED/DATA
full send of TANK/DATA@2020-12-19_06.45.01--2w estimated size is 4.52G
total estimated size is 4.52G
TIME        SENT   SNAPSHOT TANK/DATA@2020-12-19_06.45.01--2w
08:39:06   34.4M   TANK/DATA@2020-12-19_06.45.01--2w
08:39:07    115M   TANK/DATA@2020-12-19_06.45.01--2w
08:39:08    279M   TANK/DATA@2020-12-19_06.45.01--2w
...
08:40:49   4.52G   TANK/DATA@2020-12-19_06.45.01--2w
08:40:50   4.54G   TANK/DATA@2020-12-19_06.45.01--2w

zfs list TANK/ENCRYPTED/DATA
NAME                  USED  AVAIL  REFER  MOUNTPOINT
TANK/ENCRYPTED/DATA  4.59G  1017G  4.57G  /TANK/ENCRYPTED/DATA

zfs list -t snapshot TANK/ENCRYPTED/DATA
NAME                                          USED  AVAIL  REFER  MOUNTPOINT
TANK/ENCRYPTED/DATA@2020-12-19_06.45.01--2w  17.4M      -  4.57G  -
```
Seed all snapshots of the source DATA dataset
send -R replicates the dataset with every snapshot; this ends up using 22.9G. Destroying the single-snapshot test copy first fails without -r because the dataset has a snapshot.
```bash
zfs destroy TANK/ENCRYPTED/DATA
cannot destroy 'TANK/ENCRYPTED/DATA': filesystem has children
use '-r' to destroy the following datasets:
TANK/ENCRYPTED/DATA@2020-12-19_06.45.01--2w
zfs destroy -r TANK/ENCRYPTED/DATA

zfs send -R TANK/DATA@2020-12-19_06.45.01--2w | zfs recv -x encryption TANK/ENCRYPTED/DATA

zfs list TANK/ENCRYPTED/DATA
NAME                  USED  AVAIL  REFER  MOUNTPOINT
TANK/ENCRYPTED/DATA  22.9G   999G  4.57G  /TANK/ENCRYPTED/DATA

zfs list -t snapshot TANK/ENCRYPTED/DATA | tail -2
TANK/ENCRYPTED/DATA@2020-12-17_06.45.01--2w  11.2M      -  4.57G  -
TANK/ENCRYPTED/DATA@2020-12-19_06.45.01--2w  11.3M      -  4.57G  -
```
Create the ARCHIVE dataset
Giving the child its own keyformat=passphrase makes TANK/ENCRYPTED/ARCHIVE a separate encryptionroot with its own key, which is why two passphrases have to be loaded later on. Creating the child without the key options would make it inherit the key of TANK/ENCRYPTED instead.
```bash
zfs create -o encryption=on -o keyformat=passphrase -o keylocation=prompt TANK/ENCRYPTED/ARCHIVE
Enter passphrase:
Re-enter passphrase:
```
Seed ARCHIVE/MyDocuments
```bash
zfs send -R TANK/ARCHIVE/MyDocuments@2020-12-18_20.15.01--2w | zfs recv -x encryption TANK/ENCRYPTED/ARCHIVE/MyDocuments
```
Test sending the src dataset from source to target (via ssh)
NOTE: Loading the key manually here. Will try doing it automatically later.
on target:
```bash
zfs destroy TANK/ENCRYPTED/ARCHIVE/src@2020-12-19_20.15.01--2w
```
on source:
```bash
zfs send -i TANK/ARCHIVE/src@2020-12-18_20.15.01--2w TANK/ARCHIVE/src@2020-12-19_20.15.01--2w | ssh rrosso@192.168.1.79 sudo zfs recv -x encryption TANK/ENCRYPTED/ARCHIVE/src
cannot receive incremental stream: inherited key must be loaded
```
The receive is refused because TANK/ENCRYPTED/ARCHIVE/src inherits its key from TANK/ENCRYPTED/ARCHIVE and that key is not loaded on the target. load-key -r loads both encryptionroots under TANK/ENCRYPTED, and the rollback puts the target back on the last common snapshot so the incremental stream applies cleanly.
on target:
```bash
zfs load-key -r TANK/ENCRYPTED
Enter passphrase for 'TANK/ENCRYPTED':
Enter passphrase for 'TANK/ENCRYPTED/ARCHIVE':
2 / 2 key(s) successfully loaded
zfs rollback TANK/ENCRYPTED/ARCHIVE/src@2020-12-18_20.15.01--2w
```
on source:
```bash
zfs send -i TANK/ARCHIVE/src@2020-12-18_20.15.01--2w TANK/ARCHIVE/src@2020-12-19_20.15.01--2w | ssh rrosso@192.168.1.79 sudo zfs recv -x encryption TANK/ENCRYPTED/ARCHIVE/src
```
on target:
```bash
zfs list -t snapshot TANK/ENCRYPTED/ARCHIVE/src | tail -2
TANK/ENCRYPTED/ARCHIVE/src@2020-12-18_20.15.01--2w  1.87M      -   238M  -
TANK/ENCRYPTED/ARCHIVE/src@2020-12-19_20.15.01--2w     0B      -   238M  -
```
Test using a key from a file
NOTE: Do this at your own risk. Key loading should probably be done from a remote KMS or something safer. Also note the listing below: the key file is mode 0644, readable by every local user on the target; at the very least it should be chmod 600. The -L option overrides the key location only for that one load-key call and does not change the property, which is why keylocation still shows prompt afterwards.
on target:
```bash
ls -l .zfs-key
-rw-r--r-- 1 root root 9 Dec 21 12:49 .zfs-key
```
on source:
```bash
ssh rrosso@192.168.1.79 sudo zfs load-key -L file:///root/.zfs-key TANK/ENCRYPTED
ssh rrosso@192.168.1.79 sudo zfs load-key -L file:///root/.zfs-key TANK/ENCRYPTED/ARCHIVE
```
on target:
```bash
zfs get all TANK/ENCRYPTED | egrep "encryption|keylocation|keyformat|encryptionroot|keystatus"
TANK/ENCRYPTED  encryption      aes-256-gcm     -
TANK/ENCRYPTED  keylocation     prompt          local
TANK/ENCRYPTED  keyformat       passphrase      -
TANK/ENCRYPTED  encryptionroot  TANK/ENCRYPTED  -
TANK/ENCRYPTED  keystatus       available       -

zfs get all TANK/ENCRYPTED/ARCHIVE | egrep "encryption|keylocation|keyformat|encryptionroot|keystatus"
TANK/ENCRYPTED/ARCHIVE  encryption      aes-256-gcm             -
TANK/ENCRYPTED/ARCHIVE  keylocation     prompt                  local
TANK/ENCRYPTED/ARCHIVE  keyformat       passphrase              -
TANK/ENCRYPTED/ARCHIVE  encryptionroot  TANK/ENCRYPTED/ARCHIVE  -
TANK/ENCRYPTED/ARCHIVE  keystatus       available               -
```
** now test with my replication (send/recv) script
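As an added example (this is not the post's replication script, which is not shown), here is a minimal push-style replication script in the shape the tests above suggest: it checks keystatus on the target before sending anything, so the "inherited key must be loaded" failure is caught up front; it finds the newest snapshot present on both sides as the incremental base; it rolls the target back to that snapshot the way the post did; and it receives with -x encryption so the data stays under the target's encryptionroot. The dataset names and target address are assumed from the post's test run (override with ZFS_SRC, ZFS_DST, ZFS_TARGET), and passwordless sudo for zfs on the target is assumed as in the post.

```bash
#!/bin/sh
# zfs-enc-repl.sh: push one incremental snapshot of an unencrypted source
# dataset into an encrypted dataset on a remote target, checking first that
# the target's key is loaded. Added example, not the post's own script.
# Names below are assumptions taken from the post's test run.
set -eu

SRC_DS=${ZFS_SRC:-TANK/ARCHIVE/src}
DST_DS=${ZFS_DST:-TANK/ENCRYPTED/ARCHIVE/src}
TARGET=${ZFS_TARGET:-rrosso@192.168.1.79}

# Two ways to run zfs: locally, or on the target over ssh with sudo.
local_zfs()  { zfs "$@"; }
remote_zfs() { ssh "$TARGET" sudo zfs "$@"; }

# keystatus is "available" once the key of the dataset's encryptionroot is
# loaded (an inherited key counts), "unavailable" otherwise.
# usage: key_loaded DATASET RUNNER   (RUNNER = local_zfs | remote_zfs)
key_loaded() {
    ks=$("$2" get -H -o value keystatus "$1")
    [ "$ks" = "available" ]
}

# Snapshot names (the part after '@') of one dataset, oldest first.
# usage: snapshot_names DATASET RUNNER
snapshot_names() {
    "$2" list -H -t snapshot -o name -s creation -d 1 "$1" | sed 's/.*@//'
}

# Newest snapshot that exists on both sides: the only valid base for send -i.
common_snapshot() {
    remote_snaps=$(snapshot_names "$DST_DS" remote_zfs)
    best=
    for s in $(snapshot_names "$SRC_DS" local_zfs); do
        if printf '%s\n' "$remote_snaps" | grep -Fxq -- "$s"; then best=$s; fi
    done
    printf '%s\n' "$best"
}

# Exit codes: 0 sent or already current, 2 key not loaded on the target,
# 3 no common snapshot (seed with a full send -R | recv -x encryption first).
replicate() {
    if ! key_loaded "$DST_DS" remote_zfs; then
        echo "key for $DST_DS is not loaded on $TARGET; run zfs load-key there first" >&2
        return 2
    fi
    base=$(common_snapshot)
    if [ -z "$base" ]; then
        echo "no common snapshot between $SRC_DS and $DST_DS; seed with a full send" >&2
        return 3
    fi
    latest=$(snapshot_names "$SRC_DS" local_zfs | tail -1)
    if [ "$base" = "$latest" ]; then
        echo "$DST_DS already at @$latest"
        return 0
    fi
    # The target must sit exactly at the base snapshot or the receive is
    # refused; roll it back as the post did (this fails if the target has
    # newer snapshots of its own, which is the safe outcome).
    remote_zfs rollback "$DST_DS@$base"
    # -x encryption drops the source's encryption=off from the stream so the
    # received data stays encrypted under the target's encryptionroot.
    local_zfs send -i "$SRC_DS@$base" "$SRC_DS@$latest" \
        | remote_zfs recv -x encryption "$DST_DS"
    echo "sent $SRC_DS@$base..@$latest to $TARGET:$DST_DS"
}

# Run only when invoked as "zfs-enc-repl.sh run"; the functions can also be
# sourced from another script.
if [ "${1:-}" = "run" ]; then
    replicate
fi
```

The key check is the part the post's manual test was missing: with keystatus read first, the script refuses to start a send that the target will reject, instead of streaming data and failing at the end.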