Encryption of existing dataset in ZFS (ZoL 0.8)

encryptionfilesystemszfs

Is it possible to encrypt an existing dataset (including snapshots) in ZFS on Linux >= 0.8, e.g. by using send | recv and destruction of the original dataset?

Best Answer

Yes, it is. See this simple example (tested on ZoL 0.8.3).

If you would like to use a raw keyfile (rather than a passphrase):

dd if=/dev/urandom of=/path/to/keyfile bs=32 count=1
chmod 000 /path/to/keyfile

Create a snapshot first:

zfs snapshot -r tank/home@transfer

Then, as proposed, send | recv (with replication option -R), but provide your encryption options on the receive side:

zfs send -R tank/home@transfer |
    zfs receive \
        -o encryption=aes-256-gcm \
        -o keyformat=raw \
        -o keylocation=file:///path/to/keyfile \
        tank/newhome

If the original dataset is mounted, the new one will not be mounted straightaway:

cannot mount '/tank/home': directory is not empty

Destroy the unencrypted dataset and replace it with your new one:

zfs destroy -r tank/home
zfs rename tank/newhome tank/home

If your dataset does not have any children, mounting is easy:

zfs mount tank/home

else

zfs list -rH -o name tank/home | xargs -L 1 zfs mount

(or simply zfs mount -a if you don’t have other datasets which should not be mounted).

And that was about it!

Finally, destroy the snapshot, if you like:

zfs destroy -r tank/home@transfer

Related Solutions

FreeBSD + ZFS + Encryption? Alternatives? Suggestions

You should be able to use one of the geom providers for encryption with ZFS, but you should encrypt the devices below the ZFS. I'd probably setup geli and then make a gpt partition inside of type freebsd-zfs and then go from there.

I recommend you actually test both solutions (freebsd and linux) and decide based on sys admin time and performance which makes sense for you.

Linux – Unable to zfs send | zfs receive datasets in same zpool

Several things are important here. Your errors stem from combinations of them:

Normally you send a specific snapshot or several snapshots instead of a whole file system. This means you do not need to unmount the datasets and disrupt your users, and you can incrementally send/recv later on.
If you do not specify a snapshot on the source, you will get the automatically generated snapshot @--head--, which is the state of your source at the moment of sending (if you would have sent an existing snapshot, that snapshot would take the place of @--head-- on the destination side).

The send -R | recv -F combination means full replication (recursive and including properties on source, destroy old stuff on destination), so you need to decide how to expand the file system hierarchy: you can use either -e, -d, or no flag on receiving (no flag means merging the contents under the new dataset without preserving the name of the parent dataset on the source side):

The -d and -e options cause the file system name of the target snapshot
to be determined by appending a portion of the sent snapshot's name to
the specified target filesystem.  If the -d option is specified, all
but the first element of the sent snapshot's file system path (usually
the pool name) is used and any required intermediate file systems
within the specified one are created. If the -e option is specified,
then only the last element of the sent snapshot's file system name
(i.e. the name of the source file system itself) is used as the target
file system name.

Your last idea (single send, full receive) should work (I tested it in a simple environment and it did work), but it would not be what you wanted anyway.

So, to sum it up and apply to your specific situation:

First recursively create a current snapshot or choose an older one that contains all the older stuff you want to replicate):
```
zfs snapshot -r zfs/staging.assets@now
```
Destroy any old snapshots on the destination side which are on the source side (show all snapshots with zfs list -Hr -o name -t snap zfs/choang.assets or take the hints from the error message). Alternatively destroy the destination dataset and recreate it if it does not contain anything of importance.
Send recursively and fully receive, destroying all old datasets on the second dataset, merging the sub-datasets into the destination so that they mirror the source:
```
zfs send -R zfs/staging.assets@now | zfs recv -Fu zfs/choang.assets
```

Best Answer

Related Solutions

FreeBSD + ZFS + Encryption? Alternatives? Suggestions

Linux – Unable to zfs send | zfs receive datasets in same zpool

Related Question