Homelab, Linux, JS & ABAP (~˘▾˘)~
 

[ZFS] Send unencrypted dataset to encrypted pool

I recently added some disks to my TrueNAS server and created a new encrypted pool named data2 on it. My old pool data was created years ago, before the ZFS encryption feature was released, so it is an unencrypted pool. Now I wanted to move a dataset, i.e. photos, to my new pool data2. I tried to achieve this via the TrueNAS GUI using the Replication Task, but always got errors that it’s not possible to send unencrypted data to an encrypted pool.

On Reddit I found a thread with a solution using the parameter -x encryption.

Because I prefer keeping all my snapshots when moving a dataset, I send my oldest snapshot first.

zfs send -v data/photos@manual-01-05-2019 | zfs recv -x encryption data2/photos

In the next step I created a new snapshot and did an incremental send with the parameter -I (send incremental snapshots).

zfs send -v -I data/photos@manual-01-05-2019 data/photos@manual-01-10-2020 | zfs recv -F -x encryption data2/photos

Compare the datasets with zfs diff (see example here) or use the classic diff command to compare the folders:

diff -qr /mnt/data/photos /mnt/data2/photos
#or in background
diff -qr /mnt/data/photos /mnt/data2/photos >> diff.output & disown
#check if process finished with "ps"
less diff.output

Check if all Snapshots were replicated with:

zfs list -t snapshot | grep data2/photos

After that I just changed the path for my NFS photo share and did a sudo mount -a on the clients. Now the whole dataset is moved and encrypted.
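
The two checks this post ends on, combined into one script as an added example (not part of the original post): it reports snapshots that exist on the source but not on the destination, and confirms the destination reports a cipher for `encryption` rather than `off`. The function names and the sample snapshot lists are constructed for illustration.

```sh
#!/bin/sh
# Added example: post-migration check. Function names are hypothetical.

# Print snapshots of dataset $2 (from list $1) that dataset $4 (list $3) lacks.
# Lists are `zfs list -H -t snapshot -o name -r DATASET` output. Matching the
# dataset name exactly skips children and look-alikes such as data2/photos_old.
missing_snapshots() {
    printf '%s\n---\n%s\n' "$3" "$1" | awk -F@ -v src="$2" -v dst="$4" '
        $0 == "---"                          { second = 1; next }
        !second && $1 == dst                 { have[$2] = 1 }
        second && $1 == src && !($2 in have) { print $2 }'
}

# $1 is the output of `zfs get -H -o value encryption DATASET`.
is_encrypted() {
    case "$1" in
        ''|off|-) return 1 ;;
        *)        return 0 ;;
    esac
}

# verify_migration SRC DST SRC_LIST DST_LIST DST_ENCRYPTION
verify_migration() {
    rc=0
    missing=$(missing_snapshots "$3" "$1" "$4" "$2")
    if [ -n "$missing" ]; then
        printf 'snapshots missing on %s:\n%s\n' "$2" "$missing"; rc=1
    fi
    if ! is_encrypted "$5"; then
        printf '%s is not encrypted (encryption=%s)\n' "$2" "$5"; rc=1
    fi
    return "$rc"
}

# Constructed sample data: the incremental send has not been received yet.
SAMPLE_SRC='data/photos@manual-01-05-2019
data/photos@manual-01-10-2020'
SAMPLE_DST='data2/photos@manual-01-05-2019
data2/photos_old@manual-01-10-2020'

if [ $# -eq 2 ] && command -v zfs >/dev/null 2>&1; then   # live: SRC DST
    verify_migration "$1" "$2" \
        "$(zfs list -H -t snapshot -o name -r "$1")" \
        "$(zfs list -H -t snapshot -o name -r "$2")" \
        "$(zfs get -H -o value encryption "$2")"
else                    # offline demo on the constructed data
    verify_migration data/photos data2/photos "$SAMPLE_SRC" "$SAMPLE_DST" aes-256-gcm || true
fi
```

Run it with the source and destination dataset names as arguments before changing the NFS share path or destroying the old dataset; a non-zero exit status means a snapshot is missing or the copy landed unencrypted.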

[ZFS] Encryption

Native encryption in ZFS has been supported since version 0.8.0. Check your current ZFS version with:

modinfo zfs

First activate the encryption feature on your pool:

zpool set feature@encryption=enabled pool_name

To get an overview of all pools with enabled encryption use the following command:

zpool get all | grep encryption

To create a new encrypted dataset with a passphrase:

zfs create -o encryption=aes-256-gcm -o keyformat=passphrase pool_name/dataset_name

Check the keystatus, the current encryption type and the mountpoint with the following commands:

zfs get keystatus pool_name/dataset_name
zfs get encryption pool_name/dataset_name
zfs list pool_name/dataset_name

Change the passphrase with:

zfs change-key pool_name/dataset_name

After a reboot you first have to load your key and then mount your dataset:

zfs load-key pool_name/dataset_name
zfs mount pool_name/dataset_name

Unmount and unload your key:

zfs umount pool_name/dataset_name
zfs unload-key pool_name/dataset_name

If you are sharing this dataset via NFS, it may be necessary to restart the NFS service after mounting. I just deactivate NFS on the dataset and activate it again.

zfs set sharenfs=off pool_name/dataset_name
zfs set sharenfs=on pool_name/dataset_name