{"id":1700,"date":"2020-12-22T10:14:47","date_gmt":"2020-12-22T16:14:47","guid":{"rendered":"https:\/\/blog.iqonda.net\/?p=1700"},"modified":"2020-12-22T10:14:47","modified_gmt":"2020-12-22T16:14:47","slug":"zfs-send-to-encrypted-volume","status":"publish","type":"post","link":"https:\/\/blog.ls-al.com\/zfs-send-to-encrypted-volume\/","title":{"rendered":"ZFS Send To Encrypted Volume"},"content":{"rendered":"
This is a POC of ZFS send\/recv replication from unencrypted datasets on one server to encrypted datasets on another server. The datasets are called zvols below, but they are ordinary mounted filesystems, as the MOUNTPOINT column in the listings shows. An old laptop is the target holding the encrypted datasets.<\/p>\n
On the target I first seeded the data by replicating large datasets left over from an earlier test into an encrypted dataset (TANK\/ENCRYPTED) on the same pool.<\/p>\n
WARNING<\/strong>: seeding from a single snapshot uses only 4.57G on the target, but seeding with all snapshots (zfs send -R) ends up using 22.9G for the same 4.57G of referenced data, so check free space before a full replication.<\/p>\n NOTE: The key is loaded manually in this test. Automatic loading will be tried later.<\/p>\n NOTE: Do this at your own risk. In the key-from-file test below the passphrase file on the target is mode 0644, readable by every local user; it should be 0600 at the very least. Also, zfs load-key -L only overrides the key location for that one call and does not change the keylocation property, which is why keylocation still reads prompt afterwards. Key loading should really be done from a remote KMS or something safer than a file sitting on the target.<\/p>\n ** now test with my replication (send\/recv) script<\/p>\n","protected":false},"excerpt":{"rendered":" Replication from unencrypted to encrypted set This is a POC testing ZFS (unencrypted zvols) from a server to another server<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[30],"tags":[],"class_list":["post-1700","post","type-post","status-publish","format-standard","hentry","category-zfs"],"_links":{"self":[{"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/posts\/1700","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/comments?post=1700"}],"version-history":[{"count":0,"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/posts\/1700\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/media?parent=1700"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/categories?post=1700"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/tags?post=1700"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}\n
Create encrypted zvol on target<\/h2>\n
# zfs create -o encryption=on -o keyformat=passphrase -o keylocation=prompt TANK\/ENCRYPTED\nEnter passphrase: \nRe-enter passphrase: <\/code><\/pre>\n
Seed one snapshot of the source DATA zvol as a test<\/h2>\n
# zfs send -v TANK\/DATA@2020-12-19_06.45.01--2w | zfs recv -x encryption TANK\/ENCRYPTED\/DATA\nfull send of TANK\/DATA@2020-12-19_06.45.01--2w estimated size is 4.52G\ntotal estimated size is 4.52G\nTIME SENT SNAPSHOT TANK\/DATA@2020-12-19_06.45.01--2w\n08:39:06 34.4M TANK\/DATA@2020-12-19_06.45.01--2w\n08:39:07 115M TANK\/DATA@2020-12-19_06.45.01--2w\n08:39:08 279M TANK\/DATA@2020-12-19_06.45.01--2w\n...\n08:40:49 4.52G TANK\/DATA@2020-12-19_06.45.01--2w\n08:40:50 4.54G TANK\/DATA@2020-12-19_06.45.01--2w\n\n# zfs list TANK\/ENCRYPTED\/DATA\nNAME USED AVAIL REFER MOUNTPOINT\nTANK\/ENCRYPTED\/DATA 4.59G 1017G 4.57G \/TANK\/ENCRYPTED\/DATA\n\n# zfs list -t snapshot TANK\/ENCRYPTED\/DATA\nNAME USED AVAIL REFER MOUNTPOINT\nTANK\/ENCRYPTED\/DATA@2020-12-19_06.45.01--2w 17.4M - 4.57G -<\/code><\/pre>\n
Seed all snapshots of the source DATA zvol<\/h2>\n
# zfs destroy TANK\/ENCRYPTED\/DATA\ncannot destroy 'TANK\/ENCRYPTED\/DATA': filesystem has children\nuse '-r' to destroy the following datasets:\nTANK\/ENCRYPTED\/DATA@2020-12-19_06.45.01--2w\n\n# zfs destroy -r TANK\/ENCRYPTED\/DATA\n\n# zfs send -R TANK\/DATA@2020-12-19_06.45.01--2w | zfs recv -x encryption TANK\/ENCRYPTED\/DATA\n\n# zfs list TANK\/ENCRYPTED\/DATA\nNAME USED AVAIL REFER MOUNTPOINT\nTANK\/ENCRYPTED\/DATA 22.9G 999G 4.57G \/TANK\/ENCRYPTED\/DATA\n\n# zfs list -t snapshot TANK\/ENCRYPTED\/DATA | tail -2\nTANK\/ENCRYPTED\/DATA@2020-12-17_06.45.01--2w 11.2M - 4.57G -\nTANK\/ENCRYPTED\/DATA@2020-12-19_06.45.01--2w 11.3M - 4.57G -<\/code><\/pre>\n
Create ARCHIVE zvol<\/h2>\n
# zfs create -o encryption=on -o keyformat=passphrase -o keylocation=prompt TANK\/ENCRYPTED\/ARCHIVE\nEnter passphrase: \nRe-enter passphrase: <\/code><\/pre>\n
Seed ARCHIVE\/MyDocuments<\/h2>\n
# zfs send -R TANK\/ARCHIVE\/MyDocuments@2020-12-18_20.15.01--2w | zfs recv -x encryption TANK\/ENCRYPTED\/ARCHIVE\/MyDocuments<\/code><\/pre>\n
Test sending src zvol from source to target (via ssh)<\/h2>\n
on target:\n# zfs destroy TANK\/ENCRYPTED\/ARCHIVE\/src@2020-12-19_20.15.01--2w\n\non source:\n# zfs send -i TANK\/ARCHIVE\/src@2020-12-18_20.15.01--2w TANK\/ARCHIVE\/src@2020-12-19_20.15.01--2w | ssh rrosso@192.168.1.79 sudo zfs recv -x encryption TANK\/ENCRYPTED\/ARCHIVE\/src\ncannot receive incremental stream: inherited key must be loaded\n\non target:\n# zfs load-key -r TANK\/ENCRYPTED\nEnter passphrase for 'TANK\/ENCRYPTED': \nEnter passphrase for 'TANK\/ENCRYPTED\/ARCHIVE': \n2 \/ 2 key(s) successfully loaded\n\n# zfs rollback TANK\/ENCRYPTED\/ARCHIVE\/src@2020-12-18_20.15.01--2w\n\non source:\n# zfs send -i TANK\/ARCHIVE\/src@2020-12-18_20.15.01--2w TANK\/ARCHIVE\/src@2020-12-19_20.15.01--2w | ssh rrosso@192.168.1.79 sudo zfs recv -x encryption TANK\/ENCRYPTED\/ARCHIVE\/src\n\non target:\n# zfs list -t snapshot TANK\/ENCRYPTED\/ARCHIVE\/src | tail -2\nTANK\/ENCRYPTED\/ARCHIVE\/src@2020-12-18_20.15.01--2w 1.87M - 238M -\nTANK\/ENCRYPTED\/ARCHIVE\/src@2020-12-19_20.15.01--2w 0B - 238M -<\/code><\/pre>\n
Test using key from a file<\/h2>\n
on target:\n# ls -l .zfs-key \n-rw-r--r-- 1 root root 9 Dec 21 12:49 .zfs-key\n\non source:\n# ssh rrosso@192.168.1.79 sudo zfs load-key -L file:\/\/\/root\/.zfs-key TANK\/ENCRYPTED\n# ssh rrosso@192.168.1.79 sudo zfs load-key -L file:\/\/\/root\/.zfs-key TANK\/ENCRYPTED\/ARCHIVE\n\non target:\n# zfs get all TANK\/ENCRYPTED | egrep \"encryption|keylocation|keyformat|encryptionroot|keystatus\"\nTANK\/ENCRYPTED encryption aes-256-gcm -\nTANK\/ENCRYPTED keylocation prompt local\nTANK\/ENCRYPTED keyformat passphrase -\nTANK\/ENCRYPTED encryptionroot TANK\/ENCRYPTED -\nTANK\/ENCRYPTED keystatus available -\n\n# zfs get all TANK\/ENCRYPTED\/ARCHIVE | egrep \"encryption|keylocation|keyformat|encryptionroot|keystatus\"\nTANK\/ENCRYPTED\/ARCHIVE encryption aes-256-gcm -\nTANK\/ENCRYPTED\/ARCHIVE keylocation prompt local\nTANK\/ENCRYPTED\/ARCHIVE keyformat passphrase -\nTANK\/ENCRYPTED\/ARCHIVE encryptionroot TANK\/ENCRYPTED\/ARCHIVE -\nTANK\/ENCRYPTED\/ARCHIVE keystatus available -<\/code><\/pre>\n
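The manual steps above (check that the target's key is loaded, pick the newest snapshot both sides share, send the first copy with -R and later copies with -i, always with recv -x encryption) are exactly the pieces a replication script needs. What follows is an added example, not the blog's own send/recv script: its helper functions take zfs output as plain text so they can be exercised without a pool, and the driver only prints the pipeline unless RUN=1 is set. The host rrosso@192.168.1.79 and the /root/.zfs-key path are the placeholders from the session above; passwordless sudo for zfs on the target and a GNU or BSD stat are assumptions.

```shell
#!/bin/sh
# Added example, not the blog's own replication script: helpers for pushing an
# unencrypted source dataset into an encrypted parent on a remote target, the
# way the commands above do by hand. Assumed (placeholders, not from the post):
# the remote user can run zfs via sudo, GNU or BSD stat is on the target, and
# the key file path is passed in by the caller.

# Return 0 only if the key file is readable by its owner alone (mode 600/400).
# Run this on the target before `zfs load-key -L file://...`; a 0644 key file
# like the one in the ls -l output above is readable by every local user.
key_file_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Return 0 if `zfs get -H -o value keystatus ENCROOT` reported a loaded key.
# Without it the receive fails with "inherited key must be loaded", so check
# before streaming gigabytes over ssh.
key_is_available() {
    [ "$1" = "available" ]
}

# Arguments: two snapshot lists (source, then target) as printed by
# `zfs list -H -t snapshot -o name -s creation DS`, one name per line.
# Prints the newest snapshot name (after '@') present on both sides, or nothing
# when there is no common snapshot and a full send is needed.
latest_common_snapshot() {
    printf '%s\n%s\n' "$1" "$2" | awk -F'@' '
        /@/ { if ($2 in seen) last = $2; else seen[$2] = 1 }
        END { if (last != "") print last }'
}

# Prints the newest snapshot name from a creation-sorted list.
newest_snapshot() {
    printf '%s\n' "$1" | sed -n '$s/.*@//p'
}

# Prints the send|recv pipeline. -x encryption keeps the stream's own
# encryption=off property from overriding inheritance from the encrypted
# parent; -R on the first copy carries every source snapshot, which is why the
# full-snapshot DATA copy above uses 22.9G for 4.57G of live data.
build_replicate_cmd() {
    src=$1; dst=$2; common=$3; newest=$4; host=$5
    if [ -z "$common" ]; then
        printf 'zfs send -R %s@%s | ssh %s sudo zfs recv -x encryption %s\n' \
            "$src" "$newest" "$host" "$dst"
    else
        printf 'zfs send -i %s@%s %s@%s | ssh %s sudo zfs recv -x encryption %s\n' \
            "$src" "$common" "$src" "$newest" "$host" "$dst"
    fi
}

# Driver: replicate SRC to DST on HOST, loading ENCROOT's key from KEYFILE
# (a path on the target) if it is not loaded. Prints the pipeline and runs it
# only when RUN=1 is set, so the default is a dry run.
replicate() {
    src=$1; dst=$2; encroot=$3; host=$4; keyfile=$5
    status=$(ssh "$host" sudo zfs get -H -o value keystatus "$encroot")
    if ! key_is_available "$status"; then
        echo "key for $encroot not loaded on $host, loading from $keyfile" >&2
        ssh "$host" sudo zfs load-key -L "file://$keyfile" "$encroot" || return 1
    fi
    src_snaps=$(zfs list -H -t snapshot -o name -s creation "$src")
    dst_snaps=$(ssh "$host" sudo zfs list -H -t snapshot -o name -s creation "$dst" 2>/dev/null)
    newest=$(newest_snapshot "$src_snaps")
    [ -n "$newest" ] || { echo "no snapshots on $src" >&2; return 1; }
    common=$(latest_common_snapshot "$src_snaps" "$dst_snaps")
    cmd=$(build_replicate_cmd "$src" "$dst" "$common" "$newest" "$host")
    echo "$cmd"
    if [ "${RUN:-0}" = 1 ]; then
        sh -c "$cmd"
    fi
}

# Usage: sh replicate.sh run SRC DST ENCROOT HOST KEYFILE
if [ "${1:-}" = run ]; then
    shift
    replicate "$@"
fi
```

For the src test above this would be invoked as `RUN=1 sh replicate.sh run TANK/ARCHIVE/src TANK/ENCRYPTED/ARCHIVE/src TANK/ENCRYPTED/ARCHIVE rrosso@192.168.1.79 /root/.zfs-key`. The driver deliberately leaves out `zfs recv -F`: it would have done the rollback the session above had to do by hand, but it would also silently discard any unexpected change on the target, and for an encrypted backup copy it is better to stop and look.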