Removing encryption

MrGeorge · July 2, 2025, 9:57am

Hi,

Is there a way to remove encryption from a pool please? I do have the encryption password. That’s not the issue.

Thanks,

George

swc-phil · July 2, 2025, 10:27am

Print the output of sudo zfs list -o name,encryption,keylocation -r <your-pool> please.

MrGeorge · July 2, 2025, 1:56pm

Thanks!

NAME ENCRYPTION KEYLOCATION
pool1 off none
pool1/.system off none
pool1/.system/configs-ae32c386e13840b2bf9c0083275e7941 off none
pool1/.system/cores off none
pool1/.system/netdata-ae32c386e13840b2bf9c0083275e7941 off none
pool1/.system/nfs off none
pool1/.system/samba4 off none
pool1/shares aes-256-gcm prompt
pool1/shares/data aes-256-gcm none
and a lot of directories underneath, all with the structure pool1/shares/date/ dir1…dir256 aes-256-gcm none.

swc-phil · July 2, 2025, 7:33pm

So, you wanna remove encryption from pool1/shares (and its children), right?

Aiui, you can’t really remove encryption from a dataset. You should create a new dataset (w/o encryption) and then copy the existing data. Perhaps it could be easily done with zfs replication. I can be wrong. Hope someone more proficient would help you.

QonoS · July 2, 2025, 9:19pm

That is probably the easiest way.

ZFS sending/receiving a dataset to go from encrypted to unencrypted has some limitations:

   -R, --replicate
       Generate a replication stream package, which will replicate the specified file system, and
       all descendent file systems, up to the named snapshot.  When received, all properties, snap‐
       shots, descendent file systems, and clones are preserved.

       If the -i or -I flags are used in conjunction with the -R flag, an incremental replication
       stream is generated.  The current values of properties, and current snapshot and file system
       names are set when the stream is received.  If the -F flag is specified when this stream is
       received, snapshots and file systems that do not exist on the sending side are destroyed.  If
       the -R flag is used to send encrypted datasets, then -w must also be specified.

So sending a “replication stream package” is not possible in this case. What exacly gets lost is not entirely clear imho.

MrGeorge · July 3, 2025, 12:30pm

Thank you very much. I was afraid that would be the answer.

swc-phil · July 4, 2025, 3:21pm

Why do you want to remove encryption? Are you just want to ditch entering a passphrase or to avoid some unacceptable encryption overhead (on a low-end system)?

MrGeorge · July 4, 2025, 3:54pm

It is indeed a passphrase thing. I was abroad and unreachable for the family for a couple of days. We had a violent thunderstorm and a power outage at home. The system did a shutdown (UPS), came back online on after the power was restored, and the family couldn’t access their music because they couldn’t find the procedure I left for them two years ago.

swc-phil · July 4, 2025, 4:31pm

I do believe you can switch the keylocation from prompt to file:///. And then add an init-script/job to load the key on boot. I did it (auto key load) once for proxmox with the help of this guide.