I have a pool named ‘main’ which is currently unencrypted. Now I want everything to be encrypted and the only way is currently to move it into a new dataset which is encrypted. So I created a dataset named ‘enc’ inside my ‘main’ pool with an encryption passphrase. The pool has currently 24TB written and 16TB space left.
Question: What is the best way to move everything over to the ‘enc’ dataset?
Ideas:
ZFS rename: following this method from @winnielinnie mentioned here third post.
Move everything over but which command is the best way here?
I have 4 x 4 TB lying around, put it into the server so I can copy everything over.
I set up a test case for the first idea to check if the ‘zfs rename’ function is working fine with an unencrypted dataset to an encrypted dataset. After trying it out, it seems like it's working fine, the only thing which is different is that the child dataset (the renamed original one) is not encrypted, but the parent dataset is. The result can be seen here. I am not sure if this is fine…
That won’t encrypt an unencrypted dataset. The rename command does not change or touch any dataset properties.
Move everything over to where? You only have 16TB free space, but you need to move 24TB of data within the same pool.
The only way to achieve this would be to destroy all snapshots and to use the mv command, instead of cp. This is a risky operation, and any regret or small mistake could permanently lose your data.
How? At best, this only yields 16TB of capacity with a non-redundant pool.
The dataset is still unencrypted. See my first comment.
So the only solution is to copy or move over dataset by dataset and delete after every copy the original dataset. All datasets are smaller than the 16TB, so that should work out.
Just for me to understand the technicalities here:
Why is the move command risky, if ZFS is doing a copy-on-write?
I thought it's not possible to have an unencrypted dataset with an encrypted parent dataset. Is the encryption on every dataset level? Does that mean if there is an attack and they know the address of the child dataset they can modify the files?
It’s the simplest solution. Make sure you confirm and check each dataset replication after it’s done.
Nothing to do with ZFS. When you do a file “move”, it deletes the original after it gets copied to the new dataset. If you lose power, or accidentally abort the operation, you’ll be left in a half-complete state, and you might later realize something that you didn’t think about before. Then it would become difficult to undo the “move” to your original pool’s state.
Encryption is per dataset. If a parent is encrypted, but a child is not, then yes, the files on the child dataset are easily accessible. With any Linux box, you can independently “mount” the child dataset without needing to unlock its parent.
The only relation encrypted children have to their parents is if they share a common “encryptionroot”, which allows them to be unlocked together with the same key/passphrase, seamlessly.
As for “it’s not allowed”, that’s a TrueNAS policy. The middleware tries to prevent you from doing this. Since you used the zfs rename command, you bypass the middleware. Otherwise, TrueNAS would not allow it.
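A check for the situation discussed in this thread (a dataset left unencrypted beneath an encrypted parent after `zfs rename`), as an added example that is not part of the original posts. The function names and the sample listing are constructed for illustration; `main` and `main/enc` follow the thread, the other dataset names are made up.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Input: tab-separated lines "name<TAB>encryption<TAB>encryptionroot", i.e. the
# output of:  zfs list -H -r -o name,encryption,encryptionroot main
# Output: "dataset<TAB>nearest encrypted ancestor" for every dataset whose
# encryption property is "off" although an ancestor is encrypted.
find_unencrypted_children() {
    awk -F '\t' '
        { enc[$1] = $2; order[NR] = $1 }
        END {
            for (i = 1; i <= NR; i++) {
                name = order[i]
                if (enc[name] != "off") continue
                parent = name
                # Walk up the dataset path one component at a time.
                while (sub("/[^/]*$", "", parent)) {
                    if ((parent in enc) && enc[parent] != "off") {
                        print name "\t" parent
                        break
                    }
                }
            }
        }'
}

# Constructed sample listing: main/enc/media stands for a dataset that was
# renamed under the encrypted main/enc and kept encryption=off.
sample_listing() {
    printf 'main\toff\t-\n'
    printf 'main/enc\taes-256-gcm\tmain/enc\n'
    printf 'main/enc/media\toff\t-\n'
    printf 'main/enc/photos\taes-256-gcm\tmain/enc\n'
    printf 'main/docs\toff\t-\n'
}

# Demo on the constructed sample; on a real system pipe the zfs list
# command shown above into find_unencrypted_children instead.
sample_listing | find_unencrypted_children
```

Any dataset this prints still holds plaintext data and needs to be replicated into an encrypted dataset rather than renamed.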