What confuses me is the “Encryption” toggle for destination location.
I’d like to replicate an encrypted source dataset with all its children from the main pool to a second local backup pool destination. For this I would expect TrueNAS to automatically make the replicated dataset encrypted as well, sending the encrypted data stream to its destination (zfs send), with no need to know the key on the destination.
Popup is not too helpful:
Help: Encryption
Set to use encryption when replicating data. Additional encryption options will appear.
What I discovered in the docs:
e. (Optional) Select Encryption to add a second layer of encryption over the already encrypted dataset. Source
Adding Transfer Encryption
The Encryption option adds another layer of security to replicated data by encrypting the data before transfer and decrypting it on the destination system. Selecting Encryption adds the additional setting options HEX key or PASSPHRASE. You can store the encryption key either in the TrueNAS system database or in a custom-defined location. Source
It’s still not quite clear to me. Is the toggle about
transport encryption
nested dataset encryption
Also not to be confused with point “SSH Transfer Security Encryption”
Encryption everywhere
Why do I need a “second layer” of encryption, if my dataset is already encrypted?
I am also baffled a bit by
Help: Inherit Encryption
Target dataset encryption will be inherited from its parent dataset.
Shouldn’t dataset encryption be “inherited” from the source dataset in my case?
Thanks in advance for shedding some light for a newcomer on this topic.
replicate unencrypted source dataset to encrypted destination
replicate already encrypted source dataset, but re-encrypt destination with its own separate key/passphrase
When you want to replicate an encrypted source dataset to a destination while preserving its key (destination won’t know it this way; corresponds to zfs send --raw / -w on CLI), it doesn’t make sense. TrueNAS does not permit nested encryption.
TrueNAS automatically uses --raw, when either
“Include Dataset Properties” (zfs send -p)
“Full Filesystem Replication” (zfs send -R)
is used.
Hence “Encryption” should not be visible in the web interface if one of these options is checked. Do we already have a feature request or bug report?
If this option is still checked, you get the error
Replication “myrepltask” failed: Re-encrypting already encrypted source dataset ‘mydssource’ while preserving its properties is not supported…
at the time the replication task is started (not after you created the task).
Btw: with Replication Task Wizard, there are no explicit GUI options for -p and -R.
But “Include Dataset Properties” / -p seems to be preset, so same rules should apply.
Dataset inheritance only works within a pool itself. In this case, it’s just offering to inherit the destination dataset’s encryption from its parent (also on the destination pool).
Heh. I don’t use the GUI for ZFS replications. I’ve found it way too rigid and vague. This is one of those reasons. Your observations are correct.
To accomplish this in the command line, you would indeed invoke the -w and -R / -p flags. No datasets are required to be unlocked. (Neither on the source nor the destination.) A raw stream is sent over, and the destination cannot access the data, since the encryptionroot will be in a “locked” state.
To accomplish this in the GUI, you have to ignore (leave unchecked) anything to do with encryption in the task’s configuration. As long as the source is encrypted, and you use “Full Filesystem Replication”, it will invoke the -w and -R flags under the hood. I highly recommend a passphrase instead of a keyfile if you’re using this method.
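The two replies above describe the same rule from two sides: TrueNAS adds -w (--raw) whenever the source is encrypted and either -p (“Include Dataset Properties”) or -R (“Full Filesystem Replication”) is set, and refuses the task if “Encryption” (re-encrypt on the destination) is also enabled. The script below is an added example, not code from the thread or from TrueNAS; it encodes that rule as a small function that builds the zfs send command line, and a second function that checks the received dataset is still locked. The pool, dataset and snapshot names (tank/enc, backup/enc, @s1) are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread or TrueNAS). Builds the zfs send command
# for replicating an encrypted dataset while preserving its key, following the
# rule described in the thread: -w (--raw) is used when the source is encrypted
# and -p or -R is requested; re-encrypting such a source is rejected.
# Dataset names are hypothetical.

# build_send_cmd SRC_ENCRYPTED PROPS FULL REENCRYPT SNAPSHOT
#   SRC_ENCRYPTED  yes|no  source dataset is encrypted
#   PROPS          yes|no  "Include Dataset Properties" (-p)
#   FULL           yes|no  "Full Filesystem Replication" (-R)
#   REENCRYPT      yes|no  the GUI "Encryption" toggle (new key on destination)
# Prints the send command on stdout, or an error on stderr with status 1.
build_send_cmd() {
  src_enc=$1; props=$2; full=$3; reenc=$4; snap=$5
  flags=""
  [ "$props" = yes ] && flags="$flags -p"
  [ "$full" = yes ] && flags="$flags -R"

  raw=no
  if [ "$src_enc" = yes ] && { [ "$props" = yes ] || [ "$full" = yes ]; }; then
    raw=yes
  fi

  # A raw stream carries the source's own key wrapping; it cannot be
  # re-encrypted with a different key on the way in.
  if [ "$raw" = yes ] && [ "$reenc" = yes ]; then
    echo "error: re-encrypting already encrypted source dataset while preserving its properties is not supported" >&2
    return 1
  fi

  [ "$raw" = yes ] && flags="$flags -w"
  echo "zfs send$flags $snap"
}

# dest_is_locked KEYSTATUS ENCRYPTION
# True when the received dataset is encrypted and its key is not loaded, which
# is what a raw receive yields. Obtain the two values on the destination with:
#   zfs get -H -o value keystatus  backup/enc
#   zfs get -H -o value encryption backup/enc
dest_is_locked() {
  [ "$2" != off ] && [ "$1" = unavailable ]
}

# Demo: the command the GUI would run for an encrypted source with -R, and the
# receive side. Nothing is executed here; the pipe is shown as a string only.
send_cmd=$(build_send_cmd yes no yes no tank/enc@s1)
echo "$send_cmd | zfs receive -u backup/enc"

# Demo: the combination the thread reports as failing at task start.
build_send_cmd yes yes no yes tank/enc@s1 || echo "(task rejected, as in the thread)"
```

After a raw receive, dest_is_locked should report true; if it reports false the destination either received a plain (decrypted) stream or has had the key loaded, and the backup no longer has the property the original poster wanted.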
Ohh. Aren’t these the official TrueNAS docs - or is it contributed by community?
Yeah, this makes sense.
The -p option (“Include Dataset Properties” in the GUI) instead of -R (“Full Filesystem Replication”) also works, and TrueNAS will use -w for encrypted source datasets. But I guess you already mentioned that.