ZFS send/recv "wpc" encrypted datasets and inherited encryption with passphrase

More of a ZFS question than a TrueNAS one, but help would be appreciated.

The issue: When I send encrypted child datasets that inherit a passphrase to another ZFS pool with “wpc”, I lose the “inheritance” and all datasets become key location = prompt.

I have a pool with a set of nested datasets in TrueNAS, where most of the child datasets inherit encryption from the parent. There are one or two exceptions. When I mount this in TrueNAS all works well: whack in one passphrase and they all get mounted, except the exceptions.

For backup I syncoid the lot to another (not TrueNAS) ZFS with “wpc”, so the properties should come across.

However, attempting to mount the set on the backup site prompts for all datasets even though they should be “inherit”. Now the documentation does say that if key location is not provided, it will default to passphrase. So the real question is why, and how can I solve it.

I assume that inherit uses “blank” for key location instead of something explicit like “inherit”, which means this seems like a conflict of “blank” being assumed as inherit instead of an explicit “inherit” option (which, as a programmer myself, I expect is always the way to go), but hey ho. Not a design question, more one of how to work around this.

So the question is on my “backup” set how do I mount all the datasets with a prompt for each and every dataset?

Load-key does not appear to work, as the datasets now have “passphrase” set, so it prompts for each and every dataset?

If I were to restore this data, would I now be stuck with passphrase on all datasets instead of inherit?

How can I restore the “inherit” status on all the appropriate datasets back to what they should be?

Or is there something I am doing wrong in the send/recv? I can't see it, but happy to learn.

Any help will be appreciated.

Source system:

NAME PROPERTY VALUE SOURCE
xxx. keylocation none default

Backup system:

NAME PROPERTY VALUE SOURCE
xxx. keylocation prompt local

Thanks

Are you sending the encryptionroot dataset as a single “zfs send/recv” or are you sending the individual datasets underneath?

Are you passing --sendoptions="R" to the parameters? Syncoid’s “recursive” option (-r) is not a native ZFS option. I would not combine --sendoptions="R" with -r. Use the former, not the latter.

On the remote system, assuming you are using TrueNAS, you can edit the dataset encryption scheme to inherit its ancestor. For that, you will need to unlock the dataset first, then edit the encryption scheme again and select “Inherit encryption properties from parent”. Apply the new setting.

Repeat the procedure for every dataset that doesn't use the “inherit” option.

Hi

It’s not TrueNAS, but even if it were, that is a pain. The whole point of “send properties” is to send the properties, right? To manually fix all the datasets whenever I need to use the replication is not a great or productive way to go. Is there no way to just get it to send the properties as-is without changing things based on spurious “defaults”?

Thanks Winnielinnie,

Found updated documentation on the -R option and will experiment with that. Fingers crossed.

You should only run the Syncoid transfer against the encryptionroot dataset, and use the --sendoptions="R" parameter without -r. You might have to start over, since you already transferred to the destination.
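As an added example (not code from this thread, Syncoid or OpenZFS), the following POSIX shell script compares the `encryptionroot` listing of a source pool with that of its backup, reports the datasets whose key inheritance did not survive the transfer, and prints the `zfs change-key -i` commands that would make them inherit from their parent again; `zfs change-key -i` is the CLI equivalent of the “Inherit encryption properties from parent” option mentioned above. The dataset names tank/data and backup/data are assumptions and both listings are constructed; they are in the tab-separated shape of `zfs get -H -r -o name,property,value encryptionroot <dataset>` run on each system.

```shell
#!/bin/sh
# Compare encryptionroot listings from a source and a backup pool and report
# the datasets that inherited their key on the source but became their own
# encryptionroot on the backup. Added example: tank/data and backup/data are
# assumed names; the two listings are constructed in the tab-separated shape of
#   zfs get -H -r -o name,property,value encryptionroot <dataset>

# Constructed source listing: docs and photos inherit from tank/data,
# vault is one of the "exceptions" with its own key.
SRC_LIST=$(printf '%s\t%s\t%s\n' \
  tank/data        encryptionroot tank/data \
  tank/data/docs   encryptionroot tank/data \
  tank/data/photos encryptionroot tank/data \
  tank/data/vault  encryptionroot tank/data/vault)

# Constructed backup listing after a per-dataset raw send: every dataset
# has become its own encryptionroot (keylocation=prompt on each).
DST_LIST=$(printf '%s\t%s\t%s\n' \
  backup/data        encryptionroot backup/data \
  backup/data/docs   encryptionroot backup/data/docs \
  backup/data/photos encryptionroot backup/data/photos \
  backup/data/vault  encryptionroot backup/data/vault)

# lost_inheritance SRC_ROOT DST_ROOT SRC_LISTING DST_LISTING
# Prints, one per line, the backup datasets whose inheritance was lost.
lost_inheritance() {
  {
    printf '%s\n' "$3"
    printf '%s\n' '--END-SRC--'
    printf '%s\n' "$4"
  } | awk -F '\t' -v sr="$1" -v dr="$2" '
    $0 == "--END-SRC--" { in_dst = 1; next }
    $2 != "encryptionroot" { next }
    !in_dst {
      rel = substr($1, length(sr) + 1)      # "" for the root itself, "/docs" for a child
      src_inherits[rel] = ($3 != $1)        # key comes from an ancestor on the source
    }
    in_dst {
      rel = substr($1, length(dr) + 1)
      dst_own[rel] = ($3 == $1)             # dataset is its own encryptionroot on the backup
    }
    END {
      for (rel in src_inherits)
        if (src_inherits[rel] && dst_own[rel]) print dr rel
    }' | sort
}

# inherit_commands SRC_ROOT DST_ROOT SRC_LISTING DST_LISTING
# Prints (does not run) the OpenZFS commands that make each reported dataset
# inherit its parent's key again. change-key -i needs the parent's key loaded
# already; -l loads the dataset's own key as part of the command.
inherit_commands() {
  lost_inheritance "$@" | while IFS= read -r ds; do
    printf 'zfs change-key -l -i %s\n' "$ds"
  done
}

inherit_commands tank/data backup/data "$SRC_LIST" "$DST_LIST"
```

The commands are only printed, so the output can be reviewed before anything is run; unlock the backup's encryptionroot first, since `change-key -i` needs the parent's key loaded. Running the same comparison after a fresh `--sendoptions="R"` transfer of the encryptionroot is a quick way to confirm that the recursive send preserved the inheritance and that nothing needs repairing.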