Solved Backup unencrypted datasets into encrypted datasets

henrix


This is probably a trivial question, but I'm failing to figure it out myself after reading a lot of documentation.

I've my laptop running an up-to-date 13.0-RELEASE, with zfs on top of geli. So, datasets are *not* encrypted, but encryption is done on the lower level.

I've a single snapshot in my home dataset:
Code:
# zfs list -t snapshot zroot/usr/home
NAME                              USED  AVAIL     REFER  MOUNTPOINT
zroot/usr/home@2021-10-19_13h50  2.87M      -     13.3G
which I'd like to back up onto my external USB drive, which is zfs as well, but not using geli (as I'd like to share it with another non-FreeBSD computer). Thus, I've created the following on my external drive:
Code:
# zfs create -o encryption=on -o keyformat=passphrase backups/root
# zfs create -o encryption=on backups/root/orpheus-home
When I try to send my snapshot, here's what I see:
Code:
# zfs send -v -R zroot/usr/home@2021-10-19_13h50 | zfs recv -x encryption backups/root/orpheus-home
full send of zroot/usr/home@2021-10-19_13h50 estimated size is XXXG
total estimated size is XXXG
cannot receive new filesystem stream: destination 'backups/root/orpheus-home' exists
must specify -F to overwrite it
warning: cannot send 'zroot/usr/home@2021-10-19_13h50': signal received
Ok, let me try to use the suggested option:
Code:
# zfs send -v -R zroot/usr/home@2021-10-19_13h50 | zfs recv -F -x encryption backups/root/orpheus-home
full send of zroot/usr/home@2021-10-19_13h50 estimated size is XXXG
total estimated size is XXXG
cannot receive new filesystem stream: zfs receive -F cannot be used to destroy an encrypted filesystem or overwrite an unencrypted one with an encrypted one
warning: cannot send 'zroot/usr/home@2021-10-19_13h50': signal received
I've tried to use -o keyformat=raw -o keylocation=file://... instead of -x encryption on the receive side (after changing the key format, of course), but the result is exactly the same. And I'm puzzled, with no idea where to go from here. Is this a limitation of zfs, or is this zfs just telling me I'm doing something really stupid?

Thanks for any hint that would help me sort this out.
 

henrix


For the record, sarnold on IRC helped me sort this out. Solution: before the send/recv, do zfs destroy backups/root/orpheus-home. And that was it.
 

T-Daemon


> For the record, sarnold on IRC helped me sort this out.

Alright, good.

I didn't have time to post earlier. I'll just paste the solution I had prepared as a response:

Are you trying to back up the snapshot on the USB device as a live file system, or just the snapshot itself, in a file for example?
If the latter, create the encrypted dataset backups/root/orpheus-home and redirect the stream into a file:
Code:
# zfs send -vR zroot/usr/home@2021-10-19_13h50 > /backups/root/orpheus-home/2021-10-19_13h50.snap

If the case is a live system, then there is no need to create an encrypted dataset beforehand for the snapshot. It will be created when zfs-receive(8)'ing:
Code:
# zfs create backups/root
# dd if=/dev/urandom of=/root/usbsnap.key bs=32 count=1
# zfs send -vR zroot/usr/home@2021-10-19_13h50 | zfs recv -o keyformat=raw -o keylocation=file:///root/usbsnap.key backups/root/orpheus-home
A file must be used as the key (the example key file here is usbsnap.key) when zfs-send(8)'ing. A passphrase is not possible because the receive process is already using stdin for the send stream. The key file can be stored on the main system or the USB device.

If one wishes to use a passphrase instead of a key file: after the stream is sent, the keyformat property can be changed to passphrase and the keylocation from file:// to prompt using zfs-change-key(8):
Code:
# zfs change-key -l -o keyformat=passphrase -o keylocation=prompt backups/root/orpheus-home
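
The key-file step from the post above, hardened, as an added example that is not part of the thread: the raw key is created with owner-only permissions, checked to be 32 bytes and never overwritten, and the send/receive pipeline is printed for review rather than run. The function names `make_raw_key` and `print_backup_cmd` are hypothetical, and `-o encryption=on` is spelled out on the assumption that the parent `backups/root` is unencrypted.

```shell
# Added example, not from the thread. Helper names are hypothetical.

# Create a 32-byte raw key readable only by its owner.
# Refuses to overwrite: replacing a key in use makes the backup unreadable.
make_raw_key() {
    keyfile=$1
    if [ -e "$keyfile" ]; then
        echo "refusing to overwrite existing key: $keyfile" >&2
        return 1
    fi
    (
        umask 077    # key file is created with mode 0600
        dd if=/dev/urandom of="$keyfile" bs=32 count=1 2>/dev/null
    ) || return 1
    # keyformat=raw requires exactly 32 bytes; catch a short read.
    size=$(($(wc -c < "$keyfile")))
    if [ "$size" -ne 32 ]; then
        echo "key is $size bytes, expected 32" >&2
        rm -f "$keyfile"
        return 1
    fi
}

# Print the send/receive pipeline for review instead of running it.
# The destination must not exist yet (zfs receive creates it), and the key
# is read from a file because stdin carries the send stream.
print_backup_cmd() {
    snap=$1 dest=$2 keyfile=$3
    case $keyfile in
        /*) ;;
        *) echo "keylocation=file:// needs an absolute path" >&2; return 1 ;;
    esac
    if command -v zfs >/dev/null 2>&1 &&
       zfs list -H -o name "$dest" >/dev/null 2>&1; then
        echo "destination $dest already exists; zfs receive must create it" >&2
        return 1
    fi
    # encryption=on is explicit (assumption: parent dataset is unencrypted).
    printf 'zfs send -vR %s | zfs recv -o encryption=on -o keyformat=raw -o keylocation=file://%s %s\n' \
        "$snap" "$keyfile" "$dest"
}

# Demo with the thread's names; runs only when DEMO=1 is set.
if [ "${DEMO:-0}" = 1 ]; then
    make_raw_key /root/usbsnap.key &&
    print_backup_cmd zroot/usr/home@2021-10-19_13h50 \
        backups/root/orpheus-home /root/usbsnap.key
fi
```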
 