I'm wanting to use native ZFS encryption with one of my datasets and all of its child datasets, and I wanted to make sure I'm going about this correctly.
It's a large amount of data (something in the area of 30 TB) but fortunately I do have enough space to temporarily have the data all doubled. For this example, the dataset to be encrypted is at pool/data and there are two lower datasets at pool/data/one and pool/data/two. My tentative plan then, is to do this:

1. Rename the dataset (this should affect the two child datasets too?):
# zfs rename pool/data pool/data-unenc
2. Snapshot the dataset:
# zfs snapshot -r pool/data-unenc@encryptionprep
3. Send the unencrypted dataset and receive it as a new dataset with encryption and all desired properties set:
# zfs send -R pool/data-unenc@encryptionprep | zfs receive -o encryption=on -o keyformat=passphrase -o compression=lz4 -o (and so forth for every property I want to set) pool/data
4. Delete the unencrypted dataset:
zfs destroy -r pool/data-unenc
5. zeroize free space with dd:
dd if=/dev/zero of=/data/bigfile.dd;rm /data/bigfile.dd

Is my basic plan here correct? Especially with step 3, what I'm aiming for is by the time the receive is done, /pool/data and all of its child datasets exist exactly as they did before I renamed the original dataset, except now it's encrypted.

Am I approaching this in a valid way? Or should it be done differently?
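
An added example, not part of the original post: a check that can sit between step 3 and step 4, confirming that every dataset under the renamed tree has a counterpart under the new tree and that none of the counterparts report `encryption=off` before the unencrypted copy is destroyed. The function name `check_encrypted_copy` and the sample listings are constructed for illustration; the listings imitate the tab-separated output of `zfs get -H -o name,value`.

```shell
#!/bin/sh
# Real input would be captured like this (not run here):
#   old=$(zfs get -H -o name,value -r -t filesystem,volume encryption pool/data-unenc)
#   new=$(zfs get -H -o name,value -r -t filesystem,volume encryption pool/data)

# check_encrypted_copy OLD_ROOT NEW_ROOT OLD_LISTING NEW_LISTING
# Prints one line per problem. Returns 0 only if every dataset under
# OLD_ROOT exists under NEW_ROOT with an encryption value other than "off".
check_encrypted_copy() {
    old_root=$1
    new_root=$2
    printf '%s\n---\n%s\n' "$3" "$4" | awk -F '\t' \
        -v old="$old_root" -v new="$new_root" '
        $0 == "---" { second = 1; next }   # separator between the listings
        NF < 2      { next }               # skip blank or malformed lines
        !second     { want[substr($1, length(old) + 1)] = 1; next }
                    { enc[substr($1, length(new) + 1)] = $2 }
        END {
            for (rel in want) {
                if (!(rel in enc)) {
                    print "MISSING " new rel; bad = 1
                } else if (enc[rel] == "off") {
                    print "UNENCRYPTED " new rel; bad = 1
                }
            }
            exit bad + 0
        }'
}

# Constructed sample listings (name<TAB>value), not captured from a real pool.
OLD_SAMPLE=$(printf 'pool/data-unenc\toff\npool/data-unenc/one\toff\npool/data-unenc/two\toff')
NEW_GOOD=$(printf 'pool/data\taes-256-gcm\npool/data/one\taes-256-gcm\npool/data/two\taes-256-gcm')
# Failure case: one child arrived unencrypted, one child is absent.
NEW_BAD=$(printf 'pool/data\taes-256-gcm\npool/data/one\toff')

if check_encrypted_copy pool/data-unenc pool/data "$OLD_SAMPLE" "$NEW_GOOD"; then
    echo "good sample: all datasets present and encrypted"
fi
check_encrypted_copy pool/data-unenc pool/data "$OLD_SAMPLE" "$NEW_BAD" ||
    echo "bad sample: do not destroy the unencrypted source yet"
```
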