Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in

  FAQ | Search | Memberlist | Usergroups | Statistics | Profile | Log in to check your private messages | Log in | Register

Enable ZFS encrytption on existing dataset [solved - RTFM]
 View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
tenspd1370
Tux's lil' helper
Tux's lil' helper


Joined: 14 Dec 2017
Posts: 124
PostPosted: Fri Jun 21, 2019 9:03 pm    Post subject: Enable ZFS encrytption on existing dataset [solved - RTFM] Reply with quote
Hi all -

I just read about ZFS Encryption and decided to enable it in my current pool. Obviously, that just allows me to create new data sets with encryption. So far just trying to do zfs set encryption=-on <dataset> tells me encryption is read only. Is there a way to enable it on an existing dataset? Or do I need to create a new encrypted dataset and migrate it? Everything I have read would indicate that is the case, but before I go and try to figure that out, I wanted to verify that was indeed what needs to be done.

Thanks!

Last edited by tenspd1370 on Mon Jun 24, 2019 3:03 pm; edited 1 time in total
Back to top
View user's profile Send private message
szatox
Advocate
Advocate


Joined: 27 Aug 2013
Posts: 3494
PostPosted: Fri Jun 21, 2019 10:36 pm    Post subject: Reply with quote
Encryption can only be applied when writing data, so it makes a lot of sense to only allow when you're creating a new data set (which is guaranteed to be empty at this point - e.g. no plain data has been written).
Now, it it was possible to enable encryption on an existing dataset and "convert" it in the background, how would you track encryption progress and how would you ensure the plain data is removed from your disks?

I'd say you should actually start with a new hard drive, shred it properly, and then create a whole new zpool there. And after you copy your data over to an encrypted set, shred the disks you're using right now.
Back to top
View user's profile Send private message
mrbassie
l33t
l33t


Joined: 31 May 2013
Posts: 833
Location: Go past the sign for cope, right at the sign for seethe. If you see the target you've missed it.
PostPosted: Mon Jun 24, 2019 10:21 am    Post subject: Re: Enable ZFS encrytption on existing dataset Reply with quote
tenspd1370 wrote:
Or do I need to create a new encrypted dataset and migrate it?

Thanks!


From the manpage:

Code:
encryption=off|on|aes-128-ccm|aes-192-ccm|aes-256-ccm|aes-128-gcm|aes-192-gcm|aes-256-gcm
       Controls the encryption cipher suite (block cipher, key length, and mode) used for this dataset. Requires the encryption feature to be enabled
       on the pool.  Requires a keyformat to be set at dataset creation time.
Back to top
View user's profile Send private message
tenspd1370
Tux's lil' helper
Tux's lil' helper


Joined: 14 Dec 2017
Posts: 124
PostPosted: Mon Jun 24, 2019 3:03 pm    Post subject: Reply with quote
Thanks all. I missed this part:

Code:

...
Requires a keyformat to be set at dataset creation time.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum



 Links: forums.gentoo.org | www.gentoo.org | bugs.gentoo.org | wiki.gentoo.org | forum-mods@gentoo.org

Copyright 2001-2025 Gentoo Foundation, Inc. Designed by Kyle Manna © 2003; Style derived from original subSilver theme. | Hosting by Gossamer Threads Inc. © | Powered by phpBB 2.0.23-gentoo-p11 © 2001, 2002 phpBB Group
Privacy Policy