Encryption and replication

infinitytec

Dabbler
Joined
Oct 14, 2022
Messages
11
I have scheduled snapshots and replication tasks to copy data from my main dataset onto an external drive.


My main dataset looked something like this:

Main (unencrypted)
-Sub1 (unencrypted)
-Sub2 (unencrypted)

And the backup drive looks like this:

Backup (encryption root)
-Main (inherited encryption)
--Sub1 (inherited encryption)
--Sub2 (inherited encryption)


I recently made a new dataset in my main dataset. I'll call it Sub3 for example.

Now they look like this:

Main dataset:


Main (unencrypted)
-Sub1 (unencrypted)
-Sub2 (unencrypted)
-Sub3 (unencrypted)

And the backup drive looks like this:

Backup (encryption root)
-Main (inherited encryption)
--Sub1 (inherited encryption)
--Sub2 (inherited encryption)
--Sub3 (unencrypted)

Any ideas how I can get Sub3 to inherit encryption properties?

The Sub ones also all have this:

[Attached image: 1696381771722.png]

Except for Sub3 which does not.


Thanks.
 

infinitytec

My main reason for wanting this data encrypted is I can take this data offsite. I use a more or less identical system for a drive stored offsite and out of my complete control.
 
Joined
Oct 22, 2019
Messages
3,641
Any ideas how I can get Sub3 to inherit encryption properties?
Are you using the same configuration as you're using for Sub1 and Sub2?

How did you configure the previous replication task? Is it one single task that recursively replicates "Main"? If so, would that not also replicate Sub3, without requiring an additional replication task?
 

infinitytec

Are you using the same configuration as you're using for Sub1 and Sub2?

How did you configure the previous replication task? Is it one single task that recursively replicates "Main"? If so, would that not also replicate Sub3, without requiring an additional replication task?
Yes, same configuration.

That is how my replication task is configured. It is replicating Sub3 without an extra task. The difference is Sub1 and Sub2 are encrypted and Sub3 is not.
 
Joined
Oct 22, 2019
Messages
3,641
Can you share the full configuration of the replication task? (Whether screenshotted or written out)?
 

infinitytec

[Attached image: 1696392631141.png]


Hopefully this is clear enough.

For what it's worth, I've tried it with and without checking the box for encryption.
 
Joined
Oct 22, 2019
Messages
3,641
I've tried it with and without checking the box for encryption.
When was this?

What about the very first time you ran the task?

What does this reveal about the source and destination?
Code:
zfs list -t filesystem -r -o name,encryptionroot NameOfSourcePool
zfs list -t filesystem -r -o name,encryptionroot NameOfBackupPool
 

infinitytec

When was this?

What about the very first time you ran the task?

What does this reveal about the source and destination?
Code:
zfs list -t filesystem -r -o name,encryptionroot NameOfSourcePool
zfs list -t filesystem -r -o name,encryptionroot NameOfBackupPool
First time I ran it with Sub3 existing I had the encryption box checked. I can't recall for the first time I ran the replication ever.

Code:
zfs list -t filesystem -r -o name,encryptionroot Main
NAME       ENCROOT
Main       -
Main/Sub1  -
Main/Sub2  -
Main/Sub3  -

zfs list -t filesystem -r -o name,encryptionroot Backup
NAME                ENCROOT
Backup              Backup
Backup/Backup       Backup
Backup/Backup/Sub1  Backup
Backup/Backup/Sub2  Backup
Backup/Backup/Sub3  -
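
Added example (not part of the original posts): a POSIX shell check that reads the same `zfs list` output in scripting mode (`-H`, tab-separated, no header) and flags every dataset whose encryption root is not the expected one, which is how the plaintext Sub3 appears in the listing above. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# audit_encroot EXPECTED_ROOT
# Reads "name<TAB>encryptionroot" lines (the format of
# `zfs list -H -o name,encryptionroot`) on stdin and prints every dataset
# whose encryption root is not EXPECTED_ROOT. "-" means unencrypted.
# Exit status: 0 = all datasets under the expected root, 1 = findings.
audit_encroot() {
    awk -F '\t' -v want="$1" '
        BEGIN { bad = 0 }
        NF < 2 { next }                      # ignore blank or malformed lines
        $2 != want {
            reason = ($2 == "-") ? "UNENCRYPTED" : "FOREIGN_ROOT"
            print $1 "\t" $2 "\t" reason
            bad = 1
        }
        END { exit bad }
    '
}

# audit_pool POOL: run the check against a live pool.
# Returns 2 if `zfs list` itself fails, so an unreadable pool is never
# reported as clean.
audit_pool() {
    listing=$(zfs list -H -t filesystem -r -o name,encryptionroot "$1") || return 2
    printf '%s\n' "$listing" | audit_encroot "$1"
}

# Constructed sample that mirrors the destination listing posted above.
sample_listing() {
    printf '%s\t%s\n' \
        Backup Backup \
        Backup/Backup Backup \
        Backup/Backup/Sub1 Backup \
        Backup/Backup/Sub2 Backup \
        Backup/Backup/Sub3 -
}

# Demo on the sample; on a real system call: audit_pool Backup
sample_listing | audit_encroot Backup ||
    echo "backup contains datasets outside the encryption root" >&2
```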
 
Joined
Oct 22, 2019
Messages
3,641
The problem with the GUI is that it's not clear what's "really" happening.

You might have to enter encryption for the "Properties Override" and "Properties Exclude" fields. Though, the documentation is not clear if they can work with encryption.


Apparently, the first time you ever ran this task, it had the newly created datasets (on the destination) inherit the encryptionroot of "Backup".


However, the GUI isn't so graceful when you add more child datasets into the mix of an existing task. Technically, you shouldn't even be able to send anything to the target if "Backup" is locked. (Since you're not using a "raw stream".)


You may have to use the command-line to send over the "Sub3" dataset, forcing it to inherit the encryptionroot property of "Backup". But now you're getting into precarious territory.
 
Joined
Oct 22, 2019
Messages
3,641
Assuming "Sub3" no longer exists on the target pool.

As the root user.

Make a checkpoint for both pools.
Code:
zpool checkpoint Main
zpool checkpoint Backup


Confirm that there is a size listed under the "SIZE" column for the pools in question.
Code:
zpool get checkpoint


Do not save or work on anything during this. Do not create new files. Do not edit any files. You will lose them if you end up having to rewind to a checkpoint.


If it's a large initial transfer, you might want to use "tmux" to run it in a background session that you can exit without terminating the process.
Code:
tmux new


Then send it over, excluding the encryption property, and tell the destination to inherit the property from its parent.
Code:
zfs send -v -R Main/Sub3@nameoflatestsnap_2023-10-01 | zfs recv -v -s -x encryption Backup/Backup/Sub3


Change @nameoflatestsnap_2023-10-01 to whatever is the most recent snapshot's name.

You can use CTRL + B and then press D to leave a tmux session. To re-enter the session, use the tmux attach command.

If it completes, and everything looks good, you can delete the checkpoints and make sure they're gone. (They should have an empty field under the "SIZE" column).
Code:
zpool checkpoint -d Main
zpool checkpoint -d Backup
zpool get checkpoint

I hold no responsibility for any damages... proceed with utmost caution. :oops:
 

infinitytec

Thanks, and you're right. That does seem a bit scary for sure!
 
Joined
Oct 22, 2019
Messages
3,641
Do not save or work on anything during this. Do not create new files. Do not edit any files. You will lose them if you end up having to rewind to a checkpoint.

For the sake of sanity and safety, I should clear up the warning.

It should read "after this step". To reiterate that anything you do after a checkpoint's creation will be permanently lost if you have to rewind to a checkpoint. That's why after you create a checkpoint, you should not do anything with your files, shares, edits, downloads. Nothing.



If it completes, and everything looks good, you can delete the checkpoints and make sure they're gone.

I should also add that it might be wise to make sure a subsequent replication will indeed work, before you destroy the checkpoints. So perhaps by creating a handful of phony files, and then allowing the snapshot task + replication to run, and see if it works as expected.
 

infinitytec

Ah, I think I figured it out!

In the interest of preserving the timeless Internet tradition, I shall let everyone know I found the solution without stating what it is.

Just kidding, I will share what I have discovered.


What MIGHT have helped (but is not all I did):
[Attached image: 1697515828046.png]

I unchecked Full Filesystem Replication but left Include Dataset Properties checked.

What MOST LIKELY did the trick:
[Attached image: 1697515909429.png]

I selected Encryption and then selected Inherit Encryption. It looks like this was just added in 22.12.4: https://www.truenas.com/community/threads/truenas-scale-bluefin-22-12-4-is-now-available.113180/


I then deleted all of the snapshots for the unencrypted dataset from the backup pool and then deleted the dataset. I am currently running the replication again and the dataset has been recreated with encryption inherited!


I've turned full filesystem replication back on for testing.
 