Switched to encrypted datasets, resume incremental replication to existing backup?

q/pa

Explorer
Joined
Mar 16, 2015
Messages
64
Hi,

I am trying to wrap my head around what will happen to my existing backup after switching from GELI to native ZFS encryption.

My setup:
  • TrueNAS Core w/ 1 pool "datapool1" containing 3 datasets
  • GhostBSD (FreeBSD) computer with mirrored backup pool "backup1" (encryption feature available but not enabled)
  • Manual incremental replication of all 3 datasets from datapool1 to backup1 via ssh

This is what I did/will do:

1. Removed GELI encryption
2. Rename original datasets into temp. datasets; make recursive snapshots of renamed temp. datasets
3. Create new encrypted "original" datasets
4. send (full replication) / receive with -x encryption of temp. dataset snapshots to new encrypted datasets

The big question is, can I just resume my old incremental replication and what are my options? The best result would be to be able to do raw encrypted sends to my existing backup turning it into an encrypted backup which I would have to decrypt to check replication results from time to time.

In case there is no chance to further use my old backup I would do the following:
1. split the backup mirrored pool into backup1 and backup2
2. do a complete new full replication (encrypted raw) on backup1
3. triple check that everything worked as expected
4. attach pool backup2 to backup1, copying everything to the newly attached drive (deleting the old backup2)
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
You could not have been replicating anything other than data in the clear with GELI, so forget that part.

With effectively completely new datasets, you're going to need to start again from scratch, incremental updates would be nonsense.
 

q/pa

Even if the new datasets carry the original names?

If I still have to start my backup again from scratch, would you recommend to do as I suggested (split old backup etc.)?
 
Joined
Oct 22, 2019
Messages
3,641
In the "eyes" of ZFS, GELI is plain, non-encrypted. So from its perspective, you never had any encrypted datasets.

From what I read, backup1 was never encrypted with ZFS.

If newpool (TrueNAS) now has natively encrypted datasets, and you wish to replicate them to backup1, unfortunately, you cannot continue to use your existing backup1 (and its snapshots) for an incremental replication. You'd need to start all over with full replication.

EDIT: Ohhhhhhh! I might have read your post incorrectly!

Are you planning to keep backup1 "as is" (non-encrypted)? If so, then yes it's possible.

You'd first do a full replication from backup1 to newpool (which is now encrypted; using -x for the incoming datasets/snapshots to inherit encryption on the receiving end). Then you'd be back in business, and you can continue to do incremental replications from newpool to backup1.
 

q/pa

Correct, backup1 never was encrypted. But I'd like it to be from now on. That means I am going to do an all new (raw) full replication.
 
Joined
Oct 22, 2019
Messages
3,641
> Correct, backup1 never was encrypted. But I'd like it to be from now on. That means I am going to do an all new (raw) full replication.

Then yes, that's your only feasible option.

You can replicate everything (including all snapshots) from backup1 to newpool, and let the incoming replication inherit the encryption properties of newpool's top-level root dataset; and then do the same in the other direction too, but this time as a "raw" stream, so that backup1 has encrypted datasets as well.

I use the "pseudo-root" method for this, which I've posted about in these forums. :cool: Saves me a headache, especially for future use and migration.
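
An added example, not part of any post in this thread: one way to do the "triple check" after the new full raw replication is to confirm that every source snapshot exists on the backup with the same GUID, which works without loading the key on the backup. The dataset name `docs`, the snapshot names, the GUIDs and the host name `backuphost` are assumptions made up for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): check that every source snapshot exists
# on the backup with the same GUID after a full raw replication.
# Lists are "name<TAB>guid" lines as printed by:
#   zfs list -H -t snapshot -o name,guid -r <dataset>

# tag_list TAG PREFIX: strip the pool prefix and tag each line as source (S) or backup (D)
tag_list() {
    awk -F '\t' -v t="$1" -v p="$2" 'NF == 2 {
        n = $1
        if (index(n, p) == 1) n = substr(n, length(p) + 1)
        print t "\t" n "\t" $2
    }'
}

# compare_snapshots SRC_LIST SRC_PREFIX DST_LIST DST_PREFIX
# Prints one line per problem; exit status 0 only when nothing is missing or mismatched.
compare_snapshots() {
    {
        printf '%s\n' "$3" | tag_list D "$4"   # backup entries are loaded first
        printf '%s\n' "$1" | tag_list S "$2"
    } | awk -F '\t' '
        $1 == "D"                  { guid[$2] = $3; next }
        !($2 in guid)              { print "MISSING " $2; bad = 1; next }
        (guid[$2] "") != ($3 "")   { print "GUID_MISMATCH " $2; bad = 1 }  # string compare: GUIDs are 64-bit
        END                        { exit bad + 0 }'
}

# Constructed sample data; "docs" and the GUIDs are made up for illustration.
SRC_SAMPLE=$(printf 'datapool1/docs@manual-1\t1001\ndatapool1/docs@manual-2\t1002\n')
DST_OK=$(printf 'backup1/docs@manual-1\t1001\nbackup1/docs@manual-2\t1002\n')
DST_BAD=$(printf 'backup1/docs@manual-1\t9999\n')

# Real use (hypothetical host name "backuphost"):
#   src=$(zfs list -H -t snapshot -o name,guid -r datapool1/docs)
#   dst=$(ssh backuphost zfs list -H -t snapshot -o name,guid -r backup1/docs)
#   compare_snapshots "$src" datapool1/ "$dst" backup1/
compare_snapshots "$SRC_SAMPLE" datapool1/ "$DST_OK" backup1/ && echo "backup complete"
```

On the backup, `zfs get -H -o value encryption backup1/docs` should also report a cipher rather than `off` once the raw stream has been received.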
 

q/pa

I will not destroy my pool and create a new one but only create three new encrypted datasets, meanwhile keeping my old data in the renamed original datasets as a second backup.
 