unencrypted snapshot on encrypted pool?

EtienneB

Explorer
Joined
Feb 19, 2018
Messages
78
Hello,

I am running TN 12 U5.1 and created an encrypted pool called backupexternal, which is just an external backup drive which I disconnect/reconnect regularly to back up datasets from the Tank pool.

I have done a replication task to copy data from my tank-pool to my backupexternal-pool. It copied all the existing snapshots too (as I would like).
The tank pool was created under FreeNAS 11, so old style and no encryption.

I am a bit confused here. Apologies if I have this totally wrong.
I watched the video of Lawrence Systems about replications. He doesn't have the Encryption in the Replication task screen checked, to prevent messing up encryption.

Under the CLI when backupexternal is LOCKED, I see nothing in there, just an empty folder. Under the GUI I do see the various datasets. Which looks strange to me, that there is a discrepancy. This is normal?

However, the important part here is, while the backupexternal pool is still locked, I can see the snapshots of the datasets.
I can even clone the snapshot to a new dataset too on backupexternal.
For me the weird part is, in the CLI I can then see the contents of the restored snapshot.
So, I can't see the dataset itself but I can see the cloned snapshot of it.
Is this normal behaviour?

So I should turn on snapshot encryption in the replication task to prevent this?

I suppose when I create a new encrypted Tank pool (Truenas style) and perhaps individual dataset encryption too, the snapshots will then also be encrypted on the backupexternal pool and be unable to be restored?
Thanks for any explanation.
 
Joined
Oct 22, 2019
Messages
3,641
> Under the CLI when backupexternal is LOCKED, I see nothing in there, just an empty folder. Under the GUI I do see the various datasets. Which looks strange to me, that there is a discrepancy. This is normal?
ZFS native encryption does not encrypt/hide ZFS metadata, which includes dataset names, snapshot names, used space, free space, etc.

> For me the weird part is, in the CLI I can then see the contents of the restored snapshot.
Can you elaborate on this?

---

How did you replicate the snapshots over? Was the destination unlocked? What type of padlock icon do you see on the destination?

---


> It copied all the existing snapshots too (as I would like)
That won't happen with future incremental replications. See this bug, and how it won't be fixed for TrueNAS CORE (and possibly only SCALE will receive the fix.)


 

EtienneB

> ZFS native encryption does not encrypt/hide ZFS metadata, which includes dataset names, snapshot names, used space, free space, etc.
I read that indeed somewhere, but didn't realize that the CLI does NOT show and the GUI does show it. Thanks.

> Can you elaborate on this?
With the pool locked, I can still clone a dataset from my locked backupexternal pool and see/edit/use the files in the CLI. The clone folder is the only folder then visible in the CLI. The dataset itself is not.

> How did you replicate the snapshots over? Was the destination unlocked? Do you see an open padlock icon on the destination?
The destination was unlocked and I did an advanced replication, so I could use the existing snapshot tasks. Else it creates its own 2 week task and does not copy over the existing snapshots.

> That won't happen with future incremental replications. See this bug, and how it won't be fixed for TrueNAS CORE (and possibly only SCALE will receive the fix.)

I will have a look. Thanks.
 

EtienneB

To clarify further, I use a passphrase, so no accidental unlocking with a stored key to unlock the external drive.
 
Joined
Oct 22, 2019
Messages
3,641
> With the pool locked, I can still clone a dataset from my locked backupexternal pool and see/edit/use the files in the CLI. The clone folder is the only folder then visible in the CLI. The dataset itself is not.
If the dataset(s) is locked, it cannot be mounted, and thus you cannot view nor edit any files within.

What is the output of
zfs list -r -o name,encryption,encryptionroot backupexternal

Use the applicable "pool" (root dataset) name, and hide/filter any names you see fit.
 

EtienneB

The output is:
Code:
zfs list -r -o name,encryption,encryptionroot backupexternal
NAME                                                ENCRYPTION   ENCROOT
backupexternal                                      aes-256-gcm  backupexternal
backupexternal/diana                                off          -
backupexternal/diana-auto-20200608.0100-100y-clone  off          -
backupexternal/etienne                              off          -


Under the GUI the backupexternal pool still has a locked padlock icon.

Something else weird just happened: I ran a replication task on /tank/etienne and now backupexternal/etienne is also visible and editable under the CLI.
backupexternal/diana is not visible nor accessible in the CLI......
 
Joined
Oct 22, 2019
Messages
3,641
> backupexternal/diana off -
> backupexternal/etienne off -

Your datasets (backupexternal/diana and backupexternal/etienne) are not encrypted. Only the top-level root dataset (backupexternal) is.
 

EtienneB

Doesn't that nullify the pool encryption that I turned on upon creation of the pool? (With the popup that all data is safe and you can discard the drive without wiping it).
The fact remains that the CLI does not show all datasets, while all are then supposed to be unencrypted....?
 
Joined
Oct 22, 2019
Messages
3,641
There's a misnomer with "pool" encryption when it comes to OpenZFS and native ZFS encryption. Pools are not encrypted; datasets are. The top-level root dataset happens to have the same name as the pool, which can, and often does, cause confusion. (I think the wording used throughout TrueNAS and ZFS in general can lead users to the wrong assumptions. I don't blame them, as I think it's ambiguously worded.) :confused:

During the creation of a new pool, the TrueNAS GUI offers an "Encryption" option. What this really does is encrypt the top-level root dataset. The children beneath can either (1) inherit this, (2) be encrypted with their own passphrase/keystring, or (3) be non-encrypted.

By default, creating a child dataset will check the box to inherit the parent's "Encryption properties", which essentially adopts it under an encryptionroot.
 

EtienneB

That would suggest that in the Advanced Replication task I should turn on encryption and then use perhaps the same passphrase of the root folder?
Thanks for helping out so far.
 
Joined
Oct 22, 2019
Messages
3,641
I don't use the GUI because of the limitations that are unlikely to be resolved. We're just meager little end-users, whereas the real drivers are the enterprise customers. o_O Woe are we!

Basically, selecting "Encryption" upon creating your backupexternal pool is symbolism, since even leaving it "Non-Encrypted" wouldn't matter in the case of your replicated datasets/snapshots.

> That would suggest that in the Advanced Replication task I should turn on encryption and then use perhaps the same passphrase of the root folder?

You mean the root dataset? ("Folder" is not a ZFS term.) :wink:

It wouldn't matter if you use the same passphrase (which you can, and would be easier for you to remember anyways), since those replicated datasets will not be inheriting the encryption properties of the root dataset. You'd have to unlock them separately, even with the same passphrase.

When you go to unlock everything, rather than unlocking only backupexternal, you would have to unlock backupexternal, backupexternal/diana, and backupexternal/etienne by typing in the same passphrase three times. (One for each encryptionroot, and in this case you have three encryptionroots.)
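
Added example, not part of the original posts and not TrueNAS code: a small audit of the `zfs list` output discussed above that flags datasets stored in plaintext and counts the distinct encryption roots, each of which needs its own unlock. The function names and the second sample listing are constructed for illustration; the first sample mirrors the listing posted in this thread.

```shell
#!/bin/sh
# Reads tab-separated "name<TAB>encryption<TAB>encryptionroot" rows on stdin,
# i.e. the output of:
#   zfs list -H -r -o name,encryption,encryptionroot <pool>
# Prints one PLAINTEXT row per unencrypted dataset, one ENCROOT row per
# distinct encryption root, then a SUMMARY row.
audit_encryption() {
    awk -F '\t' '
        $2 == "off"              { print "PLAINTEXT\t" $1; plain++; next }
        $3 != "-" && !seen[$3]++ { print "ENCROOT\t" $3; roots++ }
        END { printf "SUMMARY\tplaintext=%d\tencroots=%d\n", plain, roots }
    '
}

# Constructed sample: the listing from this thread in -H (tab-separated) form.
thread_listing() {
    printf 'backupexternal\taes-256-gcm\tbackupexternal\n'
    printf 'backupexternal/diana\toff\t-\n'
    printf 'backupexternal/diana-auto-20200608.0100-100y-clone\toff\t-\n'
    printf 'backupexternal/etienne\toff\t-\n'
}

# Constructed sample: replicated datasets encrypted as their own roots,
# so three separate unlocks are needed even with one shared passphrase.
separate_roots_listing() {
    printf 'backupexternal\taes-256-gcm\tbackupexternal\n'
    printf 'backupexternal/diana\taes-256-gcm\tbackupexternal/diana\n'
    printf 'backupexternal/etienne\taes-256-gcm\tbackupexternal/etienne\n'
}

# Stand-alone run on the thread's listing. On a live system, pipe the
# zfs command shown in the header comment into audit_encryption instead.
thread_listing | audit_encryption
```

Any PLAINTEXT row on a drive that leaves the building means that dataset is readable without the passphrase, regardless of the padlock shown on the root dataset.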
 
Joined
Oct 22, 2019
Messages
3,641
> Doesn't that nullify the pool encryption that I turned on upon creation of the pool? (With the popup that all data is safe and you can discard the drive without wiping it).


Oh wow, they really do need to update the wording! :oops: It's not really "deceptive" but it's a misleading "half-truth".

TrueNAS CORE GUI said:
> This type of encryption is for users storing sensitive data. Encrypted disks can be removed from the pool and reused or disposed of without being erased.

The term "encrypted disks" is old language. TrueNAS CORE does not use GELI encryption (on the disks themselves) upon creating a new pool. It only uses native ZFS encryption. The only support for GELI is to allow the importing of pools created with FreeNAS 11.3 and earlier.

I'll submit a bug report. That type of language can really mislead users.
 

EtienneB

Thanks, well explained too.
Misleading at best indeed the wording that is :smile:. So if the drive gets lost (stolen or whatever), then all is still accessible.

I will experiment some more with encryption. I think I will create a new tank pool with ZFS encryption and then replicate that/those datasets as being the safest/best solution here.
 