You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
cannot send nvme1/[email protected]: encrypted dataset nvme1/vm-7002-disk-0 may not be sent with properties without the raw flag
From the man pages: "If the -R flag is used to send encrypted datasets, then -w must also be specified."
the -w (raw) flag is equivalent to adding -Lec, which is large block, embed, and compression respectively.
It's not immediately obvious to me how to go about this generally. Adding the w flag gets the data copied but the receiving system won't have the key without extra steps. Removing the R flag seems worse. Simply sending the key too is not quite right; a typical zfs encryption setup will have the VM's volumes inheriting encryption settings from the containing dataset and it'd be odd if that wasn't true for a migrated VM.
It looks like this would be possible, at least in my setup, by running zfs change-key on the source dataset to break the inheritance and setting a temporary key, doing a raw send, loading temp keys for the dataset over ssh, and then running zfs change-key -i on both to have the dataset resume inheriting keys from the parent. This would be security-equivalent to just piping the raw decrypted data over SSH, but you'd get all the ZFS snapshots and nice-to-haves intact - plus it'd send compressed.
The text was updated successfully, but these errors were encountered:
cannot send nvme1/[email protected]: encrypted dataset nvme1/vm-7002-disk-0 may not be sent with properties without the raw flagFrom the man pages: "If the -R flag is used to send encrypted datasets, then -w must also be specified."
the -w (raw) flag is equivalent to adding -Lec, which is large block, embed, and compression respectively.
It's not immediately obvious to me how to go about this generally. Adding the w flag gets the data copied but the receiving system won't have the key without extra steps. Removing the R flag seems worse. Simply sending the key too is not quite right; a typical zfs encryption setup will have the VM's volumes inheriting encryption settings from the containing dataset and it'd be odd if that wasn't true for a migrated VM.
It looks like this would be possible, at least in my setup, by running zfs change-key on the source dataset to break the inheritance and setting a temporary key, doing a raw send, loading temp keys for the dataset over ssh, and then running
zfs change-key -ion both to have the dataset resume inheriting keys from the parent. This would be security-equivalent to just piping the raw decrypted data over SSH, but you'd get all the ZFS snapshots and nice-to-haves intact - plus it'd send compressed.The text was updated successfully, but these errors were encountered: