
I am on a journey of migrating a Windows/NTFS backup to Ubuntu and natively encrypted ZFS. As a Windows veteran with zero Linux experience, most guides seem like Greek to me. Successful progress so far:

  1. Installed OpenZFS via sudo apt-get install zfsutils-linux
  2. Created a raidz pool: sudo zpool create -f Backup raidz3 /dev/sda /dev/sdb etc...
  3. Installed Dolphin to locate the pool in /Backup
  4. Created a dataset inside the pool: sudo zfs create -o encryption=on -o keyformat=passphrase Backup/Backup

Here I am kind of stuck:

  1. The OS never asks for the pool/dataset password. All that is needed to mount is either sudo zfs mount Backup + root password, or logging in.
  2. What is the difference between a pool and a dataset? The pool created a ZFS file system for me.
  3. Is it possible to use the folder /Backup rather than /Backup/Backup? Is it recommended?
  4. What kind of (beginner friendly) maintenance routines would one run without risking messing it up? This ZFS setup is all about redundancy and bit-rot protection.

I have looked through several threads about this, but I am completely lost around the commands and variables. All help appreciated. :)

  • It would help those trying to help you if you could specify the "several threads" you have looked through so there is not duplication. – Charles Kenyon May 26 '21 at 18:10
  • A "_pool_" can be thought of as the array itself, or the collection of disks. A "_dataset_" is an independent box / filesystem on that pool, and can be hierarchical. Each pool has a dataset at its root. You've not provided a `keylocation` option, which means that it'll probably be inherited from the parent dataset, and in this situation it _should_ prompt you... what does `zfs get -r keylocation Backup` show? ([ref](https://wiki.archlinux.org/title/ZFS#Native_encryption)) – Attie May 27 '21 at 08:55
  • @T.Smoerti - Edit your question instead of submitting commentary – Ramhound May 27 '21 at 14:47

1 Answer


What you did looks all correct. If I understand correctly, your only problem is that you don’t have to enter a password to mount the encrypted dataset.

Did you reboot yet?

ZFS keeps dataset keys in memory indefinitely, until you unload them or export the pool. You can use the zfs unload-key command to explicitly unload the key of a dataset:

zfs unload-key tank/my/dataset

This command only works with unmounted datasets. You will then find that zfs mount no longer works. You need to issue a zfs load-key command first.

If you want a pool with an encrypted root dataset, you can create it like this:

zpool create -O encryption=on -O keyformat=passphrase mypool /dev/disk/by-id/…

When you import this pool, the root dataset will be unmounted until you do zfs load-key, zfs mount.

Encrypting a dataset after creation involves zfs send and zfs receive. If you can, create a new encrypted dataset instead. Much less of a hassle.

Daniel B
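The answer's point is that an encrypted dataset stays mountable without a passphrase for as long as its key is loaded, and the comment suggests checking `keylocation`. The script below is an added example, not part of Daniel B's answer or the questioner's setup: it turns the real `zfs get -H -r -o name,property,value keystatus,keylocation` output into a short audit of which encrypted datasets currently have their key in memory, which of them would be unlocked automatically because the key lives in a file, and a helper that unmounts and unloads the loaded ones. The `SAMPLE` captures are constructed to match the questioner's `Backup/Backup` layout, not taken from the page.

```sh
#!/bin/sh
# Added example (not from the Super User answer): audit the encryption state of
# every dataset under a pool, the way you would after a reboot to confirm that
# nothing is mountable without a passphrase.
# Assumes OpenZFS on Linux; `zfs get -H` emits tab-separated columns.

# Filter: read `zfs get -H -r -o name,property,value keystatus,keylocation`
# output on stdin, print "dataset<TAB>keystatus<TAB>keylocation" for every
# encrypted dataset.  Unencrypted datasets report keystatus "-" and are dropped.
summarize_keys() {
    awk -F'\t' '
        $2 == "keystatus"   { status[$1] = $3 }
        $2 == "keylocation" { loc[$1]    = $3 }
        END {
            for (ds in status)
                if (status[ds] != "-" && status[ds] != "none")
                    printf "%s\t%s\t%s\n", ds, status[ds], loc[ds]
        }' | sort
}

# Encrypted datasets whose key is currently loaded: these mount without any
# prompt, and are the ones `zfs unload-key` would lock again.
loaded_datasets() {
    summarize_keys | awk -F'\t' '$2 == "available" { print $1 }'
}

# Encrypted datasets whose key is read from a file on disk rather than
# prompted for; `zfs load-key` (or `zfs mount -l`) unlocks these silently.
file_keyed_datasets() {
    summarize_keys | awk -F'\t' 'index($3, "file://") == 1 { print $1 }'
}

# Lock the dataset names read on stdin.  unload-key refuses a mounted dataset,
# so unmount first; a failed unmount (dataset busy) leaves the key loaded.
lock_datasets() {
    while read -r ds; do
        zfs unmount "$ds" && zfs unload-key "$ds"
    done
}

# Constructed capture (not from the page): state right after the questioner's
# steps, root dataset unencrypted, Backup/Backup encrypted with key in memory.
SAMPLE=$(printf 'Backup\tkeystatus\t-\nBackup\tkeylocation\tnone\nBackup/Backup\tkeystatus\tavailable\nBackup/Backup\tkeylocation\tprompt\n')

# Constructed capture: same pool after a reboot, plus a hypothetical dataset
# Backup/Auto whose key is a file, so it is loaded without a prompt.
SAMPLE_AFTER_REBOOT=$(printf 'Backup\tkeystatus\t-\nBackup\tkeylocation\tnone\nBackup/Backup\tkeystatus\tunavailable\nBackup/Backup\tkeylocation\tprompt\nBackup/Auto\tkeystatus\tavailable\nBackup/Auto\tkeylocation\tfile:///root/backup.key\n')

# Live usage (run as root), e.g. for the questioner's pool:
#   zfs get -H -r -o name,property,value keystatus,keylocation Backup | summarize_keys
#   zfs get -H -r -o name,property,value keystatus,keylocation Backup | loaded_datasets | lock_datasets
```

After `lock_datasets`, `zfs mount Backup/Backup` fails until `zfs load-key Backup/Backup` is run and the passphrase entered, which is the behaviour the questioner expected from the start. Anything listed by `file_keyed_datasets` needs a deliberate decision: a key file on the same machine means the data is protected only while that file is.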