by radious_co
2037 days ago
Yup. I believe ZFS supports sending incremental snapshots without having the decryption key. However, it becomes a pain-in-the-ass if you have recursive snapshots where only some of the datasets are encrypted. I think... in order to accomplish this, you need to send separate batches of snapshots... one for each set of encrypted vs. decrypted. E.g.

    /zpool/tmp # not encrypted
    /zpool/home/someone # not encrypted
    /zpool/home/someone/thunderbird # encrypted

    $ zfs snapshot -r zpool@today
    # this will probably bork
    $ zfs send -v -w -R -I zpool@yesterday zpool@today | ...
    # but this will work
    $ zfs send -v -R -I zpool/tmp@yesterday zpool/tmp@today | ...
    $ zfs send -v -R -I zpool/home/someone@yesterday zpool/home/someone@today | ...
    $ zfs send -v -w -R -I zpool/home/someone/thunderbird@yesterday zpool/home/someone/thunderbird@today | ...

NOTE: I haven't fully explored this. But from experience, loading the key on the remote solves a lot of problems. The most important feature of encryption for us is encryption-at-rest. I just want to pull the AC plug and ensure that the data is protected.
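The batching idea from the comment above, as an added example that is not part of the original post: it reads each dataset's `encryption` property and prints one incremental send per dataset, raw (`-w`) only where encryption is on. The function names `sample_props` and `plan_sends` are hypothetical, the input is a constructed stand-in for `zfs get -H -r -o name,value encryption zpool`, and sending per dataset without `-R` is an assumption that goes beyond the comment.

```shell
#!/bin/sh
# Added example: plan raw vs. non-raw incremental sends per dataset.
# It only prints the commands; nothing is sent.

# Constructed sample of `zfs get -H -r -o name,value encryption zpool`
# output (tab-separated: dataset name, encryption property value).
sample_props() {
    printf 'zpool\toff\n'
    printf 'zpool/tmp\toff\n'
    printf 'zpool/home\toff\n'
    printf 'zpool/home/someone\toff\n'
    printf 'zpool/home/someone/thunderbird\taes-256-gcm\n'
}

# plan_sends FROM TO
# Reads "name<TAB>encryption" lines on stdin and prints one non-recursive
# incremental send per dataset. Encrypted datasets get -w so the stream
# stays encrypted and the sender needs no loaded key; the rest are sent
# normally. No -R is used, so one stream never mixes both kinds.
plan_sends() {
    from=$1
    to=$2
    tab=$(printf '\t')
    while IFS="$tab" read -r name enc; do
        [ -n "$name" ] || continue
        case $enc in
            off) flags='-v' ;;      # unencrypted dataset: plain send
            *)   flags='-v -w' ;;   # any cipher value: raw send
        esac
        printf 'zfs send %s -I %s@%s %s@%s\n' \
            "$flags" "$name" "$from" "$name" "$to"
    done
}

# Print the plan for the constructed pool layout.
sample_props | plan_sends yesterday today
```

On a real pool, replace `sample_props` with the `zfs get` command named above and append the receive side of the pipeline to each printed line.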