Closed sstallion closed 1 month ago
If you use --encrypt, it's already filtering these properties:
https://github.com/psy0rz/zfs_autobackup/blob/master/zfs_autobackup/ZfsDataset.py#L1163
So you only have to set these properties on time at the parent dataset at the target, I think?
Or not specify --encrypt and set/filter stuff yourself.
Thanks! These datasets are received by rsync.net, so they're sent using raw mode so I don't need to keep keys on an untrusted machine. Encryption properties aren't inheritable as far as I can tell. I was hoping that using --set-properties keylocation=prompt would do the trick, but this seems to be ignored. After the transfer, the original value for keylocation is set. I can override this manually, but it has to be done each time a new dataset is created.
Also --set-properties doesn't function for new datasets? I'll take a look later.
Can you copypaste the redacted commandline?
> Also --set-properties doesn't function for new datasets? I'll take a look later.
Other properties are being set as expected, it's just keylocation that seems to be ignored.
> Can you copypaste the redacted commandline?
Sure thing:
# zfs-autobackup \
--verbose \
--allow-empty \
--filter-properties refreservation \
--set-properties "canmount=noauto,keylocation=prompt,mountpoint=none,readonly=on" \
--ssh-target="<target>" \
--keep-source="1,1d1w,1w1m,1m1y,1y10y" \
--keep-target="1,1d1w,1w1m,1m1y,1y10y" \
--snapshot_format="{}-%Y-%m-%d-%H:%M:%S" \
<name> <path>
Hmm, could you run it with --debug and show us the actual zfs send and zfs recv commands it's using?
I was looking through my zfsprops on rsync.net today and noticed that keylocation does not seem to support filtering or being set explicitly. My datasets at rest use a file key keylocation=file:///etc/zfs/zfs.key, but when I back them up I would like to set keylocation=prompt to avoid leaking the key location and to make it easier to restore to a system that does not have access to the key file. I've tried using --filter-properties keylocation and --set-properties keylocation=prompt without success. I'd appreciate any thoughts on this!
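
One way to catch raw-received datasets that still carry the source's keylocation, so the manual override mentioned in the thread is not missed for new datasets. This is an added example, not code from zfs-autobackup or from anyone in the thread; the function names and the `data1/backup` dataset names are hypothetical, and it assumes the manual override is `zfs set keylocation=prompt` on each received encryption root.

```shell
#!/usr/bin/env bash
# Added example. Input is the tab-separated output of (run on the target):
#   zfs get -H -r -t filesystem,volume -o name,property,value \
#       keylocation,encryptionroot <parent>

# Print every dataset that is its own encryption root and whose
# keylocation is anything other than "prompt".
stale_keylocation_roots() {
  awk -F '\t' '
    $2 == "keylocation"    { loc[$1]  = $3 }
    $2 == "encryptionroot" { root[$1] = $3 }
    END {
      for (ds in loc)
        # Unencrypted datasets report encryptionroot "-", and children
        # report their parent root, so both are skipped here.
        if (root[ds] == ds && loc[ds] != "prompt")
          print ds
    }' | sort
}

# Constructed sample of `zfs get` output, not real data.
sample_props() {
  printf 'data1/backup\tkeylocation\tnone\n'
  printf 'data1/backup\tencryptionroot\t-\n'
  printf 'data1/backup/home\tkeylocation\tfile:///etc/zfs/zfs.key\n'
  printf 'data1/backup/home\tencryptionroot\tdata1/backup/home\n'
  printf 'data1/backup/home/user\tkeylocation\tnone\n'
  printf 'data1/backup/home/user\tencryptionroot\tdata1/backup/home\n'
  printf 'data1/backup/vm\tkeylocation\tprompt\n'
  printf 'data1/backup/vm\tencryptionroot\tdata1/backup/vm\n'
}

# Apply the override to each flagged dataset (reads names from stdin).
apply_prompt_keylocation() {
  while IFS= read -r ds; do
    zfs set keylocation=prompt "$ds"
  done
}
```

Running `sample_props | stale_keylocation_roots` lists only `data1/backup/home`; on a real target, pipe the `zfs get` output through `stale_keylocation_roots` after each backup run and review the list before passing it to `apply_prompt_keylocation`.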