psy0rz / zfs_autobackup

ZFS autobackup is used to periodically back up ZFS filesystems to other locations. Easy to use and very reliable.
https://github.com/psy0rz/zfs_autobackup
GNU General Public License v3.0

Unable to filter or override keylocation #256

Closed sstallion closed 1 month ago

sstallion commented 2 months ago

I was looking through my zfsprops on rsync.net today and noticed that keylocation does not seem to support filtering or being set explicitly. My datasets at rest use a file key keylocation=file:///etc/zfs/zfs.key, but when I back them up I would like to set keylocation=prompt to avoid leaking the key location and to make it easier to restore to a system that does not have access to the key file.

I've tried using --filter-properties keylocation and --set-properties keylocation=prompt without success. I'd appreciate any thoughts on this!

psy0rz commented 2 months ago

If you use --encrypt, it's already filtering these properties:

https://github.com/psy0rz/zfs_autobackup/blob/master/zfs_autobackup/ZfsDataset.py#L1163

So you only have to set these properties one time at the parent dataset at the target, I think?

Or not specify --encrypt and set/filter stuff yourself.

sstallion commented 2 months ago

Thanks! These datasets are received by rsync.net, so they're sent using raw mode so I don't need to keep keys on an untrusted machine. Encryption properties aren't inheritable as far as I can tell. I was hoping that using --set-properties keylocation=prompt would do the trick, but this seems to be ignored. After the transfer, the original value for keylocation is set. I can override this manually, but it has to be done each time a new dataset is created.
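The manual override described in the comment above can be scripted on the receiving host. This is an added example, not part of the thread and not zfs-autobackup code; the function names, the `backup/host` dataset names and the sample property listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: find received encryption roots whose keylocation still
# carries the source's value and reset them to "prompt".

# Reads tab-separated `zfs get -H -o name,property,value` lines on stdin and
# prints every dataset that is its own encryption root and whose keylocation
# is not "prompt". keylocation can only be set on an encryption root, so
# children and unencrypted datasets are skipped.
roots_needing_prompt() {
    awk -F '\t' '
        $2 == "encryptionroot" { root[$1] = $3 }
        $2 == "keylocation"    { loc[$1]  = $3 }
        END {
            for (ds in root)
                if (root[ds] == ds && loc[ds] != "prompt")
                    print ds
        }' | LC_ALL=C sort
}

# Constructed sample of what a target could report after a raw receive.
sample_props() {
    printf 'backup/host\tencryptionroot\t-\n'
    printf 'backup/host\tkeylocation\tnone\n'
    printf 'backup/host/data\tencryptionroot\tbackup/host/data\n'
    printf 'backup/host/data\tkeylocation\tfile:///etc/zfs/zfs.key\n'
    printf 'backup/host/data/home\tencryptionroot\tbackup/host/data\n'
    printf 'backup/host/data/home\tkeylocation\tnone\n'
    printf 'backup/host/vm\tencryptionroot\tbackup/host/vm\n'
    printf 'backup/host/vm\tkeylocation\tfile:///etc/zfs/zfs.key\n'
    printf 'backup/host/done\tencryptionroot\tbackup/host/done\n'
    printf 'backup/host/done\tkeylocation\tprompt\n'
}

# Hypothetical wrapper for the real system: pass the parent dataset that
# receives the backups. Not called here, so the block runs without ZFS.
fix_keylocation() {
    zfs get -H -r -t filesystem,volume -o name,property,value \
        keylocation,encryptionroot "$1" |
        roots_needing_prompt |
        while IFS= read -r ds; do
            zfs set keylocation=prompt "$ds"
        done
}

# Offline demonstration on the constructed sample.
sample_props | roots_needing_prompt
```

Running `fix_keylocation` after each backup run covers newly created datasets as well, since it re-reads the properties every time.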

psy0rz commented 2 months ago

Also --set-properties doesn't function for new datasets? I'll take a look later.

Can you copypaste the redacted commandline?

sstallion commented 2 months ago

> Also --set-properties doesn't function for new datasets? I'll take a look later.

Other properties are being set as expected, it's just keylocation that seems to be ignored.

> Can you copypaste the redacted commandline?

Sure thing:

```
# zfs-autobackup \
        --verbose \
        --allow-empty \
        --filter-properties refreservation \
        --set-properties "canmount=noauto,keylocation=prompt,mountpoint=none,readonly=on" \
        --ssh-target="<target>" \
        --keep-source="1,1d1w,1w1m,1m1y,1y10y" \
        --keep-target="1,1d1w,1w1m,1m1y,1y10y" \
        --snapshot_format="{}-%Y-%m-%d-%H:%M:%S" \
        <name> <path>
```

psy0rz commented 2 months ago

Hmm, could you run it with --debug and show us the actual zfs send and zfs recv commands it's using?