zfs-replicate

Cannot replicate encrypted datasets

Open thenktor opened this issue 9 months ago • 0 comments

Hi,

when trying to replicate an encrypted dataset, it errors out:

Jul 31 08:41:22 zfs-replicate[16810]: sending snapshot cmd=/sbin/zfs send -Rs ozzy/encrypted/music@autorep-2025-07-31_1753944081 | /usr/bin/ssh lms /sbin/zfs receive -vFd rpool/music
Jul 31 08:41:22 zfs-replicate[16810]: cannot send ozzy/encrypted/music@autorep-2025-07-31_1753944081: encrypted dataset ozzy/encrypted/music may not be sent with properties without the raw flag
Jul 31 08:41:22 zfs-replicate[16810]: warning: cannot send 'ozzy/encrypted/music@autorep-2025-07-31_1753944081': backup failed

For encrypted datasets, the --raw/-w argument must be used when --replicate/-R is used:

For encrypted datasets, send data exactly as it exists on disk. This allows backups to be taken even if encryption keys are not currently loaded. The backup may then be received on an untrusted machine since that machine will not have the encryption keys to read the protected data or alter it without being detected. Upon being received, the dataset will have the same encryption keys as it did on the send side, although the keylocation property will be defaulted to prompt if not otherwise provided. For unencrypted datasets, this flag will be equivalent to -Lec. Note that if you do not use this flag for sending encrypted datasets, data will be sent unencrypted and may be re-encrypted with a different encryption key on the receiving system, which will disable the ability to do a raw send to that system for incrementals.

So the possible solutions may be:

  1. Always use --raw
  2. Check if source is encrypted and then use --raw
  3. Do a pseudo --replicate for encrypted datasets like Syncoid provides: https://github.com/jimsalterjrs/sanoid/blob/master/syncoid#L915 There, all properties are read from the source and then added to the destination via -o.

From Syncoid:

--preserve-properties Preserves locally set dataset properties similar to the zfs send -p flag but this one will also work for encrypted datasets in non raw sends

thenktor, Jul 31 '25 06:07
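
A sketch of option 2 from the issue above, added here as an example and not taken from zfs-replicate or Syncoid: it reads the `encryption` property and adds `w` (raw) to the `-Rs` flags seen in the log only when the source is encrypted. The function names and the `ZFS` override variable are assumptions made for this example; it also checks descendants, since `-R` sends the whole tree.

```shell
#!/bin/sh
# Added example: pick zfs send flags from the source's encryption property.
# ZFS is an assumed override for the zfs binary path (lets the logic be stubbed).
ZFS="${ZFS:-/sbin/zfs}"

# Print "yes" if the dataset or any descendant is encrypted, "no" otherwise.
# Returns non-zero if the property cannot be read (e.g. dataset missing).
is_encrypted_tree() {
    ds="${1%%@*}"    # strip a trailing @snapshot name
    vals=$("$ZFS" get -H -r -o value -t filesystem,volume encryption "$ds") || return 1
    for v in $vals; do
        case "$v" in
            off|-) ;;                  # unencrypted, or property not applicable
            *) echo yes; return 0 ;;   # on, aes-256-gcm, ...
        esac
    done
    echo no
}

# Print the flags for zfs send: -Rs as in the log, plus w (raw) when any
# dataset in the tree is encrypted. Fails closed if the check itself fails,
# so an encrypted tree is never sent non-raw by accident.
send_flags() {
    enc=$(is_encrypted_tree "$1") || return 1
    if [ "$enc" = yes ]; then
        echo "-Rsw"
    else
        echo "-Rs"
    fi
}
```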