I wanted to move from eCryptFS on top of a zfs dataset to a more standard and speedier encryption approach, which is native zfs encryption. Here is the process that I went through.
Process
- Ensure your backups are up to date!
- Upgrade the zpool
  - Ensure you are on a recent version of zfs and not zfs-fuse (see previous post)
  - sudo zpool upgrade storage
- Create the destination dataset
  - sudo zfs create -o encryption=aes-256-gcm -o keylocation=prompt -o keyformat=passphrase storage/new-encrypt
- Set/change the mount point (optional)
  - sudo zfs set mountpoint=/storage/new-encrypt storage/new-encrypt
- Move the files over
  - sudo rsync -avh --progress --remove-source-files /storage/encrypted/* /storage/new-encrypt/
  - -z / --compress is not needed and would slow down a local transfer
- Remove the leftover directories
  - sudo find /storage/encrypted/ -type d -empty -delete
- Verify no files are left:
  - ls -al /storage/encrypted
  - If any files exist then repeat the rsync
- Unmount the eCryptFS mount
  - sudo umount /storage/encrypted
- Remove/comment the entry from /etc/fstab
  - sudo vi /etc/fstab
- Unmount the zfs dataset
  - sudo zfs unmount storage/.encrypted
- Test destroying the zfs dataset
  - sudo zfs destroy -n storage/.encrypted
- Destroy the zfs dataset
  - sudo zfs destroy storage/.encrypted
- Change the name of new-encrypt
  - sudo zfs rename storage/new-encrypt storage/encrypted
- Update mountpoint (if required)
  - sudo zfs set mountpoint=/storage/encrypted storage/encrypted
If everything works then the new zfs native encrypted dataset slots right into where the old one was and all your samba shares should be fine.
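A pre-flight check for the rsync step above, as an added example that is not part of the original post: because --remove-source-files deletes each source file once it has been copied, the function confirms that the destination dataset is encrypted, unlocked and mounted before anything moves. The function name and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: gate for the "Move the files over" step.
# stdin: output of
#   zfs get -H -o property,value encryption,keyformat,keystatus,mounted DATASET
# (one "property<TAB>value" pair per line). $1: expected cipher (optional).
check_encrypted_target() {
    want=${1:-aes-256-gcm}      # cipher used in the post's zfs create
    enc='' fmt='' key='' mnt=''
    tab=$(printf '\t')
    while IFS=$tab read -r prop val; do
        case $prop in
            encryption) enc=$val ;;
            keyformat)  fmt=$val ;;
            keystatus)  key=$val ;;
            mounted)    mnt=$val ;;
        esac
    done
    rc=0
    if [ "$enc" != "$want" ]; then
        echo "FAIL: encryption is '${enc:-unknown}', expected '$want'" >&2; rc=1
    fi
    if [ "$fmt" != passphrase ]; then
        echo "FAIL: keyformat is '${fmt:-unknown}', expected 'passphrase'" >&2; rc=1
    fi
    if [ "$key" != available ]; then
        echo "FAIL: key not loaded (keystatus='${key:-unknown}')" >&2; rc=1
    fi
    if [ "$mnt" != yes ]; then
        # An unmounted dataset leaves a plain directory at the mountpoint,
        # so rsync would write outside the encrypted dataset.
        echo "FAIL: dataset not mounted (mounted='${mnt:-unknown}')" >&2; rc=1
    fi
    return $rc
}

# Constructed samples of `zfs get -H` output (not captured from a real pool).
SAMPLE_OK=$(printf 'encryption\taes-256-gcm\nkeyformat\tpassphrase\nkeystatus\tavailable\nmounted\tyes')
SAMPLE_LOCKED=$(printf 'encryption\taes-256-gcm\nkeyformat\tpassphrase\nkeystatus\tunavailable\nmounted\tno')
SAMPLE_PLAIN=$(printf 'encryption\toff\nkeyformat\tnone\nkeystatus\t-\nmounted\tyes')

# Live use (needs the pool from the post):
#   zfs get -H -o property,value encryption,keyformat,keystatus,mounted \
#       storage/new-encrypt | check_encrypted_target && echo "safe to rsync"
```

The locked sample models the state after a reboot with keylocation=prompt, where the key has not yet been entered with zfs load-key and the dataset is therefore not mounted.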