From d9c460a0b659c044d4397b7405712f2c9450d3c4 Mon Sep 17 00:00:00 2001
From: Tom Caputi
Date: Fri, 13 Oct 2017 13:09:04 -0400
Subject: Added encryption support for zfs recv -o / -x

One small integration that was absent from b52563 was support for zfs recv -o / -x with regard to encryption parameters. The main use cases of this are as follows:

* Receiving an unencrypted stream as encrypted without needing to create a "dummy" encrypted parent so that encryption can be inherited.
* Allowing users to change their keylocation on receive, so long as the receiving dataset is an encryption root.
* Allowing users to explicitly exclude or override the encryption property from an unencrypted properties stream, allowing it to be received as encrypted.
* Receiving a recursive hierarchy of unencrypted datasets, encrypting the top-level one and forcing all children to inherit the encryption.

Reviewed-by: Jorgen Lundman
Reviewed by: Matthew Ahrens
Reviewed-by: Brian Behlendorf
Reviewed-by: Richard Elling
Signed-off-by: Tom Caputi
Closes #7650

--- man/man8/zfs.8 | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) (limited to 'man/man8') diff --git a/man/man8/zfs.8 b/man/man8/zfs.8 index f1eed207f..e356fc196 100644 --- a/man/man8/zfs.8 +++ b/man/man8/zfs.8 
@@ -3912,6 +3912,34 @@ results if the same property is specified in multiple or .Fl x options. +.Pp +The +.Fl o +option may also be used to override encryption properties upon initial +receive. This allows unencrypted streams to be received as encrypted datasets. +To cause the received dataset (or root dataset of a recursive stream) to be +received as an encryption root, specify encryption properties in the same +manner as is required for +.Nm +.Cm create . +For instance: +.Bd -literal +# zfs send tank/test@snap1 | zfs recv -o encryption=on -o keyformat=passphrase -o keylocation=file:///path/to/keyfile +.Ed +.Pp +Note that +.Op Fl o Ar keylocation Ns = Ns Ar prompt +may not be specified here, since stdin is already being utilized for the send +stream. Once the receive has completed, you can use +.Nm +.Cm set +to change this setting after the fact. Similarly, you can receive a dataset as +an encrypted child by specifying +.Op Fl x Ar encryption +to force the property to be inherited. Overriding encryption properties (except +for +.Sy keylocation Ns ) +is not possible with raw send streams. .It Fl s If the receive is interrupted, save the partially received state, rather than deleting it. -- cgit v1.2.3
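Review bot: The example inside the .Bd -literal block ends at keylocation=file:///path/to/keyfile and never names a destination dataset, so the zfs recv command is incomplete as printed; add the target after the last -o option, and consider splitting the line with a trailing backslash since it runs well past 80 columns. The commit message limits changing keylocation on receive to the case where the receiving dataset is an encryption root, but the added text only mentions keylocation as the exception for raw send streams and never states that condition, so a sentence carrying it over would help. The sentence on ".Op Fl x Ar encryption" should also say that the property is inherited from the destination's parent, so the received dataset is only encrypted when that parent is.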