Questions about syncoid usage with encrypted datasets

[ovizii]

After reading the docs, this is the command I arrived at:

syncoid --recursive --compress lz4 root@xxx.xxx.xxx.xxx:sixer/Documents rpool/Documents

I would basically like to pull an encrypted dataset from that particular IP to an identical (not yet existing) local dataset. This should work whether the source has currently loaded the decryption key or not. The target dataset should be encrypted with the very same key.

Will this command do that? If not, is it possible? Any hints are welcome.

[phreaker0]

No, this command will decrypt everything on the sending side before it's sent to the target.
You want to lookup the "raw" flag which will do what you are looking for: https://openzfs.github.io/openzfs-docs/man/8/zfs-send.8.html#w

This should work:

syncoid --recursive --compress lz4 --sendoption=w root@xxx.xxx.xxx.xxx:sixer/Documents rpool/Documents

But this will break the encryptionroot on the receiving side.

[ovizii]

Thanks, that sounds just like what I was looking for. Would you mind explaining this sentence a little, I'm not quite sure what you meant.

But this will break the encryptionroot on the receiving side.

[ovizii]

You said it would send decrypted data if the encryption key was loaded so just out of curiosity, can you tell what would happen without the "--sendoption=w" option if the encryption key was not loaded on the source side?

[phreaker0]

All sub datasets of an encrypted dataset will by default inherit the encryption key, the one all the way up is the encryption root. If you send the datasets separately they each will become their own encryptionroot on the target if they are created there. So you would need to decrypt each dataset by it's own.

[phreaker0]

You wouldn't get an error if the key is not loaded because the data can't be decrypted.

[ovizii]

But this will break the encryptionroot on the receiving side.

I think I know what you meant. On the target side rpool has not got encryption enabled. There is however rpool/data-encrypted which has encryption enabled and so should rpool/Documents

[ovizii]

All sub datasets of an encrypted dataset will by default inherit the encryption key, the one all the way up is the encryption root. If you send the datasets separately they each will become their own encryptionroot on the target if they are created there. So you would need to decrypt each dataset by it's own.

Perfect! I just googled and checked my pools with:
zfs list -o name,encryption,keystatus,keyformat,keylocation,encryptionroot -t filesystem,volume -r rpool
and
zfs list -o name,encryption,keystatus,keyformat,keylocation,encryptionroot -t filesystem,volume -r sixer

I understood and noticed I have only a few encrypted datasets and they are all independent.

[ovizii]

@phreaker0 one last question: where did you find out about "--sendoption=w" as I can't see it mentioned anywhere on the wiki.

[phreaker0]

I implemented it :-) But yes README and wiki? is out of date for this one. You get a list of all options if you run syncoid withouth arguments.