Backing Up Encrypted ZFS Datasets

fef

New Member
Aug 26, 2022
Hello everyone!

I am currently setting up offsite backups to a PBS instance I don't own, so I want to use client-side encryption. My PVE runs on an encrypted ZFS root that it also uses for VM disks. Since ZFS supports exporting raw encrypted datasets without the key (i.e. zfs send -w), I was wondering whether and—if yes—how I can tell PVE to do that rather than decrypting and then re-encrypting them with a backup key. I couldn't find anything about this in the documentation, so I thought I'd just ask here.

Thanks!

P.S. Some more loosely related details that probably aren't relevant but won't hurt to mention either:
  • ashift=12 on both PVE and PBS
  • link between PVE and PBS goes through the public Internet and is not encrypted
  • ZFS pool on PVE consists of a mirror with 2 HDDs, PBS pool is just a single HDD
 
Hi,
that's not possible because PBS doesn't rely on ZFS encryption or zfs send, but uses its own implementation. That way, PBS can support encryption on all underlying storage types.
 
Also keep in mind that replication and migration won't work with encrypted datasets/zvols, as PVE can't handle ZFS encryption yet. You would then need to do the zfs send | zfs recv manually at the ZFS level without any of PVE's CLI/GUI stuff.
But PBS backups are working fine here with encrypted ZFS.
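
The manual zfs send | zfs recv route mentioned in the reply above, as an added example that is not part of the thread or of Proxmox's tooling: a raw (-w) replication that refuses unencrypted sources and confirms the target never has the key loaded. Using ssh as the transport and the dataset, snapshot and host names in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not PVE tooling. Dataset, snapshot and host names passed in
# are the caller's; ssh as transport is an assumption of this sketch.

# Fail unless DATASET uses native ZFS encryption: on an unencrypted dataset
# a raw send would put plaintext blocks on the wire.
require_encrypted() {
    enc=$(zfs get -H -o value encryption "$1") || return 1
    if [ "$enc" = "off" ]; then
        echo "$1 is not encrypted, refusing raw send" >&2
        return 1
    fi
}

# replicate_raw SRC NEW_SNAP PREV_SNAP HOST DST
# PREV_SNAP may be "" for the initial full send.
replicate_raw() {
    src=$1 new=$2 prev=$3 host=$4 dst=$5
    require_encrypted "$src" || return 1
    zfs snapshot "$src@$new" || return 1
    # send -w: ship blocks exactly as stored (still encrypted)
    # recv -u: do not try to mount the received dataset on the target
    if [ -n "$prev" ]; then
        zfs send -w -i "@$prev" "$src@$new"
    else
        zfs send -w "$src@$new"
    fi | ssh "$host" zfs recv -u "$dst" || return 1
    # The target should hold ciphertext only: its key must not be loaded.
    ks=$(ssh "$host" zfs get -H -o value keystatus "$dst" </dev/null) || return 1
    if [ "$ks" != "unavailable" ]; then
        echo "keystatus on $host is '$ks', expected 'unavailable'" >&2
        return 1
    fi
}

# Usage (constructed names):
#   replicate_raw rpool/data/vm-100-disk-0 2022-08-27 2022-08-26 \
#       backup-host backup/pve/vm-100-disk-0
```
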
 