[SOLVED] Is it safe to backup a PVE with encrypted zfs pool (native) to PBS

C

clickbg

Member
Proxmox Subscriber
May 13, 2020
13
4
8
44
Hi,

I am slowly migrating some of our systems from dm-crypt to native ZFS encryption.
Most hosts are pve-manager/7.3-4/d69b70d4 and PBS hosts are v2.3.2-1.

I usually have one actual pool with tank/data and tank/data-encrypted which are our unencrypted and encrypted PVE pools:

Code: 
root@atlas:~# zfs list | grep -w data
data                             4.20T  24.8T      104K  /data
data/data                        4.20T  24.8T       96K  /data/data
data/data-encrypted               428K  24.8T      232K  /data/data-encrypted

root@atlas:~# pvesm status
storing login ticket failed: $XDG_RUNTIME_DIR must be set
storing login ticket failed: $XDG_RUNTIME_DIR must be set
Name                       Type     Status           Total            Used       Available        %
local                       dir     active        31457280             128        31457152    0.00%
local-backups               pbs     active     17576240108      4196632372     13379607736   23.88%
local-zfs               zfspool     active     31104916472      4507327044     26597589428   14.49%
local-zfs-encrypted     zfspool     active     26597589856             428     26597589428    0.00%
remote-backups              pbs     active     10737418240      4685017472      6052400768   43.63%

I don't use replication however due to https://bugzilla.proxmox.com/show_bug.cgi?id=2350 I am worried that it might also affect my PBS backups.
Is PBS affected by this bug and is it safe to use PBS with encrypted ZFS pools on PVE?
What other catastrophic issues I might expect with this architecture?

This is move PVE related, but is it safe to take snapshots/restore them in place assuming I don't use zfs send to deliver those snapshots to other systems?
Is it safe to clone VMs from non-encrypted pools to the encrypted pools as that uses zfs send but from unencrypted pool to an encrypted one? Is it safe the other way around - migrate VMs from encrypted to unencrypted pools?

Thanks in advance and I am sorry if this post should be in the PVE section!
 
Last edited:
vzdump will always backup the unencrypted content and not care about how the storage on PVE side looks like (with one exception - for containers in snapshot mode, all backed up volumes must support snapshots and must support mounting them, but neither *should* be an issue with encrypted ZFS provided the key is loaded).
 
  • Like
Reactions: clickbg
fabian said:
vzdump will always backup the unencrypted content and not care about how the storage on PVE side looks like (with one exception - for containers in snapshot mode, all backed up volumes must support snapshots and must support mounting them, but neither *should* be an issue with encrypted ZFS provided the key is loaded).
Click to expand...
Superb, thanks! Do you know how VM snapshots behave if I don't transfer them - my basic snapshot usage is do a snapshot, upgrade the VM, delete or restore the snapshot if the upgrade fails. Will that functionality still work?

Thanks!
 
most of the native encryption bugs I've seen where around zfs-send/recv interaction, but there might of course be other lurking as well.
 
  • Like
Reactions: clickbg
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back