Hi all,
I recently stumbled when trying to migrate a VM from a node with an encrypted ZFS dataset to a node without encryption:
```
cannot send nvmepool/vm-310-disk-0@__migration__: encrypted dataset nvmepool/vm-310-disk-0 may not be sent with properties without the raw flag
```
It's not a big deal in this case, but it led me to search for known limitations of PVE with regard to ZFS encryption. All I found so far is this:
- A post on reddit about unsupported migration: https://www.reddit.com/r/Proxmox/comments/1cbgcyy/migrating_vms_with_encrypted_data_set/
- The note in the docs that "native ZFS encryption in PVE is experimental", where the listed limitations are replication and checksum errors: https://pve.proxmox.com/wiki/ZFS_on_Linux#zfs_encryption
Is there a list somewhere documenting what features are unavailable with encryption in more detail?
As a plus, I'd also be happy to know why these limitations are there. As long as a dataset/zvol is unlocked, the encryption is supposed to be completely transparent to any application accessing the data in it, but apparently migration uses something that happens on a level where encryption makes a difference.
Thanks and best regards,
Philipp
EDIT: I've searched around some more and found that this is not directly a limitation of PVE, but rather one of ZFS encryption. This also brought me to some reports about ZFS encryption causing headaches unrelated to PVE, so people should generally think carefully about whether they really want ZFS encryption (be it with PVE or not):
- The error I was seeing: https://github.com/openzfs/zfs/issues/10507
- An older and apparently fixed bug related to encryption: https://github.com/openzfs/zfs/issues/11679
- Snapshot corruption: https://github.com/openzfs/zfs/issues/12014
- Proposal to add warnings to the documentation: https://github.com/openzfs/openzfs-docs/issues/494