From: Stoiko Ivanov <s.ivanov@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [RFC docs/storage/zfsonlinux 0/4] allow replication/migration with zfs native encryption
Date: Wed, 18 Mar 2026 13:40:13 +0100
Message-ID: <20260318124659.374754-1-s.ivanov@proxmox.com>

OpenZFS recently got support for suppressing the encryption options while
sending with -Rp[0]. This patchset adds the (userland only) patch to our
zfsonlinux repository and uses the functionality to enable
volume_export and volume_import for encrypted ZFS datasets.

My initial (quite limited) tests indicate that it works as intended
(storage-replication/migration of containers, live and offline migration of a
VM).

As is, the functionality is quite versatile - guests can be sent from encrypted
to unencrypted storages and vice versa. The encryption state of a guest-disk/
volume is solely defined by the storage on each node, it is not a property
of the guest-disk, and not enforced.

The main caveat I currently see is that the patches need to be present
on the receiving node before the first encrypted guest-disk is received:
Without the addition of `-x encryption` for `zfs recv` the disk would
get created/received without encryption, even if the root-dataset of the
storage is encrypted. As storage-migration is currently broken for encrypted
ZFS pools in any case this seems acceptable. Users would need to upgrade
all nodes to versions with these patches before migrating/replicating
the first guest disk on an encrypted zpool.

The second patch for pve-storage is optional - I'm not sure if always printing
the warning helps or would raise more questions than it answers.

For the whole series:
Suggested-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>

[0] https://github.com/openzfs/zfs/pull/18240

zfsonlinux:

Stoiko Ivanov (1):
  cherry-pick patch for unencrypted send

 ...0015-Add-no-preserve-encryption-flag.patch | 306 ++++++++++++++++++
 debian/patches/series                         |   1 +
 2 files changed, 307 insertions(+)
 create mode 100644 debian/patches/0015-Add-no-preserve-encryption-flag.patch


pve-storage:

Stoiko Ivanov (2):
  fix #2350: zfspool: send without preserving encryption
  zfspool: export: skip hardcoded warning about no-preserve-encryption
    flag

 src/PVE/Storage/ZFSPoolPlugin.pm | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)


pve-docs:

Stoiko Ivanov (1):
  storage: zfspool: add documention on encryption

 pve-storage-zfspool.adoc | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)


Summary over all repositories:
  4 files changed, 343 insertions(+), 3 deletions(-)

-- 
Generated by murpp 0.10.0
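
The caveat in the message above (a volume received without `-x encryption` ends up unencrypted even below an encrypted root dataset) can be audited after the fact. The following is an added example, not part of the original message or the patch series; the dataset names, the sample output and the helper names are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the patch series): audit an encrypted zfspool storage
# for guest volumes that were received without encryption.

# Constructed sample in the format of
#   zfs get -H -r -t filesystem,volume -o name,value encryption rpool/data
# (tab-separated "name<TAB>value"). Dataset names are made up.
sample_zfs_get() {
    printf 'rpool/data\taes-256-gcm\n'
    printf 'rpool/data/vm-100-disk-0\taes-256-gcm\n'
    printf 'rpool/data/subvol-101-disk-0\toff\n'
    printf 'rpool/database/other\toff\n'   # similar prefix, must not match
}

# Hypothetical helper: $1 = root dataset of the storage, stdin = zfs get output.
# Prints every descendant with encryption=off when the root itself is encrypted.
# Exit status: 0 = clean or root unencrypted, 1 = findings, 2 = root not in input.
find_unencrypted_children() {
    awk -F '\t' -v root="$1" '
        $1 == root { root_enc = $2 }
        index($1, root "/") == 1 && $2 == "off" { plain[++n] = $1 }
        END {
            if (root_enc == "") exit 2
            if (root_enc == "off") exit 0
            for (i = 1; i <= n; i++) print plain[i]
            exit (n > 0 ? 1 : 0)
        }
    '
}

# Demo on the constructed sample; on a real node pipe the zfs get command above.
sample_zfs_get | find_unencrypted_children rpool/data \
    || echo "^ received without encryption (or root dataset missing)" >&2
```
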




Thread overview: 5+ messages
2026-03-18 12:40 Stoiko Ivanov [this message]
2026-03-18 12:40 ` [PATCH zfsonlinux 1/4] cherry-pick patch for unencrypted send Stoiko Ivanov
2026-03-18 12:40 ` [PATCH storage 2/4] fix #2350: zfspool: send without preserving encryption Stoiko Ivanov
2026-03-18 12:40 ` [PATCH storage 3/4] zfspool: export: skip hardcoded warning about no-preserve-encryption flag Stoiko Ivanov
2026-03-18 12:40 ` [PATCH docs 4/4] storage: zfspool: add documention on encryption Stoiko Ivanov
