From: Stoiko Ivanov <s.ivanov@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [PATCH docs 4/4] storage: zfspool: add documentation on encryption
Date: Wed, 18 Mar 2026 13:40:17 +0100
Message-ID: <20260318124659.374754-5-s.ivanov@proxmox.com>
In-Reply-To: <20260318124659.374754-1-s.ivanov@proxmox.com>

add a terse description of ZFS encryption in context of replication and
migration in PVE.

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
pve-storage-zfspool.adoc | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/pve-storage-zfspool.adoc b/pve-storage-zfspool.adoc
index 1db283d..d3339b9 100644
--- a/pve-storage-zfspool.adoc
+++ b/pve-storage-zfspool.adoc
@@ -83,6 +83,26 @@ on the parent dataset.
|images rootdir |raw subvol |no |yes |yes
|==============================================================================
+Encryption
+~~~~~~~~~~
+
+ZFS supports encryption of dataset hierarchies. Each encrypted dataset, is
+either an `encryption_root`, storing the properties for encryption itself or
+descendant of its `encryption_root` - see the `zfs-load-key(8)` manpage for
+details.
+
+Sending and receiving encrypted datasets is subject to constraints as some
+encryption parameters (initialization vectors for the symmetric ciphers) need
+to be either transferred with the data, breaking inheriting the encryption
+properties on the receiving side, or need to be recreated on target, requiring
+the data to be sent unencrypted - see the `zfs-recv(8)` manpage for details.
+
+For migration and storage replication of encrypted datasets in {pve}, the
+data is sent without the encryption properties, and the state of encryption
+is determined by the target.
+
+If you want to send and receive encrypted ZFS datasets, you need to ensure that
+all involved storages on all nodes are encrypted.
Examples
~~~~~~~~
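
Review bot: The last added paragraph ("If you want to send and receive encrypted ZFS datasets, ...") conflicts with the paragraph before it, which says {pve} sends the data without the encryption properties and lets the target determine the encryption state, so nothing is sent or received encrypted in this path. What the reader needs spelled out is the consequence: data stays encrypted at rest only if the target storage is itself encrypted, and migrating or replicating to an unencrypted target leaves a plaintext copy there. Suggest rewording along the lines of "To keep guest volumes encrypted at rest after migration or replication, all involved storages on all nodes must be encrypted", and stating explicitly that the stream itself is sent unencrypted, as the second paragraph implies. Smaller points in the first paragraph: drop the comma in "Each encrypted dataset, is", add the article in "or descendant of", and check the backticked `encryption_root` against the property spelling in the cited `zfs-load-key(8)` manpage, since the backticks mark it as a literal name.
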
--
2.47.3
Thread overview: 5+ messages
2026-03-18 12:40 [RFC docs/storage/zfsonlinux 0/4] allow replication/migration with zfs native encryption Stoiko Ivanov
2026-03-18 12:40 ` [PATCH zfsonlinux 1/4] cherry-pick patch for unencrypted send Stoiko Ivanov
2026-03-18 12:40 ` [PATCH storage 2/4] fix #2350: zfspool: send without preserving encryption Stoiko Ivanov
2026-03-18 12:40 ` [PATCH storage 3/4] zfspool: export: skip hardcoded warning about no-preserve-encryption flag Stoiko Ivanov
2026-03-18 12:40 ` Stoiko Ivanov [this message]