From: Stoiko Ivanov <s.ivanov@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [PATCH docs 4/4] storage: zfspool: add documentation on encryption
Date: Wed, 18 Mar 2026 13:40:17 +0100
Message-ID: <20260318124659.374754-5-s.ivanov@proxmox.com>
In-Reply-To: <20260318124659.374754-1-s.ivanov@proxmox.com>
add a terse description of ZFS encryption in the context of replication and
migration in PVE.
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
pve-storage-zfspool.adoc | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/pve-storage-zfspool.adoc b/pve-storage-zfspool.adoc
index 1db283d..d3339b9 100644
--- a/pve-storage-zfspool.adoc
+++ b/pve-storage-zfspool.adoc
@@ -83,6 +83,26 @@ on the parent dataset.
|images rootdir |raw subvol |no |yes |yes
|==============================================================================
+Encryption
+~~~~~~~~~~
+
+ZFS supports encryption of dataset hierarchies. Each encrypted dataset, is
+either an `encryption_root`, storing the properties for encryption itself or
+descendant of its `encryption_root` - see the `zfs-load-key(8)` manpage for
+details.
+
+Sending and receiving encrypted datasets is subject to constraints as some
+encryption parameters (initialization vectors for the symmetric ciphers) need
+to be either transferred with the data, breaking inheriting the encryption
+properties on the receiving side, or need to be recreated on target, requiring
+the data to be sent unencrypted - see the `zfs-recv(8)` manpage for details.
+
+For migration and storage replication of encrypted datasets in {pve}, the
+data is sent without the encryption properties, and the state of encryption
+is determined by the target.
+
+If you want to send and receive encrypted ZFS datasets, you need to ensure that
+all involved storages on all nodes are encrypted.
Examples
~~~~~~~~
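Review bot: The last added paragraph ("If you want to send and receive encrypted ZFS datasets, ...") does not say what happens when its condition is not met. The paragraph before it says the data is sent without the encryption properties and that the target determines the encryption state, so it would help to state outright that a guest migrated or replicated to a storage whose dataset is not encrypted is stored unencrypted there. Rewording "send and receive encrypted ZFS datasets" would also avoid the reading that the stream itself stays encrypted. In the first paragraph, ZFS spells the property `encryptionroot` (no underscore), so either use that spelling or write "encryption root" as plain prose. The same sentence has a stray comma after "Each encrypted dataset" and is missing "a" before "descendant". Please also check that a blank line separates the last added paragraph from the "Examples" title, since none is visible in the hunk as shown.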
--
2.47.3
Thread overview: 5+ messages
2026-03-18 12:40 [RFC docs/storage/zfsonlinux 0/4] allow replication/migration with zfs native encryption Stoiko Ivanov
2026-03-18 12:40 ` [PATCH zfsonlinux 1/4] cherry-pick patch for unencrypted send Stoiko Ivanov
2026-03-18 12:40 ` [PATCH storage 2/4] fix #2350: zfspool: send without preserving encryption Stoiko Ivanov
2026-03-18 12:40 ` [PATCH storage 3/4] zfspool: export: skip hardcoded warning about no-preserve-encryption flag Stoiko Ivanov
2026-03-18 12:40 ` Stoiko Ivanov [this message]