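Preface: I used to run TrueNAS (SCALE), which is where I originally created the tank pool.
On an Ubuntu server, I am trying to assign/change the key for a newly created pool, but I get the error Key change error: Dataset not encrypted.: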
user@homeserver:~$ sudo zfs change-key -o keylocation=file:///path/to/zpool.key -o keyformat=raw flash
Key change error: Dataset not encrypted.
user@homeserver:~$ zfs get encryption tank
NAME PROPERTY VALUE SOURCE
tank encryption aes-256-gcm -
user@homeserver:~$ zfs get encryption flash
NAME PROPERTY VALUE SOURCE
flash encryption off default
This is the command I used to create the pool:
sudo zpool create -o failmode=continue -o autoexpand=on -o autotrim=on -o feature@async_destroy=enabled -o feature@empty_bpobj=enabled -o feature@lz4_compress=enabled -o feature@multi_vdev_crash_dump=enabled -o feature@spacemap_histogram=enabled -o feature@enabled_txg=enabled -o feature@hole_birth=enabled -o feature@extensible_dataset=enabled -o feature@embedded_data=enabled -o feature@bookmarks=enabled -o feature@filesystem_limits=enabled -o feature@large_blocks=enabled -o feature@large_dnode=enabled -o feature@sha512=enabled -o feature@skein=enabled -o feature@edonr=enabled -o feature@userobj_accounting=enabled -o feature@encryption=enabled -o feature@project_quota=enabled -o feature@device_removal=enabled -o feature@obsolete_counts=enabled -o feature@zpool_checkpoint=enabled -o feature@spacemap_v2=enabled -o feature@allocation_classes=enabled -o feature@resilver_defer=enabled -o feature@bookmark_v2=enabled -o feature@redaction_bookmarks=enabled -o feature@redacted_datasets=enabled -o feature@bookmark_written=enabled -o feature@log_spacemap=enabled -o feature@livelist=enabled -o feature@device_rebuild=enabled -o feature@zstd_compress=enabled -o feature@draid=enabled flash mirror /dev/disk/by-partuuid/XXX /dev/disk/by-partuuid/XXX
What did I do wrong, and how do I encrypt flash the same way as tank?
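Answer 1
Native ZFS encryption does not encrypt pools; it only encrypts filesystems. Furthermore, encryption for each filesystem must be set when the filesystem is created. For the pool's root filesystem, this means the root filesystem's encryption must be set when the pool is created.
So, to create a new pool with an encrypted root filesystem in a similar way to your existing pool, first destroy the new pool: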
# zpool destroy flash
Then recreate the pool, merging your zpool create command from above with these additional options. Note the use of the capital -O:
# zpool create \
(your options from above) \
-O encryption=on \
-O keyformat=(whatever) \
-O keylocation=(whatever) \
flash \
mirror /dev/gpt/diskA-serial-num /dev/gpt/diskB-serial-num
Finally, verify:
# zfs get encryption,keyformat,keylocation flash
NAME PROPERTY VALUE SOURCE
flash encryption aes-256-gcm -
flash keyformat (whatever) -
flash keylocation (whatever) local
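Added example, not part of the original question or answer: a pre-flight check for the keyformat=raw key file used in the question, plus an audit of zfs get output that flags datasets left unencrypted. The function names and the sample output are constructed for illustration; the 32-byte length is what OpenZFS requires for a raw key.

```shell
#!/bin/sh
# Hypothetical helper functions; names are not from the page or from OpenZFS.

# make_raw_key PATH
# Write 32 random bytes (the length keyformat=raw requires) to PATH.
# umask 077 keeps the file unreadable by other users from the moment it exists.
make_raw_key() {
    ( umask 077 && head -c 32 /dev/urandom > "$1" ) && chmod 400 "$1"
}

# check_raw_key PATH
# Succeed only if PATH is a regular file of exactly 32 bytes, so a wrong-sized
# key is caught before it is passed to zpool create -O keylocation=file://...
check_raw_key() {
    [ -f "$1" ] || return 1
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$size" -eq 32 ]
}

# unencrypted_datasets
# Read the tab-separated output of
#   zfs get -H -o name,value -r encryption POOL...
# on stdin and print every dataset whose encryption property is "off".
unencrypted_datasets() {
    awk -F '\t' '$2 == "off" { print $1 }'
}

# Constructed sample matching the state shown in the question:
# tank is encrypted, flash is not.
sample_zfs_output() {
    printf 'tank\taes-256-gcm\n'
    printf 'flash\toff\n'
}

# Demo on the constructed sample: prints "flash".
sample_zfs_output | unencrypted_datasets
```

On a live system, pipe the real zfs get -H -o name,value -r encryption output into unencrypted_datasets instead of the sample.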