Feature request: remove encryption #15987
Comments
You can decrypt individual datasets by copying their contents to a new, unencrypted, dataset and then renaming/remounting the new dataset to replace the old dataset. You just need enough free space to match your largest dataset, and if you are willing to delete snapshots before moving the files the required space will only be the size of your largest file. Doing it for a root dataset would be a PITA, but you can use a liveusb or creative use of boot options to accomplish that.
Keeping things encrypted, but with a publicly-known key... That feels like the worst of both worlds to me, far more so than send/recv to a new dataset.
Well, when you have a large dataset you might not have enough free space, and it also requires quite a few risky steps: create a new dataset, boot to liveUsb, copy the content, update all your OS's fstab to use the new dataset etc… Compared to just changing a password. It also has the advantage of preserving the snapshot history. The only drawback I can think of is that the system will still encrypt data, so it might cost a bit of CPU time… but from my experience it is quite negligible.
Real question: why do you want to remove the encryption? There's not really a way to remove it outright without rewriting blocks. A dummy key as described would work, and could be built into OpenZFS itself, but I can't think of any reason why you'd actually want to (like, maybe you don't need the encryption anymore, but it doesn't hurt to leave it there, unless you're very constrained on CPU or something). Unless it's something that is generally useful, I reckon it's probably easier to just do something in your mount scripts instead.
Basically yeah, I used encryption for a computer I use on my laptop (that I want to encrypt because it might get stolen), and copied the dataset to a computer used with my family, and they don't want to bother typing a password when booting the computer… yet, it does not hurt having blocks encrypted. But I can't really change the mount script as it is performed automatically by my OS at startup, and I don't want to mess with it as it may change when I upgrade…
Describe the feature would like to see added to OpenZFS
It would be nice to be allowed to remove encryption without decrypting the whole disk via a costly zfs send (which might not even be possible when lacking space).
I was hoping that setting a change-key to the empty passphrase would allow ZFS to automatically open the pool without asking for the password… unfortunately I cannot even type an empty passphrase as it has fewer than 8 characters.
How will this feature improve OpenZFS?
Allowing users to remove encryption on a dataset can be really practical.
Additional context
See also https://unix.stackexchange.com/questions/771933/zfs-remove-password/772133#772133
I think that right now it might be possible to use keylocation and put the key in the file system to emulate the above solution, but not really practical.
A possible implementation might be to directly use a dummy encryption key (either empty or like AAAAAAAA) stored as a property of the dataset that would be automatically tried when loading a dataset.
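A check for systems where the keylocation workaround mentioned in this issue has been applied, added here as an example and not part of the original thread or of OpenZFS: it reads `zfs get -H` output and lists encrypted datasets whose key is loaded from a file, since those unlock without a prompt for anyone who can read that file. The dataset names and key path in the sample are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): list encrypted datasets whose
# wrapping key comes from a file instead of an interactive prompt.
#
# Expected input on stdin is the tab-separated output of:
#   zfs get -H -o name,property,value encryption,keyformat,keylocation
# Output: dataset <TAB> cipher <TAB> keyformat <TAB> keylocation

audit_keylocation() {
    awk -F '\t' '
        $2 == "encryption"  { enc[$1] = $3 }
        $2 == "keyformat"   { fmt[$1] = $3 }
        $2 == "keylocation" { loc[$1] = $3 }
        END {
            for (ds in enc) {
                # Unencrypted datasets have nothing to unlock.
                if (enc[ds] == "off") continue
                # file:// means the key is read from disk at load time,
                # so confidentiality depends on who can read that file.
                if (loc[ds] ~ /^file:\/\//)
                    print ds "\t" enc[ds] "\t" fmt[ds] "\t" loc[ds]
            }
        }
    ' | sort
}

# Constructed sample standing in for real `zfs get -H` output.
sample_zfs_get() {
    printf 'tank/laptop\tencryption\taes-256-gcm\n'
    printf 'tank/laptop\tkeyformat\tpassphrase\n'
    printf 'tank/laptop\tkeylocation\tprompt\n'
    printf 'tank/family\tencryption\taes-256-gcm\n'
    printf 'tank/family\tkeyformat\tpassphrase\n'
    printf 'tank/family\tkeylocation\tfile:///etc/zfs/keys/family.key\n'
    printf 'tank/scratch\tencryption\toff\n'
    printf 'tank/scratch\tkeyformat\tnone\n'
    printf 'tank/scratch\tkeylocation\tnone\n'
}

# Stand-alone run on the sample; on a live system pipe the real
# `zfs get -H ...` command shown above into audit_keylocation instead.
sample_zfs_get | audit_keylocation
```

For each dataset it reports, check the permissions on the key file and whether that file lives on the same disk as the data it unlocks.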