xref: /freebsd/sys/contrib/openzfs/man/man8/zfs-redact.8 (revision c1d255d3ffdbe447de3ab875bf4e7d7accc5bfc5)
1.\"
2.\" CDDL HEADER START
3.\"
4.\" The contents of this file are subject to the terms of the
5.\" Common Development and Distribution License (the "License").
6.\" You may not use this file except in compliance with the License.
7.\"
8.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9.\" or http://www.opensolaris.org/os/licensing.
10.\" See the License for the specific language governing permissions
11.\" and limitations under the License.
12.\"
13.\" When distributing Covered Code, include this CDDL HEADER in each
14.\" file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15.\" If applicable, add the following below this CDDL HEADER, with the
16.\" fields enclosed by brackets "[]" replaced with your own identifying
17.\" information: Portions Copyright [yyyy] [name of copyright owner]
18.\"
19.\" CDDL HEADER END
20.\"
21.\" Copyright (c) 2009 Sun Microsystems, Inc. All Rights Reserved.
22.\" Copyright 2011 Joshua M. Clulow <josh@sysmgr.org>
23.\" Copyright (c) 2011, 2019 by Delphix. All rights reserved.
24.\" Copyright (c) 2013 by Saso Kiselkov. All rights reserved.
25.\" Copyright (c) 2014, Joyent, Inc. All rights reserved.
26.\" Copyright (c) 2014 by Adam Stevko. All rights reserved.
27.\" Copyright (c) 2014 Integros [integros.com]
28.\" Copyright 2019 Richard Laager. All rights reserved.
29.\" Copyright 2018 Nexenta Systems, Inc.
30.\" Copyright 2019 Joyent, Inc.
31.\"
32.Dd April 15, 2021
33.Dt ZFS-SEND 8
34.Os
35.
36.Sh NAME
37.Nm zfs-send
38.Nd generate backup stream of ZFS dataset
39.Sh SYNOPSIS
40.Nm zfs
41.Cm send
42.Op Fl DLPRbcehnpsvw
43.Op Oo Fl I Ns | Ns Fl i Oc Ar snapshot
44.Ar snapshot
45.Nm zfs
46.Cm send
47.Op Fl DLPcensvw
48.Op Fl i Ar snapshot Ns | Ns Ar bookmark
49.Ar filesystem Ns | Ns Ar volume Ns | Ns Ar snapshot
50.Nm zfs
51.Cm send
52.Fl -redact Ar redaction_bookmark
53.Op Fl DLPcenpv
54.Op Fl i Ar snapshot Ns | Ns Ar bookmark
55.Ar snapshot
56.Nm zfs
57.Cm send
58.Op Fl Penv
59.Fl t
60.Ar receive_resume_token
61.Nm zfs
62.Cm send
63.Op Fl Pnv
64.Fl S Ar filesystem
65.Nm zfs
66.Cm redact
67.Ar snapshot redaction_bookmark
68.Ar redaction_snapshot Ns …
69.
70.Sh DESCRIPTION
71.Bl -tag -width ""
72.It Xo
73.Nm zfs
74.Cm send
75.Op Fl DLPRbcehnpvw
76.Op Oo Fl I Ns | Ns Fl i Oc Ar snapshot
77.Ar snapshot
78.Xc
79Creates a stream representation of the second
80.Ar snapshot ,
81which is written to standard output.
82The output can be redirected to a file or to a different system
83.Po for example, using
84.Xr ssh 1
85.Pc .
86By default, a full stream is generated.
87.Bl -tag -width "-D"
88.It Fl D , -dedup
89Deduplicated send is no longer supported.
90This flag is accepted for backwards compatibility, but a regular,
91non-deduplicated stream will be generated.
92.It Fl I Ar snapshot
93Generate a stream package that sends all intermediary snapshots from the first
94snapshot to the second snapshot.
95For example,
96.Fl I Em @a Em fs@d
97is similar to
98.Fl i Em @a Em fs@b Ns \&; Fl i Em @b Em fs@c Ns \&; Fl i Em @c Em fs@d .
99The incremental source may be specified as with the
100.Fl i
101option.
102.It Fl L , -large-block
103Generate a stream which may contain blocks larger than 128KB.
104This flag has no effect if the
105.Sy large_blocks
106pool feature is disabled, or if the
107.Sy recordsize
108property of this filesystem has never been set above 128KB.
109The receiving system must have the
110.Sy large_blocks
111pool feature enabled as well.
112See
113.Xr zpool-features 7
114for details on ZFS feature flags and the
115.Sy large_blocks
116feature.
117.It Fl P , -parsable
118Print machine-parsable verbose information about the stream package generated.
119.It Fl R , -replicate
120Generate a replication stream package, which will replicate the specified
121file system, and all descendent file systems, up to the named snapshot.
122When received, all properties, snapshots, descendent file systems, and clones
123are preserved.
124.Pp
125If the
126.Fl i
127or
128.Fl I
129flags are used in conjunction with the
130.Fl R
131flag, an incremental replication stream is generated.
132The current values of properties, and current snapshot and file system names are
133set when the stream is received.
134If the
135.Fl F
136flag is specified when this stream is received, snapshots and file systems that
137do not exist on the sending side are destroyed.
138If the
139.Fl R
140flag is used to send encrypted datasets, then
141.Fl w
142must also be specified.
143.It Fl e , -embed
144Generate a more compact stream by using
145.Sy WRITE_EMBEDDED
146records for blocks which are stored more compactly on disk by the
147.Sy embedded_data
148pool feature.
149This flag has no effect if the
150.Sy embedded_data
151feature is disabled.
152The receiving system must have the
153.Sy embedded_data
154feature enabled.
155If the
156.Sy lz4_compress
157feature is active on the sending system, then the receiving system must have
158that feature enabled as well.
159Datasets that are sent with this flag may not be
160received as an encrypted dataset, since encrypted datasets cannot use the
161.Sy embedded_data
162feature.
163See
164.Xr zpool-features 7
165for details on ZFS feature flags and the
166.Sy embedded_data
167feature.
168.It Fl b , -backup
169Sends only received property values whether or not they are overridden by local
170settings, but only if the dataset has ever been received.
171Use this option when you want
172.Nm zfs Cm receive
173to restore received properties backed up on the sent dataset and to avoid
174sending local settings that may have nothing to do with the source dataset,
175but only with how the data is backed up.
176.It Fl c , -compressed
177Generate a more compact stream by using compressed WRITE records for blocks
178which are compressed on disk and in memory
179.Po see the
180.Sy compression
181property for details
182.Pc .
183If the
184.Sy lz4_compress
185feature is active on the sending system, then the receiving system must have
186that feature enabled as well.
187If the
188.Sy large_blocks
189feature is enabled on the sending system but the
190.Fl L
191option is not supplied in conjunction with
192.Fl c ,
193then the data will be decompressed before sending so it can be split into
194smaller block sizes.
195Streams sent with
196.Fl c
197will not have their data recompressed on the receiver side using
198.Fl o Sy compress Ns = Ar value .
199The data will stay compressed as it was from the sender.
200The new compression property will be set for future data.
201.It Fl w , -raw
202For encrypted datasets, send data exactly as it exists on disk.
203This allows backups to be taken even if encryption keys are not currently loaded.
204The backup may then be received on an untrusted machine since that machine will
205not have the encryption keys to read the protected data or alter it without
206being detected.
207Upon being received, the dataset will have the same encryption
208keys as it did on the send side, although the
209.Sy keylocation
210property will be defaulted to
211.Sy prompt
212if not otherwise provided.
213For unencrypted datasets, this flag will be equivalent to
214.Fl Lec .
215Note that if you do not use this flag for sending encrypted datasets, data will
216be sent unencrypted and may be re-encrypted with a different encryption key on
217the receiving system, which will disable the ability to do a raw send to that
218system for incrementals.
219.It Fl h , -holds
220Generate a stream package that includes any snapshot holds (created with the
221.Nm zfs Cm hold
222command), and indicating to
223.Nm zfs Cm receive
224that the holds be applied to the dataset on the receiving system.
225.It Fl i Ar snapshot
226Generate an incremental stream from the first
227.Ar snapshot
228.Pq the incremental source
229to the second
230.Ar snapshot
231.Pq the incremental target .
232The incremental source can be specified as the last component of the snapshot
233name
234.Po the
235.Sy @
236character and following
237.Pc
238and it is assumed to be from the same file system as the incremental target.
239.Pp
240If the destination is a clone, the source may be the origin snapshot, which must
241be fully specified
242.Po for example,
243.Em pool/fs@origin ,
244not just
245.Em @origin
246.Pc .
247.It Fl n , -dryrun
248Do a dry-run
249.Pq Qq No-op
250send.
251Do not generate any actual send data.
252This is useful in conjunction with the
253.Fl v
254or
255.Fl P
256flags to determine what data will be sent.
257In this case, the verbose output will be written to standard output
258.Po contrast with a non-dry-run, where the stream is written to standard output
259and the verbose output goes to standard error
260.Pc .
261.It Fl p , -props
262Include the dataset's properties in the stream.
263This flag is implicit when
264.Fl R
265is specified.
266The receiving system must also support this feature.
267Sends of encrypted datasets must use
268.Fl w
269when using this flag.
270.It Fl s , -skip-missing
271Allows sending a replication stream even when there are snapshots missing in the
272hierarchy.
273When a snapshot is missing, instead of throwing an error and aborting the send,
274a warning is printed to the standard error stream and the dataset to which it belongs
275and its descendents are skipped.
276This flag can only be used in conjunction with
277.Fl R .
278.It Fl v , -verbose
279Print verbose information about the stream package generated.
280This information includes a per-second report of how much data has been sent.
281.Pp
282The format of the stream is committed.
283You will be able to receive your streams on future versions of ZFS.
284.El
285.It Xo
286.Nm zfs
287.Cm send
288.Op Fl DLPcenvw
289.Op Fl i Ar snapshot Ns | Ns Ar bookmark
290.Ar filesystem Ns | Ns Ar volume Ns | Ns Ar snapshot
291.Xc
292Generate a send stream, which may be of a filesystem, and may be incremental
293from a bookmark.
294If the destination is a filesystem or volume, the pool must be read-only, or the
295filesystem must not be mounted.
296When the stream generated from a filesystem or volume is received, the default
297snapshot name will be
298.Qq --head-- .
299.Bl -tag -width "-D"
300.It Fl D , -dedup
301Deduplicated send is no longer supported.
302This flag is accepted for backwards compatibility, but a regular,
303non-deduplicated stream will be generated.
304.It Fl L , -large-block
305Generate a stream which may contain blocks larger than 128KB.
306This flag has no effect if the
307.Sy large_blocks
308pool feature is disabled, or if the
309.Sy recordsize
310property of this filesystem has never been set above 128KB.
311The receiving system must have the
312.Sy large_blocks
313pool feature enabled as well.
314See
315.Xr zpool-features 7
316for details on ZFS feature flags and the
317.Sy large_blocks
318feature.
319.It Fl P , -parsable
320Print machine-parsable verbose information about the stream package generated.
321.It Fl c , -compressed
322Generate a more compact stream by using compressed WRITE records for blocks
323which are compressed on disk and in memory
324.Po see the
325.Sy compression
326property for details
327.Pc .
328If the
329.Sy lz4_compress
330feature is active on the sending system, then the receiving system must have
331that feature enabled as well.
332If the
333.Sy large_blocks
334feature is enabled on the sending system but the
335.Fl L
336option is not supplied in conjunction with
337.Fl c ,
338then the data will be decompressed before sending so it can be split into
339smaller block sizes.
340.It Fl w , -raw
341For encrypted datasets, send data exactly as it exists on disk.
342This allows backups to be taken even if encryption keys are not currently loaded.
343The backup may then be received on an untrusted machine since that machine will
344not have the encryption keys to read the protected data or alter it without
345being detected.
346Upon being received, the dataset will have the same encryption
347keys as it did on the send side, although the
348.Sy keylocation
349property will be defaulted to
350.Sy prompt
351if not otherwise provided.
352For unencrypted datasets, this flag will be equivalent to
353.Fl Lec .
354Note that if you do not use this flag for sending encrypted datasets, data will
355be sent unencrypted and may be re-encrypted with a different encryption key on
356the receiving system, which will disable the ability to do a raw send to that
357system for incrementals.
358.It Fl e , -embed
359Generate a more compact stream by using
360.Sy WRITE_EMBEDDED
361records for blocks which are stored more compactly on disk by the
362.Sy embedded_data
363pool feature.
364This flag has no effect if the
365.Sy embedded_data
366feature is disabled.
367The receiving system must have the
368.Sy embedded_data
369feature enabled.
370If the
371.Sy lz4_compress
372feature is active on the sending system, then the receiving system must have
373that feature enabled as well.
374Datasets that are sent with this flag may not be received as an encrypted dataset,
375since encrypted datasets cannot use the
376.Sy embedded_data
377feature.
378See
379.Xr zpool-features 7
380for details on ZFS feature flags and the
381.Sy embedded_data
382feature.
383.It Fl i Ar snapshot Ns | Ns Ar bookmark
384Generate an incremental send stream.
385The incremental source must be an earlier snapshot in the destination's history.
386It will commonly be an earlier snapshot in the destination's file system, in
387which case it can be specified as the last component of the name
388.Po the
389.Sy #
390or
391.Sy @
392character and following
393.Pc .
394.Pp
395If the incremental target is a clone, the incremental source can be the origin
396snapshot, or an earlier snapshot in the origin's filesystem, or the origin's
397origin, etc.
398.It Fl n , -dryrun
399Do a dry-run
400.Pq Qq No-op
401send.
402Do not generate any actual send data.
403This is useful in conjunction with the
404.Fl v
405or
406.Fl P
407flags to determine what data will be sent.
408In this case, the verbose output will be written to standard output
409.Po contrast with a non-dry-run, where the stream is written to standard output
410and the verbose output goes to standard error
411.Pc .
412.It Fl v , -verbose
413Print verbose information about the stream package generated.
414This information includes a per-second report of how much data has been sent.
415.El
416.It Xo
417.Nm zfs
418.Cm send
419.Fl -redact Ar redaction_bookmark
420.Op Fl DLPcenpv
421.Op Fl i Ar snapshot Ns | Ns Ar bookmark
422.Ar snapshot
423.Xc
424Generate a redacted send stream.
425This send stream contains all blocks from the snapshot being sent that aren't
426included in the redaction list contained in the bookmark specified by the
427.Fl -redact
428(or
429.Fl d )
430flag.
431The resulting send stream is said to be redacted with respect to the snapshots
432the bookmark specified by the
433.Fl -redact No flag was created with.
434The bookmark must have been created by running
435.Nm zfs Cm redact
436on the snapshot being sent.
437.Pp
438This feature can be used to allow clones of a filesystem to be made available on
439a remote system, in the case where their parent need not (or needs to not) be
440usable.
441For example, if a filesystem contains sensitive data, and it has clones where
442that sensitive data has been secured or replaced with dummy data, redacted sends
443can be used to replicate the secured data without replicating the original
444sensitive data, while still sharing all possible blocks.
445A snapshot that has been redacted with respect to a set of snapshots will
446contain all blocks referenced by at least one snapshot in the set, but will
447contain none of the blocks referenced by none of the snapshots in the set.
448In other words, if all snapshots in the set have modified a given block in the
449parent, that block will not be sent; but if one or more snapshots have not
450modified a block in the parent, they will still reference the parent's block, so
451that block will be sent.
452Note that only user data will be redacted.
453.Pp
454When the redacted send stream is received, we will generate a redacted
455snapshot.
456Due to the nature of redaction, a redacted dataset can only be used in the
457following ways:
458.Bl -enum -width "a."
459.It
460To receive, as a clone, an incremental send from the original snapshot to one
461of the snapshots it was redacted with respect to.
462In this case, the stream will produce a valid dataset when received because all
463blocks that were redacted in the parent are guaranteed to be present in the
464child's send stream.
465This use case will produce a normal snapshot, which can be used just like other
466snapshots.
467.
468.It
469To receive an incremental send from the original snapshot to something
470redacted with respect to a subset of the set of snapshots the initial snapshot
471was redacted with respect to.
472In this case, each block that was redacted in the original is still redacted
473(redacting with respect to additional snapshots causes less data to be redacted
474(because the snapshots define what is permitted, and everything else is
475redacted)).
476This use case will produce a new redacted snapshot.
477.It
478To receive an incremental send from a redaction bookmark of the original
479snapshot that was created when redacting with respect to a subset of the set of
480snapshots the initial snapshot was created with respect to
481anything else.
482A send stream from such a redaction bookmark will contain all of the blocks
483necessary to fill in any redacted data, should it be needed, because the sending
484system is aware of what blocks were originally redacted.
485This will either produce a normal snapshot or a redacted one, depending on
486whether the new send stream is redacted.
487.It
488To receive an incremental send from a redacted version of the initial
489snapshot that is redacted with respect to a subject of the set of snapshots the
490initial snapshot was created with respect to.
491A send stream from a compatible redacted dataset will contain all of the blocks
492necessary to fill in any redacted data.
493This will either produce a normal snapshot or a redacted one, depending on
494whether the new send stream is redacted.
495.It
496To receive a full send as a clone of the redacted snapshot.
497Since the stream is a full send, it definitionally contains all the data needed
498to create a new dataset.
499This use case will either produce a normal snapshot or a redacted one, depending
500on whether the full send stream was redacted.
501.El
502.Pp
503These restrictions are detected and enforced by
504.Nm zfs Cm receive ;
505a redacted send stream will contain the list of snapshots that the stream is
506redacted with respect to.
507These are stored with the redacted snapshot, and are used to detect and
508correctly handle the cases above.
509Note that for technical reasons,
510raw sends and redacted sends cannot be combined at this time.
511.It Xo
512.Nm zfs
513.Cm send
514.Op Fl Penv
515.Fl t
516.Ar receive_resume_token
517.Xc
518Creates a send stream which resumes an interrupted receive.
519The
520.Ar receive_resume_token
521is the value of this property on the filesystem or volume that was being
522received into.
523See the documentation for
524.Nm zfs Cm receive Fl s
525for more details.
526.It Xo
527.Nm zfs
528.Cm send
529.Op Fl Pnv
530.Op Fl i Ar snapshot Ns | Ns Ar bookmark
531.Fl S
532.Ar filesystem
533.Xc
534Generate a send stream from a dataset that has been partially received.
535.Bl -tag -width "-L"
536.It Fl S , -saved
537This flag requires that the specified filesystem previously received a resumable
538send that did not finish and was interrupted.
539In such scenarios this flag
540enables the user to send this partially received state.
541Using this flag will always use the last fully received snapshot
542as the incremental source if it exists.
543.El
544.It Xo
545.Nm zfs
546.Cm redact
547.Ar snapshot redaction_bookmark
548.Ar redaction_snapshot Ns …
549.Xc
550Generate a new redaction bookmark.
551In addition to the typical bookmark information, a redaction bookmark contains
552the list of redacted blocks and the list of redaction snapshots specified.
553The redacted blocks are blocks in the snapshot which are not referenced by any
554of the redaction snapshots.
555These blocks are found by iterating over the metadata in each redaction snapshot
556to determine what has been changed since the target snapshot.
557Redaction is designed to support redacted zfs sends; see the entry for
558.Nm zfs Cm send
559for more information on the purpose of this operation.
560If a redact operation fails partway through (due to an error or a system
561failure), the redaction can be resumed by rerunning the same command.
562.El
563.Ss Redaction
564ZFS has support for a limited version of data subsetting, in the form of
565redaction.
566Using the
567.Nm zfs Cm redact
568command, a
569.Sy redaction bookmark
570can be created that stores a list of blocks containing sensitive information.
571When provided to
572.Nm zfs Cm send ,
573this causes a
574.Sy redacted send
575to occur.
576Redacted sends omit the blocks containing sensitive information,
577replacing them with REDACT records.
578When these send streams are received, a
579.Sy redacted dataset
580is created.
581A redacted dataset cannot be mounted by default, since it is incomplete.
582It can be used to receive other send streams.
583In this way datasets can be used for data backup and replication,
584with all the benefits that zfs send and receive have to offer,
585while protecting sensitive information from being
586stored on less-trusted machines or services.
587.Pp
588For the purposes of redaction, there are two steps to the process.
589A redact step, and a send/receive step.
590First, a redaction bookmark is created.
591This is done by providing the
592.Nm zfs Cm redact
593command with a parent snapshot, a bookmark to be created, and a number of
594redaction snapshots.
595These redaction snapshots must be descendants of the parent snapshot,
596and they should modify data that is considered sensitive in some way.
597Any blocks of data modified by all of the redaction snapshots will
598be listed in the redaction bookmark, because it represents the truly sensitive
599information.
600When it comes to the send step, the send process will not send
601the blocks listed in the redaction bookmark, instead replacing them with
602REDACT records.
603When received on the target system, this will create a
604redacted dataset, missing the data that corresponds to the blocks in the
605redaction bookmark on the sending system.
606The incremental send streams from
607the original parent to the redaction snapshots can then also be received on
608the target system, and this will produce a complete snapshot that can be used
609normally.
610Incrementals from one snapshot on the parent filesystem and another
611can also be done by sending from the redaction bookmark, rather than the
612snapshots themselves.
613.Pp
614In order to make the purpose of the feature more clear, an example is provided.
615Consider a zfs filesystem containing four files.
616These files represent information for an online shopping service.
617One file contains a list of usernames and passwords, another contains purchase histories,
618a third contains click tracking data, and a fourth contains user preferences.
619The owner of this data wants to make it available for their development teams to
620test against, and their market research teams to do analysis on.
621The development teams need information about user preferences and the click
622tracking data, while the market research teams need information about purchase
623histories and user preferences.
624Neither needs access to the usernames and passwords.
625However, because all of this data is stored in one ZFS filesystem,
626it must all be sent and received together.
627In addition, the owner of the data
628wants to take advantage of features like compression, checksumming, and
629snapshots, so they do want to continue to use ZFS to store and transmit their data.
630Redaction can help them do so.
631First, they would make two clones of a snapshot of the data on the source.
632In one clone, they create the setup they want their market research team to see;
633they delete the usernames and passwords file,
634and overwrite the click tracking data with dummy information.
635In another, they create the setup they want the development teams
636to see, by replacing the passwords with fake information and replacing the
637purchase histories with randomly generated ones.
638They would then create a redaction bookmark on the parent snapshot,
639using snapshots on the two clones as redaction snapshots.
640The parent can then be sent, redacted, to the target
641server where the research and development teams have access.
642Finally, incremental sends from the parent snapshot to each of the clones can be sent
643to and received on the target server; these snapshots are identical to the
644ones on the source, and are ready to be used, while the parent snapshot on the
645target contains none of the username and password data present on the source,
646because it was removed by the redacted send operation.
647.
648.Sh SEE ALSO
649.Xr zfs-bookmark 8 ,
650.Xr zfs-receive 8 ,
651.Xr zfs-redact 8 ,
652.Xr zfs-snapshot 8
653