man: Add entries for encryption on, off, and re-encrypt

mulkieran · mulkieran · commit 2e2c6ff21812 · 2026-01-15T11:03:10.000-05:00
Signed-off-by: mulhern &lt;amulhern@redhat.com&gt;
diff --git a/docs/stratis.txt b/docs/stratis.txt
@@ -117,6 +117,18 @@ pool unbind <(clevis|keyring)> <pool name> [--token-slot <token slot>]::
      mechanism. MOVE NOTICE: The "unbind" subcommand can also be found under
      the "pool encryption" subcommand. The "pool unbind" subcommand that you
      are using now is deprecated and will be removed in stratis 3.10.0.
+pool encryption on --in-place <(--uuid <uuid> |--name <name>)> [--key-desc <key_desc>] [--clevis <(nbde|tang|tpm2)> [--tang-url <tang_url>] [<(--thumbprint <thp> | --trust-url)>]::
+     Turn encryption on for the specified pool. This operation must encrypt
+     every block in the pool and takes time proportional to the size of the
+     pool.
+pool encryption off --in-place <(--uuid <uuid> |--name <name>)>::
+     Turn encryption off for the specified pool. This operation must write
+     the plain text of every block in the pool and takes time proportional to
+     the size of the pool.
+pool encryption reencrypt --in-place <(--uuid <uuid> |--name <name>)>::
+     Reencrypt the pool with a new master key. This operation must overwrite
+     every block in the pool with re-encrypted data and takes time
+     proportional to the size of the pool.
 pool encryption bind <(nbde|tang)> <(--uuid <uuid> |--name <name>)> <(--thumbprint <thp> | --trust-url)> <url>::
      Bind the devices in the specified pool to a supplementary encryption
      mechanism that uses NBDE (Network-Bound Disc Encryption). *tang* is
@@ -262,6 +274,20 @@ OPTIONS
 --token-slot <token slot> ::
         For V2 pools only. Use the token slot number to select among
         different bindings that use the same encryption method.
+--in-place ::
+        This is a mandatory option that must be set when requesting
+        a long-running in-place encryption operation. These operations are
+        a kind that must read and write every block in the pool. Hence these
+        operations take a time that is linear in the size of the pool.
+        Additionally, these operations are run in place, that is, the
+        pool's data blocks are directly modified while it is in use. While
+        the operation is taking place, automatic administrative actions,
+        for example, extending filesystems, can not be taken on the pool.
+        Furthermore, user-initiated actions, such as adding a new device to
+        a pool are also disabled. The pool administrator should therefore
+        ensure that no administrative operations will become urgently
+        necessary while the encryption operation is running. Consider
+        backing up your data before initiating this operation.
 
 
 SIZE SPECIFICATION FORMAT FOR INPUT
