Restore Encrypted Cloud Sync

Joined
May 2, 2017
Messages
211
So, just curious. Now that I'm uploading all my datasets to Backblaze B2 buckets, nice and encrypted... how does one recover them?

It's all downloadable from Backblaze, but it's encrypted gobbledygook. Since this is a great way to back up, I need to know how you'd restore things? I don't see any mention in the docs...

Thanks!
 
Joined
May 2, 2017
Messages
211
The official reply from Backblaze.

Hi there,

You'd have to download the files through the FreeNAS integration and use whatever encryption tool they provide to decrypt the files.

Regards,
Zack - Meet me!
Backblaze Best Practices
The Backblaze Team
 

Constantin

Vampire Pig
Joined
May 19, 2017
Messages
1,829
All I can say is: good luck!
Unless you can confirm that it actually works, you may be better off using your desktop as a sender and receiver of said files. At least then you know the format, can test, etc.
 
Joined
May 2, 2017
Messages
211
I'm wondering if creating a new sync task and selecting "pull" works? Maybe pull from to a new dataset... It seems nobody knows how to use the restore feature they built in. They said "look, you can back up encrypted". So how do I recover? Crickets...

I'll try that once the backups have finished. Hopefully I didn't upload terabytes of stuff for nothing.
 

ppateel

Dabbler
Joined
Sep 2, 2018
Messages
10
I am in the same boat. I set up an encrypted backup to Backblaze B2 successfully and was researching restore solutions and am unable to find one yet. In my experience the backup strategy is not complete if I am not able to test restore function. I have really bad experience even in my work dealing with a "write only" backup solution.

I am a little bit uncomfortable if the only solution is to use FreeNAS to restore. But there should be a way to restore the files independent of FreeNAS. I am worried about a hypothetical situation where I have backed up tons of data and I want to restore without using FreeNAS and would not be able to do so. In my opinion my backups should not be tied to a particular software. This is going back to the old school tape backup systems by Seagate etc. where you are dead if you do not have their proprietary software to restore.

Any help or a reference to do this would be really appreciated.
 

Constantin

Vampire Pig
Joined
May 19, 2017
Messages
1,829
One option is to rely on a manual, encrypted backup in a native (i.e. non-ZFS format) that you rotate to an off-site location.

The benefit is that you know that the files are accessible (they will be Windows, Mac, whatever native) and you can rely on encryption methods that are not proprietary (i.e. potentially inaccessible in the future). Downsides include the work in staying vigilant re: getting the backups done, potential for lost work (depending on how often you rotate), and bit rot (though some programs like Carbon Copy Cloner give you the option to scrub the destination as part of the copy process). Also, transporting media frequently will likely negatively impact the disk drive life for the media in question.

Plus, the above only works to a point, especially if your data is hosted in a data center. Hard drives are pretty dense, so transporting a lot of them is less than fun. I want to get a second ZFS server set up and start pushing snapshots, etc. between the primary and the backup. However, unlike the demi-gods here, I have no experience with getting it set up to work safely and reliably. So it will be a slow and deliberate process...
 
Joined
May 2, 2017
Messages
211
My uploads are not done, so I can't try yet. Maybe you can try this if yours are done...?

My thought is that we can create a new dataset. Let's call it RECOVERY. Go into cloud sync tasks in FreeNAS and make a new sync and select "PULL" as the direction. Pick your online bucket and "pull" it to the RECOVERY dataset. Let me know if you're able to try that. Otherwise, I'll try once my backups are done in a few days.

Happy holidays!!
 

ppateel

Dabbler
Joined
Sep 2, 2018
Messages
10
I was able to restore using a pull job using the same password and salt and it did restore all the files onto a separate dir on the same volume and the file names and the content were properly decrypted. In that sense, if you have a FreeNAS installation, it seems easy enough to restore. Now I have to dig into the behind-the-scenes encryption mechanics and see if it is possible to decrypt the same from a non-FreeNAS environment.
 

ppateel

Dabbler
Joined
Sep 2, 2018
Messages
10
Also another encouraging aspect I found is that FreeNAS uses rclone to do the backup to Backblaze B2. If so it should be possible to install rclone on any machine and as long as I have the password and salt, I should be able to restore encrypted backups. I will start looking into this when I have some time and will post back my results. I am planning on following the tutorial I found in https://www.andyibanez.com/rclone-encryption-tutorial/
 

ppateel

Dabbler
Joined
Sep 2, 2018
Messages
10
Good news, the whole process works beautifully. This is why I love open source and standards.

I was able to configure Backblaze B2 as a remote on my Windows 10 desktop and use the password and salt to set up an encrypted remote on my Windows machine and was able to restore the contents of the encrypted backup created from FreeNAS on to my desktop. I used the rclone executable and used command line to complete these tasks. I have not researched if there are any GUI tools for rclone.

Since most of my backups are photos, videos and documents, this process should work. Granted I only tested images and videos. I need to complete my testing with Windows binary files like Office documents and other Windows binaries. I don't expect to run into any issues. Overall, the encrypted backup process meets my requirements and will be using this going forward.
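
The FreeNAS-independent restore described in the post above, as an added example that is not part of the original thread or of FreeNAS. The remote names `b2` and `b2crypt`, the `B2_KEY_ID`/`B2_APP_KEY` variables and all paths are assumptions, as is the mapping of the task's password and salt to rclone crypt's `password` and `password2`.

```shell
#!/bin/sh
# Added example: restore a FreeNAS cloud-sync backup with plain rclone.
# Remote names, env var names and paths are assumptions, not FreeNAS values.

# Write an rclone config with a B2 remote and a crypt remote layered on it.
# $1 config path   $2 bucket[/folder]
# $3 obscured password   $4 obscured salt (both from `rclone obscure`)
# $5 "standard" if the sync task encrypted file names, otherwise "off"
write_restore_config() {
    (
        umask 077   # the file holds the B2 key and the crypt secrets
        cat > "$1" <<EOF
[b2]
type = b2
account = ${B2_KEY_ID:?set B2_KEY_ID}
key = ${B2_APP_KEY:?set B2_APP_KEY}

[b2crypt]
type = crypt
remote = b2:$2
filename_encryption = ${5:-standard}
password = $3
password2 = $4
EOF
    )
}

# Copy the decrypted tree into $2, then let rclone compare the local files
# against the encrypted objects so corruption shows up during the test restore.
restore_and_verify() {
    rclone --config "$1" copy b2crypt: "$2" &&
    rclone --config "$1" cryptcheck "$2" b2crypt:
}

# Typical use (not run here; a B2 key limited to read access is enough):
#   pw=$(rclone obscure 'password from the cloud sync task')
#   salt=$(rclone obscure 'salt from the cloud sync task')
#   write_restore_config ./restore.conf my-bucket/dataset "$pw" "$salt" standard
#   restore_and_verify ./restore.conf ./RECOVERY
```

Keep the password and salt somewhere other than the NAS itself, since without both the uploaded objects cannot be decrypted.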
 
Joined
May 2, 2017
Messages
211
Terrific! I was hoping that my theory was correct. I’ve been backing up terabytes for a week now. LOL. Haven’t had a chance to try it yet. Nobody seemed to know the answer, so hopefully this helps.

For me, I’m only concerned with being able to restore the datasets on FreeNAS itself. I can create an occasional local backup for redundancy. I just want an offsite copy and this is a much cleaner solution in my case.

For what it’s worth. I was using CrashPlan and it was messy. To limit my purchase to one machine, I installed CrashPlan on a desktop and mapped all the datasets to that machine. I then pointed CrashPlan to back up the mount points. There were some issues.

First, CrashPlan won’t let you back up different datasets with different rules. Back up your documents once an hour and your rarely modified music dataset backs up once an hour too. Really limited.

Second, my bandwidth suffered this way. The local machine had to download the file from the NAS, encrypt it, then transmit it out the WAN. Using cloud sync, NAS straight out the WAN.

Third, the CrashPlan machine had to be on for a backup to occur. The NAS is on anyhow, so my electric use drops this way.

I find that cloud sync will be really useful for my purposes. I can’t be alone about that. So hopefully this thread will encourage some people to use it for a safe and efficient offsite backup solution.
 

Pirke

Cadet
Joined
Jan 2, 2019
Messages
2
Hi,
I've been using rclone in a jail on FreeNAS 9 already, now with 11.2 release, I can get rid of the jail, at least for most of my tasks.

If someone is interested in the rclone config:
When a rclone job is running, on root shell check
ps -A | grep rclone
it will point you to the temp rclone config file for the specific job.
 

Evertb1

Guru
Joined
May 31, 2016
Messages
700
I'm wondering if creating a new sync task and selecting "pull" works?
I tested that with a test data set and that works well. Just use the appropriate targets and the same encryption key as used in the push task.
 

Files!

Cadet
Joined
Mar 14, 2019
Messages
2
So if my FreeNAS dies a tragic premature death, I could go get new hardware, install FreeNAS, use my backed up config, restore from cloud sync.
Would that put everything back in place for my NextCloud jail?
Also would the TarSnap plugin be a good solution for this?

Thanks for the Help!
 

tobiasbp

Patron
Joined
Dec 2, 2015
Messages
238
Just for the record: I have also used rclone to successfully decrypt encrypted data stored on Wasabi.
 

Constantin

Vampire Pig
Joined
May 19, 2017
Messages
1,829
I’d never trust server-side encryption in the cloud. As targets go, a centralized trove of many passwords is simply too juicy. Encrypt before you upload to the cloud, that also covers the data when it’s in flight.

ZFS send/receive works great and its setup wizard is very user friendly. For offsite applications at the consumer level, the key challenge is how to get the two servers to talk to each other without exposing them to the wider internet, if possible. Passwordless ssh login (per the ZFS send/receive wizard default) is a secure way to limit exposure. I'm looking into linking two edgerouters via VPN w/dynamic DNS.
 