TrueNAS backups

[Ofloo]

I have encrypted zfs storage and I back this up encrypted to backblaze, when I start my system I provide an key to decrypt the pool. However the encryption key of the backup is just stored in plain text. So if someone where to steal my system they could obtain access to the pool data from just restoring from cloud they have the decryption key, to do so.

So I was wondering isn't there a way to backup raw zfs blocks which are encrypted by default to the cloud?

 

[winnielinnie]

So I was wondering isn't there a way to backup raw zfs blocks which are encrypted by default to the cloud?

rsync.net supports raw ZFS streams.

It's on the pricier side, however.

For example, 4TB of storage lands you at $100 per month.

 

[Ofloo]

I'm sorry but do you honestly believe that's a good deal? backblaze 1.5tb and i'm paying 8usd, .. same ratio would be about 21usd. that's almost 5 times the price.

For that money i can better rent a dedicated server set up my own on ovh or something.

Dedicated servers

Heeft u een krachtige dedicated server nodig? Ontdek alle professionele Bare Metal-servers.

www.soyoustart.com

just saw hetzner 4x10tb drives for 55.57euro that's basically half the price and yet 10times the storage, .. you could make a 20TB mirror out of that. Come to think of it backblaze is expensive as well.

 

[winnielinnie]

I agree, it's very pricey.

But I don't know of other viable cloud options that support ZFS raw streams.

 

[awasb]

I‘d change encryption „layout“ before I‘d try to switch backup platforms.

I use pools with keys and within those pools some (child-)datasets (put aside iocages etc.) with passphrases.

The keys save me „secure erase“ of data disks on swap/replace/sale. The passphrases protect the „cold“ data. (Offsite backups included.)

Those „critical“ datasets’ passphrases are stored in a password-manager. The master passphrase is in my head. It‘s a bit of work to bring all services up again after a reboot. But then, twice a year …

 

[winnielinnie]

I‘d change encryption „layout“ before I‘d try to switch backup platforms.

The issue is that there's a separate encryption (and master key) used for Cloud Sync Tasks in TrueNAS.

It's nothing to do with ZFS or datasets.

@Ofloo is bringing up the fact that this keyfile/passphrase is stored on the TrueNAS boot device (plain), which is used to encrypt/decrypt on-the-fly for a Cloud Sync Task. (It allows TrueNAS to automate cloud syncs, without the user manually inputting a passphrase every time.)

That's why the question of using raw ZFS streams for backups for Cloud storage was brought up.

 

[awasb]

Ah. Didn‘t get that. Sorry. And thanks for the explanation.

 

[Ofloo]

winnielinnie exactly. Or maybe there's a way to store raw blocks into cloud storage that would solve this issue as well, only not sure if that's supported by truenas. Because I vaguely remember you can do zfs send and tar it? But maybe that's already in the decrypted layer.

edit: This seems more acceptable https://zfs.rent/pricing.html