TrueNAS backups

Ofloo

Explorer
Joined
Jun 11, 2020
Messages
60
I have encrypted ZFS storage and I back this up encrypted to Backblaze. When I start my system I provide a key to decrypt the pool. However, the encryption key of the backup is just stored in plain text. So if someone were to steal my system, they could obtain access to the pool data just by restoring from the cloud; they have the decryption key to do so.

So I was wondering, isn't there a way to back up raw ZFS blocks, which are encrypted by default, to the cloud?
 
Joined
Oct 22, 2019
Messages
3,641
So I was wondering, isn't there a way to back up raw ZFS blocks, which are encrypted by default, to the cloud?

rsync.net supports raw ZFS streams.

It's on the pricier side, however.

For example, 4TB of storage lands you at $100 per month.
 

Ofloo

Explorer
Joined
Jun 11, 2020
Messages
60
I'm sorry, but do you honestly believe that's a good deal? Backblaze, 1.5 TB, and I'm paying 8 USD... The same ratio would be about 21 USD. That's almost 5 times the price.

For that money I can better rent a dedicated server and set up my own on OVH or something.


Just saw Hetzner 4x10 TB drives for 55.57 euro; that's basically half the price and yet 10 times the storage... You could make a 20 TB mirror out of that. Come to think of it, Backblaze is expensive as well.
 
Last edited:
Joined
Oct 22, 2019
Messages
3,641
I agree, it's very pricey. :frown:

But I don't know of other viable cloud options that support ZFS raw streams.
 

awasb

Patron
Joined
Jan 11, 2021
Messages
415
I'd change encryption "layout" before I'd try to switch backup platforms.

I use pools with keys and within those pools some (child-)datasets (put aside iocages etc.) with passphrases.

The keys save me "secure erase" of data disks on swap/replace/sale. The passphrases protect the "cold" data. (Offsite backups included.)

Those "critical" datasets' passphrases are stored in a password-manager. The master passphrase is in my head. It's a bit of work to bring all services up again after a reboot. But then, twice a year …
 
Joined
Oct 22, 2019
Messages
3,641
I'd change encryption "layout" before I'd try to switch backup platforms.
The issue is that there's a separate encryption (and master key) used for Cloud Sync Tasks in TrueNAS.

It's nothing to do with ZFS or datasets.

@Ofloo is bringing up the fact that this keyfile/passphrase is stored on the TrueNAS boot device (plain), which is used to encrypt/decrypt on-the-fly for a Cloud Sync Task. (It allows TrueNAS to automate cloud syncs, without the user manually inputting a passphrase every time.)

That's why the question of using raw ZFS streams for backups for Cloud storage was brought up.
 

awasb

Patron
Joined
Jan 11, 2021
Messages
415
Ah. Didn't get that. Sorry. And thanks for the explanation.
 

Ofloo

Explorer
Joined
Jun 11, 2020
Messages
60
winnielinnie, exactly. Or maybe there's a way to store raw blocks into cloud storage that would solve this issue as well, only I'm not sure if that's supported by TrueNAS. Because I vaguely remember you can do zfs send and tar it? But maybe that's already in the decrypted layer.

edit: This seems more acceptable https://zfs.rent/pricing.html
 
Last edited:
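
On the question of whether `zfs send` output is "already in the decrypted layer": a plain `zfs send` of an encrypted dataset emits decrypted data, while `zfs send --raw` (`-w`) emits the blocks exactly as stored on disk. The sketch below is an added example, not code from any poster or from TrueNAS; the rclone remote `b2remote:my-bucket` and the dataset and snapshot names are assumptions.

```shell
#!/bin/sh
# Added example: raw (still-encrypted) ZFS backup to object storage.
# Assumed names: REMOTE is a hypothetical rclone remote; dataset and
# snapshot names are supplied by the caller.
REMOTE=${REMOTE:-b2remote:my-bucket}

# True only when the dataset uses native ZFS encryption.
is_encrypted() {
    enc=$(zfs get -H -o value encryption "$1") || return 2
    [ -n "$enc" ] && [ "$enc" != "off" ]
}

# Object name for a snapshot: tank/secret@s1 -> tank_secret_s1.zfs
object_name() {
    printf '%s.zfs\n' "$(printf '%s' "$1" | tr '/@' '__')"
}

# backup_raw SNAPSHOT [PREVIOUS_SNAPSHOT]
# Streams the snapshot with --raw so blocks leave the host as stored on
# disk (ciphertext). The dataset key does not need to be loaded, and no
# separate cloud-sync key has to sit on the boot device.
backup_raw() {
    snap=$1
    prev=${2:-}
    case $snap in
        *@*) ;;
        *) echo "usage: backup_raw dataset@snap [dataset@prev]" >&2; return 2 ;;
    esac
    ds=${snap%@*}
    # Refuse unencrypted datasets: --raw would upload their plaintext.
    if ! is_encrypted "$ds"; then
        echo "refusing: $ds is not natively encrypted" >&2
        return 1
    fi
    dest="$REMOTE/$(object_name "$snap")"
    if [ -n "$prev" ]; then
        # Incremental: only useful if a raw stream of $prev is already stored.
        zfs send --raw -i "$prev" "$snap" | rclone rcat "$dest"
    else
        zfs send --raw "$snap" | rclone rcat "$dest"
    fi
}
```

The pipeline's exit status is rclone's, so under bash enable `set -o pipefail` to catch a failed send. Restoring means piping the stored object into `zfs receive` and then loading the dataset key.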