I encrypted a dataset using a Passphrase. It is always encrypted unless I decrypt it for a short period of time. When doing a cloud sync task I notice that the dataset is not synced to the cloud provider, while the decrypted datasets are.
Is this normal behavior or did I do something wrong?
Can this behavior be overwritten, so that encrypted data is synced to the cloud while never needing to be decrypted?
If not, what are some alternatives I could consider?
Most backup solutions are not ZFS aware. If the encrypted dataset is not unlocked at the time of a backup, nothing is available for normal backup solutions.
The exception to this is ZFS Send & Receive. A ZFS Send can send a locked, encrypted dataset to a remote ZFS server. That remote ZFS server can, at a later date, be used to unlock the encrypted dataset. But at no time is the data decrypted, either in the network stream or on the remote ZFS server (unless you manually unlock it). I don’t recall if incremental backups can work with this method.
Another method for backing up an encrypted dataset is to use ZFS Send and simply capture its output. Meaning if you have a 1TB encrypted dataset, you would create a 1TB file on the backup solution. Something like this:
This method does not allow incremental backups because the data is encrypted, and not available for normal incremental copies. In theory, there may be methods to perform incremental copies, I just don’t know or use them in this context.
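The capture-to-a-file approach described in the answer above can be scripted as follows. This is an added example, not the command from the original post. It uses the OpenZFS raw send flag (`zfs send -w`), and the function name, dataset, snapshot and file names are placeholders.

```shell
#!/bin/sh
# Added example: capture a raw (still-encrypted) ZFS send stream in a file.
# Dataset, snapshot and path names used in calls are placeholders.

# raw_send_to_file <dataset@snapshot> <output-file>
raw_send_to_file() {
    snap="$1"; out="$2"
    dataset="${snap%@*}"

    if [ -z "$out" ] || [ "$dataset" = "$snap" ]; then
        echo "usage: raw_send_to_file <dataset@snapshot> <output-file>" >&2
        return 2
    fi

    # Refuse datasets that are not encrypted: a raw send of those would
    # land on the backup target as plaintext.
    enc="$(zfs get -H -o value encryption "$dataset")" || return 1
    if [ "$enc" = "off" ]; then
        echo "$dataset is not encrypted; refusing raw backup" >&2
        return 1
    fi

    # Never overwrite an existing backup file.
    if [ -e "$out" ]; then
        echo "$out already exists" >&2
        return 1
    fi

    # -w (--raw) sends the blocks exactly as stored on disk, so the key
    # does not need to be loaded and the file contains only ciphertext.
    tmp="$out.partial"
    if zfs send -w "$snap" > "$tmp"; then
        mv "$tmp" "$out"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Run only when called with two arguments, e.g.:
#   sh raw_send.sh tank/secure@backup1 /mnt/backup/secure-backup1.zfs
if [ "$#" -eq 2 ]; then
    raw_send_to_file "$1" "$2"
fi
```

The resulting file can then be picked up by a cloud sync task like any other file, and fed back into `zfs receive` on a ZFS system when a restore is needed.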