I’m setting up a backup NAS to place at an offsite location. I want to have it encrypted, but at the same time I want to pull the replications from the offsite NAS to leave it without an open door for attackers to reach the backup.
When trying to set up the replication task encrypted, though, it looks like the key must be hosted on the target. At least that’s what the GUI says. Is this really true? The target is the backup machine itself, as I’m pulling from the source to the target. It makes no sense to have the decryption key on the same machine as the encrypted datasets. I want to have the key stored on the source, that is, my primary NAS.
How should I do this properly?