I’m setting up a backup NAS to place at an offsite location. I want to have it encrypted, but at the same time I want to pull the replications from the offsite NAS to leave it without an open door for attackers to reach the backup.
When trying to set up the replication task encrypted, though, it looks like the key must be hosted on the target. At least that’s what the GUI says. Is this really true? The target is the backup machine itself, as I’m pulling from the source to the target. It makes no sense to have the decryption key on the same machine as the encrypted datasets. I want to have the key stored on the source, that is my primary NAS.
I am currently working on setting up a similar setup, but with syncoid. Please let me know if that’s of interest to you and you are comfortable doing it without the GUI; we could discuss how to set it up further.
I found a solution that makes sense. My first idea was to leave my primary NAS unencrypted, only encrypting the backup NAS, but that way I ran into the issue in the original post. The solution I have invested in is to have my primary NAS encrypted, but with the key on the NAS for transparent automatic decryption at startup, effectively leaving it unencrypted. The nice thing with this is that the backup will pull the encrypted blocks without ever needing to decrypt them. Still supporting delta snapshots. ZFS is really cool.
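The pull described in the last post, sketched with plain `zfs` commands as an added example that is not part of the thread and is not what the GUI or syncoid runs internally. It runs on the backup NAS, picks the newest snapshot both sides share, and requests a raw incremental stream so the blocks arrive still encrypted and no key is needed on the backup. The host name `primary-nas`, the datasets `tank/data` and `backup/data`, and the function names are assumptions.

```shell
#!/bin/sh
# Added example. Runs on the backup NAS; host and dataset names are assumed.
SRC_HOST="${SRC_HOST:-primary-nas}"
SRC_DS="${SRC_DS:-tank/data}"
DST_DS="${DST_DS:-backup/data}"

# Print the newest snapshot name present on both sides.
# $1 = source snapshot names (oldest first, one per line), $2 = target names.
latest_common() {
    printf '%s\n' "$1" | while IFS= read -r snap; do
        [ -n "$snap" ] || continue
        if printf '%s\n' "$2" | grep -Fxq -- "$snap"; then
            printf '%s\n' "$snap"
        fi
    done | tail -n 1
}

# Print the arguments for zfs send. --raw sends blocks as stored on disk,
# so nothing is decrypted in transit or on the backup.
# $1 = common base snapshot (may be empty), $2 = newest source snapshot.
send_args() {
    if [ -z "$1" ]; then
        printf '%s\n' "--raw $SRC_DS@$2"                 # first run: full stream
    elif [ "$1" != "$2" ]; then
        printf '%s\n' "--raw -I $SRC_DS@$1 $SRC_DS@$2"   # delta since base
    fi                                                   # equal: up to date
}

pull() {
    src=$(ssh "$SRC_HOST" zfs list -H -t snapshot -d 1 -o name -s creation "$SRC_DS" | sed 's/.*@//')
    dst=$(zfs list -H -t snapshot -d 1 -o name -s creation "$DST_DS" 2>/dev/null | sed 's/.*@//')
    newest=$(printf '%s\n' "$src" | tail -n 1)
    [ -n "$newest" ] || { echo "no snapshots on source" >&2; return 1; }
    base=$(latest_common "$src" "$dst")
    if [ -n "$dst" ] && [ -z "$base" ]; then
        echo "no common snapshot; refusing a full send over existing data" >&2
        return 2
    fi
    args=$(send_args "$base" "$newest")
    [ -n "$args" ] || return 0
    # $args is left unquoted on purpose so it splits into separate words.
    ssh "$SRC_HOST" zfs send $args | zfs receive -u "$DST_DS"
}

# Only touch ZFS when invoked with "run"; sourcing the file just defines functions.
if [ "${1:-}" = "run" ]; then pull; fi
```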