I am looking for a solution to rsync a snapshot via SSH to a remote destination (Hetzner Storage Box) which does not support ZFS. The data shall be stored in an encrypted way on the remote server.
How could I do this, especially the part of doing the on-rest encryption?
Is there any way to do this on-the-fly without having to first encrypt all files locally and then to rsync them?
Not sure what your Hetzner Storage Box can do, but:
TrueNAS can have at rest encrypted Datasets, (and files on it)
SSH will encrypt all traffic
RSync over SSH will automatically use whatever SSH encryption is available
At the remote end, it is up to the remote OS to deal with at rest encryption
Now the files are unencrypted at the source OS, (TrueNAS), and destination server, but only during the time the file is either read or written by RSync. Once RSync is done, nothing is unencrypted.
To be clear, at rest encryption has the files unencrypted once the file system is unlocked. Any hacker that “broke” in, or can use a “share” to it, can read those “at rest encrypted” files. If the server is shut down, then the disks are “at rest” and the encryption takes over.
If the Hetzner Storage Box can run any normal OS, then you can run Linux with LUKS encrypted disks and put any file system you want on top. Once the RSync is done, you can drop the encryption, and now the files are inaccessible.
On the other hand, if you don’t trust anything at the destination, TrueNAS does not support sending encrypted files without ZFS. Meaning during the time the files are being written at the destination server, the files are unencrypted. And the file system itself appears unencrypted. Just the nature of “at rest encryption”.
Only ZFS Replication, (aka ZFS Send & Receive), supports encryption along the whole path.
The other option would be to use rclone, if Hetzner supports it, so that the files can be stored encrypted at the cloud destination, without needing access to the underlying filesystem used by the provider.
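The two approaches in the replies above side by side, as an added example that is not part of the thread and not TrueNAS's, Hetzner's or rclone's own code: rsync of a read-only ZFS snapshot directory over SSH (encrypted in transit, plaintext files at the destination), and rclone with a "crypt" remote layered over an sftp remote (files encrypted client-side as they stream, so only ciphertext reaches the box). The host name, user name, snapshot path, key path and the two obscured passwords are constructed placeholders; the SSH port assumes the non-default port Hetzner documents for SSH/rsync access; `DRY_RUN=1` (the default) only prints the commands so nothing contacts a remote.

```shell
#!/bin/sh
# Added example (not from the thread). Push a ZFS snapshot's contents to a
# Hetzner Storage Box either as plaintext files via rsync over SSH, or as
# client-side encrypted files via an rclone crypt remote over sftp.
# All host names, user names, paths and passwords are constructed placeholders.
set -eu

BOX_HOST="${BOX_HOST:-uXXXXX.your-storagebox.de}"   # placeholder Storage Box host
BOX_USER="${BOX_USER:-uXXXXX}"                       # placeholder Storage Box user
SSH_PORT="${SSH_PORT:-23}"                           # assumed non-default SSH/rsync port
SSH_KEY="${SSH_KEY:-$HOME/.ssh/storagebox_ed25519}"  # assumed key path
# ZFS exposes read-only snapshots under <dataset>/.zfs/snapshot/<name>
SNAPSHOT_DIR="${SNAPSHOT_DIR:-/mnt/tank/data/.zfs/snapshot/daily-2024-01-01}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands, 0 = actually run them

run() {
  if [ "$DRY_RUN" = "1" ]; then printf 'would run: %s\n' "$*"; else "$@"; fi
}

# Option 1 (first reply): rsync the snapshot directory over SSH. Traffic is
# encrypted by SSH, but the box stores ordinary files. Trailing slash on the
# source copies its contents; -a keeps metadata; --delete mirrors removals.
rsync_snapshot() {
  run rsync -a --delete -e "ssh -p $SSH_PORT -i $SSH_KEY" \
    "$SNAPSHOT_DIR/" "$BOX_USER@$BOX_HOST:backup/"
}

# Option 2 (second reply): write an rclone config with a plain sftp remote
# ("box") and a crypt remote ("boxcrypt") that wraps it. Both passwords must be
# the output of `rclone obscure`; they are passed in so this function needs no
# rclone binary. filename_encryption=standard also hides file and dir names.
write_rclone_config() {
  cfg="$1"; pw="$2"; pw2="$3"
  ( umask 077                       # the file holds secrets: owner-only mode
    cat > "$cfg" <<EOF
[box]
type = sftp
host = $BOX_HOST
user = $BOX_USER
port = $SSH_PORT
key_file = $SSH_KEY

[boxcrypt]
type = crypt
remote = box:backup-crypt
filename_encryption = standard
directory_name_encryption = true
password = $pw
password2 = $pw2
EOF
  )
  printf '%s\n' "$cfg"
}

# Sanity check before syncing: returns 0 only if the named remote is of type
# crypt and wraps another remote (a "name:path" value, not a bare local path),
# i.e. data really goes through the encryption layer.
config_uses_crypt() {
  cfg="$1"; name="$2"
  awk -v want="[$name]" '
    $0 == want { in_sec = 1; next }
    /^\[/      { in_sec = 0 }
    in_sec && $1 == "type"   && $3 == "crypt"                  { t = 1 }
    in_sec && $1 == "remote" && $3 ~ /^[A-Za-z0-9_-]+:/        { r = 1 }
    END { exit !(t && r) }' "$cfg"
}

# rclone encrypts each file as it streams it; the box only ever sees ciphertext.
rclone_snapshot_encrypted() {
  cfg="$1"
  config_uses_crypt "$cfg" boxcrypt || { echo "boxcrypt is not a crypt remote" >&2; return 1; }
  run rclone sync --config "$cfg" "$SNAPSHOT_DIR" boxcrypt:
}

# Stand-alone demo, opt-in so sourcing the file has no side effects.
if [ "${RUN_DEMO:-0}" = "1" ]; then
  rsync_snapshot
  cfg="$(write_rclone_config "$(mktemp)" OBSCURED_PW_PLACEHOLDER OBSCURED_PW2_PLACEHOLDER)"
  rclone_snapshot_encrypted "$cfg"
fi
```

With `DRY_RUN=0` the rsync path needs only ssh and rsync on the TrueNAS host; the rclone path needs rclone installed and a config whose `password`/`password2` values were produced by `rclone obscure`, after which `rclone ls boxcrypt:` shows the original names while `rclone ls box:backup-crypt` shows only encrypted blobs.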