Passphrase for Automatic backup tasks

Problem/Justification
At the moment there seems to be no way, with the normal means included in the program or with any kind of app, to make a “safe” automated backup (without a second TrueNAS device).

Meaning: if I have a dataset which I encrypt with a passphrase, so it needs to be unlocked manually on every restart for actual security, I can't really back up the data securely except to another TrueNAS device.

Fetching the data, encrypting it locally and throwing it into the cloud (encrypted) is a VERY great way! But if anyone cracks or circumvents the admin account, he could just look at the automated backup task for that cloud, change the “source” folder and click on “Restore” without entering a passphrase to “unlock it”.
That just makes the encryption of the dataset itself with a passphrase completely useless, because he can just “use” the encryption key and cloud access information stored there (which obviously need to be there).

Impact
You can't automatically and securely save your data if you have no second TrueNAS device.

If there were an OPTIONAL feature that you can check to FORCE a passphrase on every reboot to “unlock” the automated backups and the stored data that's used to encrypt the files (encryption keys, destination, …), it would actually make it feasible to use.

User Story
The user would go to the backup task and create a new one; there he would check a box “Enforce global passphrase”. If he checks it, he needs to enter a passphrase (maybe confirm it?). After the task is created he can delete it without knowing the passphrase, but can't edit it or restore from it.

If the system reboots, he has to go to the task section and click on a play button or something similar to activate the task again, prompting him for the passphrase.

NOTE: He should not need to reconfigure the encryption key, salt, destination or any information there.

RESTORE/MODIFY: If he wants to RESTORE from the backup or MODIFY destination, source folder or such he should have to enter the passphrase too.

I suggest looking into encrypted sparsebundles or equivalent archives - that is, don’t have ZFS do the encryption, have the data encrypted at rest unless you unlock it on a per use basis.

The main downside of sparsebundles or any like system is usually pretty slow speed and lower robustness than pure ZFS.

Others will have to chime in on cloud options that allow encrypted ZFS data. I have no experience with same but I believe I read about one or two allowing ZFS replications, which would allow you to keep ZFS content encrypted on the remote cloud provider, just as you do locally.
