Replication to an encrypted dataset (data encrypted not accessible to remote system)

pixel · May 26, 2025, 8:29am

I have two TrueNAS systems and I need to replicate/backup one dataset from TrueNAS A to an encrypted on rest dataset on TrueNAS B.

I created a replication task on the sending system using a phassphrase for the data encryption (not talking about the tunnelling encryption). On the remote system a new encrypted dataset has been created but with it the encryption key has been loaded on the remote system.

I don’t want to keep the data accessible to the remote system so I tried to unload the encryption key on the remote NAS but after that the sending TrueNAS wasn’t able to start the replication task anymore ([EFAULT] Active side: cannot receive incremental stream: inherited key must be loaded.).

So am here asking how to achieve my setup: I want to backup a dataset to a remote system but I want those data to be unreadable by the remote system.

Should I rely on rsync? Is it possible to do with a Replication Task somehow?

BoulderItalyc · May 26, 2025, 9:47am

Maybe look at Cloud Sync and the Remote Encryption option.

dan · May 26, 2025, 9:52am

I suspect it’s possible to do this using ZFS replication, but I’m not familiar enough with its details regarding encryption to say for sure. Syncthing can handle it easily enough though.
https://docs.syncthing.net/users/untrusted.html

pixel · May 26, 2025, 10:18am

Hello @BoulderItalyc I tried to setup the Remote Encryption options and read the relevant documentation.

I did like that:

What I got is an encrypted dataset on the remote system but the encryption key is available to the remote system so all the files are readable on the remote TrueNAS.

(ideally) I would like the en/decryption key to be available only to the sending system which will get access to the dataset, store the updated data and lock it back again.

@dan I am aware it is possible at file-level (with syncthing or duplicity), I would like to rely on the TrueNAS/zfs capabilities first.

winnielinnie · May 26, 2025, 11:56am

Is the source dataset encrypted?

pixel · May 26, 2025, 12:11pm

Sorry, I forgot to specify it. No, it’s not (and would like to keep it like that).

winnielinnie · May 26, 2025, 12:20pm

With TrueNAS, I don’t believe that’s possible.

If there was a feature to “issue command after send completes” or “lock target after send completes”, then it could work, but no such thing exists in the GUI.

You would essentially need to issue the command zfs unload-key over an SSH connection to do this.

pixel · May 26, 2025, 12:53pm

Thanks for your answer. Is there any trigger somewhere I can monitor with an external script in order to achieve it when the task has been completed?

Correct me if wrong but, should I encrypt the sending dataset in order to have this feature out of the box?

winnielinnie · May 26, 2025, 1:04pm

Maybe possible with the API? I’ve never tried such a thing.

@kris @Captain_Morgan Is it possible to use the API to trigger a command after a replication task successfully completes?

Such as “When Replication Task A completes, issue ‘lock dataset’ on target system”.

I guess the reverse would be needed too. “Before Replication Task A begins, issue ‘unlock dataset’ on target system”.

You could use “raw streams” if your source was encrypted.

This means you wouldn’t even need to unlock either side in order to replicate.

BoulderItalyc · May 26, 2025, 1:06pm

Here is a tool that might do what you want;

It does leave you open to someone accessing the data on the remote system while the dataset(s)/pool is unlocked. Probably low risk since you’ve presumably got strong passwords on accounts and not running services like SMB, but still not as secure as having no way at all of decrypting the data on the destination.

If the source were encrypted, there are zfs switches you could use on the command line to replicate the raw encrypted data;

https://forums.truenas.com/t/what-is-encryption-for-destination-in-replication-task-wizard/31133/3

But this would also likely negate an incremental type backup strategy.

You could also look at a “Cloud Sync” task instead of ZFS replication. You’d need to run some sort of cloud service on the target, perhaps Minio;

But Cloud Sync tasks do allow you to encrypt the data locally and send it out where the destination has no knowledge of the key.

Captain_Morgan · May 26, 2025, 4:29pm

We just provided the api microwebsite.

There is a job status request:

https://api.truenas.com/v25.04.1/jobs.html

pixel · May 27, 2025, 10:21am

Thanks all for the clarifications. I think I will go with minIO this time since using the replication & API requires too many customizations to the system I wouldn’t want to rely on.

I was hoping it was something available/supported out of the box.

Thanks again!