Securing my first NAS setup with remote backup and encryption

Hi, I’m in the process of setting up my first home NAS using TrueNAS Community Edition, and I would love your insights.

Current Setup

  • Data Volume: I currently have about 2 terabytes of data (it will increase quickly).
  • NAS Software: I’m using TrueNAS Community Edition for my NAS.
  • Connection: The data are connected to my laptop via Samba and Tailscale to provide safer remote access if needed.
  • Disk Configuration: I have two hard disks configured in mirror mode for redundancy.
  • Remote Backup: I’m considering using cloud services like iDrive or OneDrive for additional backup.

What I Want to Achieve:

  • I want to be able to access the data remotely from my laptop or smartphone, safely.
  • I want to ensure that my data is secure both on my NAS and when backed up to the cloud.
  • I want to be able to access my data easily while preventing any unauthorized access (cloud providers, malicious third parties, etc.) or in the event of a home burglary.
  • I want the (total or partial) backup recovery from the cloud to be possible without too many problems.

Initially, I considered using Cryptomator to encrypt my files before uploading them to the cloud. The idea was to ensure that even if someone accessed my cloud storage, they wouldn’t be able to read my files.

However, I started to question whether this approach might complicate my setup unnecessarily. Here are my concerns:

  • Complexity: Adding Cryptomator introduces another layer, which could increase the chances of something going wrong (data loss, software bugs, etc.).
  • Performance: I worry that using Cryptomator might slow down file operations and transfers, especially if accessing the data from low-performing devices (old laptops, smartphones, etc.).

After some reflection, I considered this alternative solution:

ZFS Encryption on TrueNAS:

This would involve encrypting my dataset directly on the NAS using the native ZFS encryption with a passphrase.

  • Pros: This is a native solution that minimizes performance impact and keeps the encryption process within TrueNAS.
  • Cons: A significant concern is whether I can enter the encryption passphrase remotely if the NAS restarts. If I’m connected remotely and the NAS requires a reboot, I might lose access to my data until I can physically enter the passphrase.

Daily remote backup with Rclone:

I would use TrueNAS’s Cloud Sync Task with Rclone to back up my data to iDrive or OneDrive (or another provider), utilizing the Rclone native remote encryption option.

  • Pros: This would ensure that my files are encrypted before they leave my NAS, providing strong security. Rclone is stable, well-documented, and widely used.
  • Cons: Accessing individual files in the event of a partial restore could be cumbersome since I might not be able to see the file and directory names in the cloud (they will be encrypted).

I also noticed that rclone filename encryption is broken, according to the TrueNAS documentation available here: Cloud Sync Tasks | TrueNAS Documentation Hub

Rclone filename obfuscation or the experimental filename_encoding could be an alternative solution.

The rclone project has identified known issues with Filename Encryption in certain configurations, such as when long file names are used. See SSH_FX_BAD_MESSAGE when syncing files with long filename to encrypted sftp storage. In some cases, this can prevent backup jobs from completing or being restored. We do not recommend enabling Filename Encryption for any cloud sync tasks that did not previously have it enabled. Users with existing cloud sync tasks that have this setting enabled must leave it enabled on those tasks to be able to restore those existing backups. Do not enable file name encryption on new cloud sync tasks!

My questions for you:

  1. Can I enter the ZFS encryption passphrase remotely if the NAS restarts, or will I need physical access?
  2. Does Rclone’s remote encryption adequately protect my data, including file names and metadata?
  3. Is it possible to temporarily see the remote file/directory names using Rclone in some creative way (Rclone mount maybe) if needed?
  4. Am I overlooking any important aspects of this setup, or is there a better approach I should consider?

Thank you for your help!

Note: Edited with AI because English is not my native language.
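
Added example (not part of the original post, and not rclone or TrueNAS code): a pre-flight check for the long-file-name failure mode quoted above. It assumes rclone crypt's documented "standard" name encryption (each path segment PKCS#7-padded to a 16-byte multiple, then written as unpadded base32, or base64 when filename_encoding is set) and a hypothetical 255-character per-name limit on the backend; the function names are illustrative.

```python
import os

BLOCK = 16  # AES block size that rclone crypt pads each name segment to


def encrypted_len(segment: str, encoding: str = "base32") -> int:
    """Length of one path segment after 'standard' name encryption."""
    raw = len(segment.encode("utf-8"))
    padded = (raw // BLOCK + 1) * BLOCK      # PKCS#7 always adds 1..16 bytes
    if encoding == "base32":
        return (padded * 8 + 4) // 5         # unpadded base32, rounded up
    if encoding == "base64":
        return (padded * 4 + 2) // 3         # unpadded base64, rounded up
    raise ValueError(f"unsupported encoding: {encoding}")


def too_long(paths, limit=255, encoding="base32"):
    """Return (path, segment, encrypted length) for each segment over limit."""
    hits = []
    for path in paths:
        for seg in filter(None, path.split("/")):
            n = encrypted_len(seg, encoding)
            if n > limit:                    # limit is an assumed backend cap
                hits.append((path, seg, n))
    return hits


def scan_tree(root, limit=255, encoding="base32"):
    """Walk a local dataset and report names that would not fit once encrypted."""
    hits = []
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            n = encrypted_len(name, encoding)
            if n > limit:
                hits.append((os.path.join(dirpath, name), name, n))
    return hits


# Constructed sample paths (not taken from the thread).
SAMPLE = [
    "photos/2024/holiday.jpg",
    "docs/" + "a" * 143 + ".pdf",   # 147-byte name -> padded to 160 bytes
    "docs/" + "b" * 139 + ".pdf",   # 143-byte name -> padded to 144 bytes
]

if __name__ == "__main__":
    for path, seg, n in too_long(SAMPLE):
        print(f"{n} chars after encryption: {seg[:40]}...")
```

Running `scan_tree` on the dataset before the first sync shows which names need shortening; an empty result only means the names fit the assumed limit, so a test restore is still the real check.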

I use native ZFS encryption so I can help with a couple of these questions.

Yes, you can enter the volume / pool passphrase remotely. I would advise the use of a VPN like WireGuard or Tailscale to protect the NAS from direct access to the internet, however.

I do not use Rclone. However, it is possible for replications to happen to a remote server where the pool remains encrypted. If you configure the remote machine appropriately, it will contain zero information re: how to decrypt the dataset.

If you use replication, the remote dataset can be mounted and read, typically on a read-only basis. That also allows SMB sharing. However, I believe replication only works for remote servers that also run ZFS / TrueNAS.

I’d look into replicating (i.e. ZFS send) since it takes advantage of snapshots (which should be active anyway), and if you have a secure tunnel, you can also activate netcat to speed up transfers.

1 Like

Replication is not restricted to only TrueNAS systems, it’s just easier to set up. You do, however, need to be using ZFS on both machines. @dan has a tutorial on setting up replication from a Proxmox host to TrueNAS as a destination.

2 Likes

Thanks!

Replication is a nice idea, and having snapshots backed up is also very interesting.

After considering it, I think there are two main downsides:

  • Higher Cost/Time: maintaining a secondary remote system, like what you described (a secondary TrueNAS or, as @Filtering58 suggested, a Proxmox with ZFS), costs more and requires more maintenance than simply using a remote backup solution like S3 or OneDrive. Since this is the beginning of my journey, I don’t want to spend extra time and money if there is a simpler solution.
  • If the dataset on my NAS becomes corrupted, the replica will also be corrupted, and the files will not be accessible when restored.

Having a remote “traditional” backup system seems safer, faster, and cheaper.

I also just discovered that I can easily install Duplicati using the App Marketplace on TrueNAS. I have never used it before, but from what I read online, it looks exactly like what I’m looking for, and the software seems reliable and well-tested. It also provides encryption (including filenames) and versioning, offering even more features than Rclone.

Have you ever tried it? What’s your opinion on that?