Back Up Encrypted ZFS Data Without Decrypting It, Even If TrueNAS Doesn’t Approve

[Michael Lynch] recently replaced his Synology NAS with a self-built solution built on ZFS, a filesystem with a neat feature: the ability to back up encrypted data without having to decrypt it first. The only glitch is that [Michael] is using TrueNAS, and TrueNAS only wants to back up unencrypted ZFS data to another TrueNAS system. Fortunately, there’s a way around this that isn’t particularly complicated, but definitely requires leveraging the right tools. It also provides an educational walkthrough for how ZFS handles these things.

The solution is a small handful of shell scripts to manage full and incremental backups and restores of encrypted datasets, without having to decrypt the data first. As mentioned, this is something TrueNAS will handle by default, but only if the destination is also a TrueNAS system. Now, [Michael] can send that backup to off-site cloud storage with only a little extra work.

There’s one additional trick [Michael] uses to monitor his backups. He leverages a paid (but with a free tier) service called Cronitor. It’s not very obvious from the site’s features, but there is a way to implement cron job monitoring that doesn’t require adding any software whatsoever. Here’s how that part works: Cronitor provides a custom, unique URL. If that URL isn’t visited regularly (for example, because the cron job fails), then the user is notified. By integrating this into an existing cron job, one can be notified. Such an integration would look like this:

0 0 3 * * monthly-job && curl --silent https://cronitor.link/p/<API-KEY>/monthly-job?state=complete

In short, if the cron job runs successfully, curl checks in by visiting the custom URL. If that doesn’t happen, the user gets a notification. No added software, just a simple leveraging of a free service for some added peace of mind.

Backups are easy to neglect, so maybe it’s time to take a few moments to consider what you do for data storage, including how you’d recover from disaster.

9 thoughts on “Back Up Encrypted ZFS Data Without Decrypting It, Even If TrueNAS Doesn’t Approve

    1. The “default way” is a free feature, but it requires an *encrypted* target volume on a TrueNAS system. Michael Lynch wanted to copy the raw, encrypted dataset into a *flat file* on an (unencrypted) location (which could even be CIFS/NFS network drive). Since “zfs send” (“zfs send –raw” in his case, as he wats the raw encrypted data) writes its output to stdout, a simple redirect does the job.

      I am aware of that in theory, but it’s nice that someone did the heavy lifting and actually tested that both backup and restore work as intended.

  1. I’m looking for a way to synchronize a 1TB SSD Windows boot drive to a 1TB SATA hard drive. Something that I can periodically run which will examine the boot drive and the backup, then copy and delete files as needed from the backup to make it match the boot drive.

    What would be ideal is to have a synchronize and shut down option.

    I’ve used software to clone it a few times but that takes a while and of course copies a ton of stuff that’s not changed.

    1. Worse even:
      >back up your encrypted data to a generic cloud storage provider
      https://en.wikipedia.org/wiki/Disk_encryption_theory#XTS_weaknesses
      Given that dm-crypt/LUKS uses xts-plain64 as default as they consider it the lesser evil compared to or cbc-essiv. He is giving a potential adversary (govt) a perfect way to observe all changes. It is the year 2022 point 67 and people still do not understand encryption only is good if your adversary is unable to monitor your encrypted files.

  2. Cronitor co-founder here – Thanks for the shout out! Do you think we should make this “Direct Integration” method more obvious? It’s very clear if you click on “Heartbeats” but it’s buried 1 step deeper if you click “Jobs”.

  3. I just tried Cronitor out, it’s a cool idea. I think the main advantage to using the curl link is because it is discouraged to install additional tools or packages on the base Truenas OS. I just went thru this wondering why pip wasn’t available. Truenas is built as an appliance first, and user modifications could cause incompatibilities with updates, other functions, etc.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.