Backups

Status
Not open for further replies.

hescominsoon

Patron
Joined
Jul 27, 2016
Messages
456
I have been looking around for a few days but cannot seem to find the answer, so if links suffice please let me know..:) I am trying to set up a FreeNAS system at one location and I want that system to send backups to another FreeNAS system located elsewhere. The connection between the two must be encrypted as this is going to be a HIPAA compliant client of mine. I have tried reading up but it is simply escaping me. Please advise..:)
 

nojohnny101

Wizard
Joined
Dec 3, 2015
Messages
1,477
hey
Here is the official guide from the manual:
http://doc.freenas.org/9.10/freenas_storage.html#replication-tasks

I followed the manual to set up mine (I have one FreeNAS box replicating to a remote offsite FreeNAS box over SSH).

I do not have too much experience with HIPAA though, but from a quick Google search it seems that SSH is good enough for compliance.
 

hescominsoon

Patron
Joined
Jul 27, 2016
Messages
456
SSH is good for the transfer compliance..I am looking into ZFS due to its on the fly encryption and of course the data integrity..:)
 

nojohnny101

Wizard
Joined
Dec 3, 2015
Messages
1,477
Sounds like you're good to go then. Follow the manual, it is fairly straightforward and even has troubleshooting in there for common problems.

Of course you can post here as well!
 

hescominsoon

Patron
Joined
Jul 27, 2016
Messages
456
yeppers..I am going to test this locally first.....:)
 

hescominsoon

Patron
Joined
Jul 27, 2016
Messages
456
one more thing...if you have an encrypted ZFS volume and it replicates a snapshot offsite..does the offsite copy have the PULL encryption key or does it retain PUSH's key? I am hoping for the latter.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,525
> one more thing...if you have an encrypted ZFS volume and it replicates a snapshot offsite..does the offsite copy have the PULL encryption key or does it retain PUSH's key? I am hoping for the latter.

Neither.

When your zpool is encrypted, it's a layer that is hidden from the zpool. The zpool is basically "containerized" on the geli devices, and the geli devices are encrypted.

So if you want the data protected with encryption on the destination, you must encrypt that zpool separately (it will have its own keys, but you can choose to use the same password).
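
A check that follows from this, as an added example (not from the thread or the FreeNAS project): because the encryption lives in the geli devices beneath the zpool, a replication target is only encrypted at rest if its own pool members are geli providers, which FreeBSD exposes with a `.eli` suffix. The `zpool status` text embedded below is constructed sample output, and the function names are hypothetical.

```sh
#!/bin/sh
# Reads `zpool status` text on stdin and prints "<pool> <device>" for every
# leaf vdev that is NOT a geli provider (device name lacks the .eli suffix).
unencrypted_vdevs() {
    awk '
        $1 == "pool:"   { pool = $2; in_cfg = 0; next }
        $1 == "config:" { in_cfg = 1; next }
        $1 == "errors:" { in_cfg = 0; next }
        !in_cfg || NF == 0 || $1 == "NAME" { next }
        $1 == pool { next }                                  # pool root line
        $1 ~ /^(mirror|raidz[123]?|spare|replacing)-[0-9]+$/ { next }  # grouping vdevs
        $1 ~ /^(logs|cache|spares)$/ { next }                # section labels
        $1 !~ /\.eli$/ { print pool, $1 }                    # plain (unencrypted) leaf
    '
}

# Constructed sample: "tank" sits entirely on geli providers, "backup" has
# one member that was added without geli.
sample_status() {
    cat <<'EOF'
  pool: tank
 state: ONLINE
config:

    NAME                                                STATE   READ WRITE CKSUM
    tank                                                ONLINE     0     0     0
      mirror-0                                          ONLINE     0     0     0
        gptid/aaaaaaaa-0000-0000-0000-000000000001.eli  ONLINE     0     0     0
        gptid/aaaaaaaa-0000-0000-0000-000000000002.eli  ONLINE     0     0     0

errors: No known data errors

  pool: backup
 state: ONLINE
config:

    NAME                                                STATE   READ WRITE CKSUM
    backup                                              ONLINE     0     0     0
      mirror-0                                          ONLINE     0     0     0
        gptid/bbbbbbbb-0000-0000-0000-000000000001.eli  ONLINE     0     0     0
        gptid/bbbbbbbb-0000-0000-0000-000000000002      ONLINE     0     0     0

errors: No known data errors
EOF
}

# On a real system: zpool status | unencrypted_vdevs
sample_status | unencrypted_vdevs
```

Run it on both the sending and the receiving box; an empty result means every pool member is a geli provider.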
 

hescominsoon

Patron
Joined
Jul 27, 2016
Messages
456
ok so I would set up a zpool on the destination for the other machine and zencrypt that?
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
Please drop the z.
  • It's silly to add the letter z to a word just because of ZFS, unless it really does have a z tacked on (as in RAIDZ)
  • Encryption in FreeNAS does not happen within ZFS. ZFS has literally nothing to do with the encryption used. OpenZFS has no encryption support. It's an OS-level hack.
 

hescominsoon

Patron
Joined
Jul 27, 2016
Messages
456
sorry new to BSD and ZFS so I am still learning the terminology..:) so there is no way to encrypt the actual ZFS pool itself?
 

Nick2253

Wizard
Joined
Apr 21, 2014
Messages
1,633

hescominsoon

Patron
Joined
Jul 27, 2016
Messages
456
hrmm if I am reading this right I can create a dataset for the destination's files to go to and encrypt that individually with its own key...that would serve my purposes well...it looks like I can take a pool..create a volume on it..then create individual datasets and encrypt the datasets each with their own keys..which would suit my purposes well..:)
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
> hrmm if I am reading this right I can create a dataset for the destination's files to go to and encrypt that individually with its own key...that would serve my purposes well...it looks like I can take a pool..create a volume on it..then create individual datasets and encrypt the datasets each with their own keys..which would suit my purposes well..:)

You must be reading something completely different, because FreeNAS uses disk encryption. The disks are encrypted, not the filesystem. You can't encrypt just one dataset.

You can use encrypted container files, of course.
 

hescominsoon

Patron
Joined
Jul 27, 2016
Messages
456
hrmm so there is no innate way to encrypt beyond disks in FreeNAS it appears. So if I want a separately encrypted space per user I would have to go one disk for one user and one disk for another user to keep their backups separately encrypted from each other. That is not going to work for what I have planned unfortunately.
 

hescominsoon

Patron
Joined
Jul 27, 2016
Messages
456
> You must be reading something completely different, because FreeNAS uses disk encryption. The disks are encrypted, not the filesystem. You can't encrypt just one dataset.
>
> You can use encrypted container files, of course.

right so I would have to create that using VeraCrypt or TrueCrypt on a Windows machine..which is not in line with what I was hoping to do.
 