Making backup to a local external drive Encrypted- is it possible in CORE?

[GJSchaller]

I have a TrueNAS CORE 13.0-U5.3 system. I also have two external USB drives on-hand from a previous setup, that I would like to use as backup drives. One stays local, and a replication task runs on a daily basis, the other is attached / imported as needed, the replication task is run, then the pool is exported and the disk taken offsite for safe keeping (returning about once a month for another backup).

At the moment, I can do the replication without issue, as long as nothing is encrypted. Because the backup drive(s) are easily portable, I'd like to encrypt them so that if something happens and they are stolen, they're somewhat safe.

The challenge I am running into is making the backup replication task / pool encrypted. If I encrypt the pool Offsite-Backup at creation, I can't replicate to it. If I leave the pool unencrypted at creation, I am unable to use encryption when I run the replication task.

Is there a way to ensure my external drive is encrypted when backing up to it using a replication task? I can't seem to find a definitive answer on how to do this either in the docs, or on the forums.

Thank you!

 

[winnielinnie]

If I encrypt the pool Offsite-Backup at creation, I can't replicate to it. If I leave the pool unencrypted at creation, I am unable to use encryption when I run the replication task.

That's a double-bind, if I've ever seen one...

Probably due to this "fix" that was implemented recently in 13.0-U5:

TrueNAS 13.0-U5 is Now Available

We are pleased to announce the release of TrueNAS 13.0-U5. This release includes one new feature that adds a method to report ARM status information from ACPI tables, and update of the Asigra and Iconik plugins to the latest publicly available release, several NVDIMM improvements, and fixes many...

www.truenas.com

How do you have your replication task configured?

 

[GJSchaller]

It's been this way since the 10.3-U3 days for me.

The task is under Tasks => Replication Tasks.
Source is /mnt/data (main pool on the TrueNAS), Destination is Offsite-Backup (Pool created on external drive)
Local transport, Recursive, Include Dataset Properties
Where I run into trouble is when I check off Encryption - if I do, the task fails. If I try to replicate to an already encrypted pool, it fails.

I am guessing my source pool also needs to be encrypted? I didn't do that at the original setup - would that be preventing me from making an encrypted backup?

 

[kiriak]

I think it is possible, this is what I do in TN Core 13.something

My main pool is unencrypted with only one of several datasets encrypted.

I use an external HDD to replicate some of the snapshots, including these from the encrypted dataset.

The ext HDD backup is encrypted.
I don't remember if the whole pool is encrypted or maybe I had made an encrypted dataset where the snapshots are replicated (is this possible?).
If needed I can check in a few days when I will have the offsite disk in my hands.

 

[GJSchaller]

If needed I can check in a few days when I will have the offsite disk in my hands.

Were you ever able to check into this? I'd like to encrypt my external drive backups, if possible, especially the ones going offsite.

 

[kiriak]

Sorry I was really busy these days and was late to bring this disk back to home.
Today I had this on my hands.

Unfortunately I don't remember what I did and I'm not sure where to look.

kir1tb is the name of the external HDD pool.
If I remember well, it was an encrypted pool (with the new encryption, not GELI) and inside this there are two unencrypted datasets.
On the first one named "back2" the snapshots are replicated, one of them named "kiriakos" is an encrypted dataset on the server.
When I import the kir1tb pool, I have to provide two passphrases, one for the pool (?) and the other for the encrypted dataset kiriakos.




I don't know if this helps you, If anyone knows tell me where to look for what.


If I click the 3 dots on the right of the first image, only in the 'kir1tb" and "kiriakos" there "encryption actions" in the menu.
I don;t know what the icons like locks by the "back2" and "backups" datasets mean.