what option for offsite backup (encryption)

John Doe

Guru
Joined
Aug 16, 2011
Messages
635
hi folks,

I need to move my offsite backup to another location, and that location has limited trust, so I need to encrypt my data.

What options do I have if the main TrueNAS does not have encryption?


Purpose: the main TrueNAS pushes backups to the offsite TrueNAS. In case of a defect on the main TrueNAS, I can pick up the backup TrueNAS.
But I cannot enter passwords every time it restarts.
 

Heracles

Wizard
Joined
Feb 2, 2018
Messages
1,401
Hi @John Doe,

Good that you think about backups!

TrueNAS's native encryption will decrypt everything on-the-fly while it is powered up. As such, ZFS-level encryption is probably not what you are looking for. That means you would need file-level encryption. Here, everything I have is in my Nextcloud, and Nextcloud is applying server-side encryption. That way, all my files end up encrypted before being saved on my first TrueNAS. ZFS then replicates everything to the two other NASes. Because the files are already encrypted themselves, nothing special is needed here.
 

John Doe

Thanks for the hint with Nextcloud.

To spin this Nextcloud idea further: I would create a Nextcloud server. Data storage would then be all my drives, and Nextcloud shall do the syncing to the backup server?

A potential workaround:
Since there are no shares on the offsite server, nothing will be shared. To enable a share you need the password for the TrueNAS web UI.
As far as I remember, you can hook up a keyboard and monitor and change the password. Is there a way to prevent access?

I might be able to set up ESXi with a VM acting as an OpenVPN client, for being able to SSH into FreeNAS. With that I can enter the passphrase to unlock the drives of FreeNAS.

Hell, that's a workaround for a "simple" issue.
 

Heracles

To spin this Nextcloud idea further: I would create a Nextcloud server. Data storage would then be all my drives, and Nextcloud shall do the syncing to the backup server?

Nope.

TrueNAS will host the storage and present it to Nextcloud. Whenever Nextcloud has a file to save, it will first encrypt it before writing it to the storage.

TrueNAS does not care about the content of the file. Clear text or encrypted, it is the same thing. So TrueNAS will do its replication task (ZFS send and ZFS receive) just like it would do should the file have been clear text. The result is still that the files that end up on the backup server are encrypted and the keys to decrypt them are in Nextcloud's database. As such, TrueNAS itself is unable to decrypt them.
You can hook up a keyboard and monitor and change the password.

Indeed you can. You can also password-protect that console if you wish to prevent that but ultimately, there is no logical security that will survive physical assault. The only way is encryption AND ensuring that the keys and cryptograms are not both at the same place. With ZFS encryption, both are at the same place. With Nextcloud, they can be separated.
I might be able to set up ESXi with a VM acting as an OpenVPN client, for being able to SSH into FreeNAS.

Wow! That is probably the world record for complexity! SSH is secure by itself but indeed, it may be safer not to expose it to Internet. Still, OpenVPN can be deployed directly as plugin in TrueNAS or even better, such a site-to-site VPN would be achieved with an infrastructure router like pfSense.
 

John Doe

For this Nextcloud idea:

I think I got it partly. Since the main TrueNAS is providing storage for ESXi, how could that work with Nextcloud?
In case I just skip storage for ESXi and go with Nextcloud, how would delta backup work if encrypted? I would assume once the file changes, the entire part needs to be synced again via replication task?
As of today I do the majority of my tasks within File Explorer. In case that Nextcloud idea happens, can I still use it, or am I dependent on that Nextcloud interface?
Do all computers need to have the Nextcloud client installed to access files on TrueNAS?
Just to be clear, I am talking about 6x10TB RAIDZ2 -> ~30TB that can't be synced to clients.

The "workaround" idea:

The problem is, I cannot open ports on the remote side, so the backup server needs to call home.
In case the datasets are encrypted, the jail will probably not boot up to call home.

With ZFS encryption, both are at the same place.
I didn't get that. My expectation is that I enter a passphrase to unlock the dataset, so the secret is with me, and the encryption is on the remote side, isn't it?
 

Heracles

I didn't get that. My expectation is that I enter a passphrase to unlock the dataset, so the secret is with me, and the encryption is on the remote side, isn't it?

Yes and no. You are right, but only up to the moment you put the password in. As soon as you have unlocked the key with that passphrase, that key stays in RAM and will decrypt everything on-the-fly without any other interaction or re-entering the password. As such, once booted and operational, key and cryptograms are back together, so encryption is defeated.
I think I got it partly. Since the main TrueNAS is providing storage for ESXi, how could that work with Nextcloud?

It can't. You cannot present storage to ESX using Nextcloud.

how would delta backup work if encrypted?

The ZFS send / receive is driven by the snapshots. So if a file is modified, the snapshot will keep it and will send a copy during the next ZFS send / receive. Should a file have remained untouched since the last snapshot, it will not be marked as part of the new one, so it will not be sent.

I would assume once the file changes, the entire part needs to be synced again via replication task?

You are right here.

As of today I do the majority of my tasks within File Explorer. In case that Nextcloud idea happens, can I still use it, or am I dependent on that Nextcloud interface?

Nextcloud presents its files with WebDAV. You can mount your content as a WebDAV share and do your work with anything that is WebDAV compatible. Windows, Mac OS X and much much more can mount WebDAV, so you have plenty of options.

Do all computers need to have the Nextcloud client installed to access files on TrueNAS?

No. They can access the Web interface using a browser or map the share as a WebDAV client.

Just to be clear, I am talking about 6x10TB RAIDZ2 -> ~30TB that can't be synced to clients.

Does all of that need to be synced to each and every one? If so, I have no experience with such a large sync between that many accounts. As long as the servers and the network are up to the task, it should be OK. But do you have 30TB of local storage in your clients? Probably not...

The problem is, I cannot open ports on the remote side, so the backup server needs to call home.

A site-to-site VPN may help a lot here.
 

John Doe

Thanks a lot for really answering one by one!
May I raise a few more?

Nextcloud idea:
I need to do some testing with Nextcloud DAV.
How is your impression performance-wise with encryption?
I have many files to move from desktop to TrueNAS, and as of today I am maxing out my 1GbE -> about a stable 110MB/s. Can I expect the same with Nextcloud?

Of course I need to back up that Nextcloud instance as well, otherwise it is pointless. E.g. my house burns down, the encrypted data is available but everything else is not -> problem.
How would you consider the security of FreeBSD and the Nextcloud instance saved unencrypted? I think it should be okay, since you cannot fetch data out of FreeBSD in case it is in the home directory (which requires login)?

Workaround idea:
For me it would be fine to have the datasets unlocked. It is a lot of effort to read out the memory and search for the passphrase.
Just one more thought: if the main TrueNAS is not using encryption, can the backup TrueNAS have encrypted datasets?


Puhhh, both ways would mean a major change, and my experience with broken updates in Nextcloud was quite bad, even though the last 4 updates went smoothly. However, the Nextcloud encryption idea is nice.
 

John Doe

One more thing:
I did some testing with a new Nextcloud instance, set up everything and tried to copy a 5GB .iso file, until Windows showed me that the file size is too big for the file system.

It seems like Windows is using a 32-bit value that cannot handle sizes greater than 4GB. So I wonder how you got around this.
 

Heracles

So I wonder how you got around this.

Easy : I got rid of Windows more than 15 years ago. Completely Windows-free here and using only operating systems worthy of being called such....
 

Heracles

How is your impression performance-wise with encryption?

Never did any measurement. For my personal usage with such a powerful server as mine, CPU is sleeping all day long...

I have many files to move from desktop to TrueNAS, and as of today I am maxing out my 1GbE -> about a stable 110MB/s. Can I expect the same with Nextcloud?

Nextcloud will never be any faster than your network link, that is for sure. As for its bandwidth, you may expect it to be lower because such a service should run over TLS while Windows's file sharing does not. As such, clients and servers need to encrypt / decrypt everything.

How would you consider the security of FreeBSD and the Nextcloud instance saved unencrypted? I think it should be okay, since you cannot fetch data out of FreeBSD in case it is in the home directory (which requires login)?

Every file is encrypted with a dedicated key. That key is saved in Nextcloud's database and is itself protected by a user's credential. Still, the admin can do recovery, so the moment the database is accessible, recovery is possible.

Here, I do an SQL dump of that database with a script which then encrypts the dump. That SQL dump is then saved with the rest for backup. The passphrase to decrypt the database is nowhere in TrueNAS and only I know it. As such, only I can recover the backup.

However, the Nextcloud encryption idea is nice.

Any other server-side encryption may achieve something similar...
 
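The encrypted database dump Heracles describes, as an added example that is not the poster's own script. It goes one step further than a passphrase: the NAS holds only the public half of an RSA key (hypothetical path nas-pub.pem), and the private half stays offline with the owner, so the job runs unattended at boot and nothing stored on either NAS can open the backup. Function names, file paths and the sample dump row are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's own script: unattended encryption of a Nextcloud DB dump.
# The NAS holds only the PUBLIC half of an RSA key (nas-pub.pem, hypothetical path); the
# private half stays offline with the owner, so nothing on either NAS can open the backup.
# Files written next to OUTPREFIX: .key (RSA-OAEP wrapped data key), .enc (dump), .sha256
set -eu

# encrypt_dump NAS-PUB.pem DUMPFILE OUTPREFIX    (DUMPFILE is the mysqldump/pg_dump output)
encrypt_dump() {
    pub=$1; dump=$2; out=$3
    # fresh per-backup data key; lives only in this shell variable, never in argv or on the pool
    dek=$(openssl rand -hex 32)
    # wrap the data key with the offline key's public half
    printf '%s' "$dek" | openssl pkeyutl -encrypt -pubin -inkey "$pub" -out "$out.key" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
    # encrypt the dump under the data key; env: keeps the key out of the process list
    DEK=$dek openssl enc -aes-256-cbc -pbkdf2 -pass env:DEK -in "$dump" -out "$out.enc"
    # CBC gives no integrity check, so record what a correct restore must hash to
    openssl dgst -sha256 -r "$dump" | cut -d' ' -f1 > "$out.sha256"
}

# decrypt_dump OFFLINE-PRIV.pem OUTPREFIX RESTOREDFILE   (run wherever the private key lives)
decrypt_dump() {
    priv=$1; in=$2; restored=$3
    dek=$(openssl pkeyutl -decrypt -inkey "$priv" -in "$in.key" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256) || return 1
    DEK=$dek openssl enc -d -aes-256-cbc -pbkdf2 -pass env:DEK \
        -in "$in.enc" -out "$restored" || return 1
    # refuse a restore whose content differs from what was backed up
    [ "$(openssl dgst -sha256 -r "$restored" | cut -d' ' -f1)" = "$(cat "$in.sha256")" ]
}

# On the NAS a cron job would run, for example (hypothetical paths):
#   mysqldump nextcloud > /tmp/nc.sql && encrypt_dump /root/nas-pub.pem /tmp/nc.sql /mnt/pool/backup/nc-db
```

The .key, .enc and .sha256 files can travel with the ZFS replication to the low-trust site; a restore needs the offline private key and is refused when the decrypted content does not match the recorded hash.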

John Doe

Easy : I got rid of Windows more than 15 years ago. Completely Windows-free here and using only operating systems worthy of being called such....
In case you give this WebDAV Nextcloud recommendation to further people, maybe spend 3 seconds mentioning the 4GB limit on Windows. That would probably be much appreciated.
 