# ZFS Encryption and Untrusted Remote Backup



## fastmachine (May 1, 2014)

I have searched a long time, but have not been able to find an answer to the problem of remote encrypted backup to an untrusted site. (Sorry if this is so long, I wanted to cover a lot of scenarios.)

Here is my plan. Have two machines running ZFS. Machine A will be at my house, and let's say that machine B is at my friend's house (or the NSA for that matter). I want my data to be protected from bitrot, drive failure, and a fire burning down my home. I also don't trust my friend not to have the computer hacked to get at my data.

Therefore I was planning on setting up the machines like this:

- Machine A (my house) - ZFS over GELI - will provide data at rest protection in case the machine is stolen
- Machine B (friend's house) - straight ZFS - no snapshots or encryption

Then on machine A I will use ZFS send and pipe to a file, compress and encrypt. Afterwards, I will send the file to Machine B (maybe over a USB thumbdrive) with a checksum. The checksum will make sure that the data does not "rot" during transport. Once moved to Machine B I know that ZFS will prevent it from bitrot and since the data is encrypted at my house there is no chance for it to be compromised at my friend's house.

Other solutions I have looked at:

- Machine B runs ZFS over GELI - doesn't protect if the computer is compromised, since I have to unlock GELI to get access to the files for backup.
- Machine B runs sshfs or something on top of ZFS - doesn't provide support for the ZFS snapshots, etc. on Machine A.

Does that seem like it would work or am I missing something or a simpler solution? (Sorry again if this is the wrong forum or if there is another section I should have posted this.)


----------



## kpa (May 1, 2014)

I would look into encrypting the stream produced by `zfs send` with GnuPG and use yourself as the recipient. This would completely guarantee that no one else but yourself is able to decrypt the stream and also provide integrity checking on the stream, something that the plain `zfs send/receive` cannot provide.


----------
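The workflow discussed in the two posts above, as an added example that is not part of either post: the `zfs send` stream is encrypted and signed to your own GnuPG key on machine A, and a SHA-256 of the ciphertext travels with it so the copy can be checked without any key. The snapshot name, key id and file path in the comments are assumptions, as are the function names.

```sh
#!/bin/sh
# Added example, not from the thread. Assumed names: snapshot tank/data@backup1,
# GnuPG key backup@example.org, transfer file /mnt/usb/data-backup1.zfs.gpg.

# Use pipefail where the shell has it, so a failed `zfs send` is not masked by gpg.
(set -o pipefail) 2>/dev/null && set -o pipefail

# Print the hex SHA-256 of a file (sha256sum on Linux, sha256 on FreeBSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# backup_snapshot SNAPSHOT KEYID OUTFILE   (run on machine A)
# Encrypts and signs the stream to your own key, then records a checksum of the
# ciphertext so the copy can be checked in transit and on machine B without a key.
backup_snapshot() {
    bs_out=$3
    if zfs send "$1" | gpg --encrypt --sign --recipient "$2" > "$bs_out.tmp"; then
        mv "$bs_out.tmp" "$bs_out" && sha256_of "$bs_out" > "$bs_out.sha256"
    else
        rm -f "$bs_out.tmp"; return 1
    fi
}

# verify_transport FILE   (run after each copy; needs no key)
verify_transport() {
    [ "$(sha256_of "$1")" = "$(cat "$1.sha256")" ]
}

# restore_snapshot FILE DATASET   (run where the private key lives)
# Decrypts to a temporary file first: gpg can only report a bad signature after
# processing the whole stream, so `zfs receive` runs only if gpg succeeded.
restore_snapshot() {
    verify_transport "$1" || { echo "checksum mismatch: $1" >&2; return 1; }
    rs_plain=$(mktemp) || return 1   # keep TMPDIR on the GELI-backed disk
    if gpg --decrypt "$1" > "$rs_plain"; then
        zfs receive "$2" < "$rs_plain"; rs_rc=$?
    else
        rs_rc=1
    fi
    rm -f "$rs_plain"
    return "$rs_rc"
}
```

The outer checksum only detects accidental corruption of the ciphertext; detection of deliberate modification comes from the GnuPG signature check at restore time.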

