Please excuse me if such a scenario was already discussed.
I was wondering how to ensure that syncoid, running in pull mode at backup-server, doesn't have any chance to decrypt data from its target backup-target, even if backup-server is compromised (root account is accessible to a malicious user)?
backup-target has an encrypted dataset. backup-server is pulling snapshots of that encrypted dataset from backup-target.
I tested that: running syncoid without --sendoptions=w at backup-server would result in a decrypted data snapshot from backup-target at backup-server.
For encrypted datasets, send data exactly as it exists on disk. This allows backups to be taken even if encryption keys are not currently loaded. The backup may then be received on an untrusted machine since that machine will not have the encryption keys to read the protected data or alter it without being detected. Upon being received, the dataset will have the same encryption keys as it did on the send side…
You can unmount the datasets and unload all of your encryption keys on both machines (zfs unmount -u pool) and send fresh snapshots. It’ll work, but nothing is mounted and no keys are loaded.
As syncoid is just a wrapper (?) for zfs send/receive/..., I guess there is a chance to enforce -w like this? I would appreciate some opinions on this idea and my issue in general.
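One way to enforce raw sends on the side that holds the data, rather than trusting the puller to pass --sendoptions=w, is an SSH forced command on backup-target for the key that backup-server uses. The script below is an added example written for this thread; it is not part of syncoid or OpenZFS. It inspects SSH_ORIGINAL_COMMAND and only executes it when every "zfs send" stage carries -w or --raw. The set of helper programs (mbuffer, pv, compressors) and zfs subcommands it allows is an assumption about what syncoid runs on the source host; check the actual commands with syncoid --debug and adjust the allowlist.

```shell
#!/bin/sh
# raw-send-only.sh: forced command for the pull key on backup-target.
# Install on backup-target in ~/.ssh/authorized_keys of the pulling user, e.g.
#   command="/usr/local/bin/raw-send-only.sh",no-port-forwarding,no-pty ssh-ed25519 AAAA... backup-server
# Added example for this thread; the allowlists below are assumptions, not syncoid's documented command set.

# allow_zfs_cmd CMD: returns 0 if CMD is a pipeline we are willing to run,
# 1 otherwise. Any "zfs send" stage must include -w (possibly combined, e.g.
# -wI) or --raw, so a decrypted stream can never be requested.
allow_zfs_cmd() {
    cmd=$1
    nl='
'
    # Refuse command chaining and substitution: only one pipeline is inspected.
    case $cmd in
        *';'*|*'`'*|*'$('*|*'${'*|*"$nl"*) return 1 ;;
    esac

    set -f              # no globbing while we word-split
    set -- $cmd
    set +f

    state=head          # head: program name expected; zfs: subcommand expected; args: inside a stage
    in_send=0
    saw_raw=0
    for tok in "$@"; do
        if [ "$tok" = "|" ]; then
            # end of a stage: a send stage without the raw flag is fatal
            [ "$in_send" = 1 ] && [ "$saw_raw" = 0 ] && return 1
            state=head; in_send=0; saw_raw=0
            continue
        fi
        if [ "$state" = head ]; then
            case $tok in
                zfs) state=zfs ;;
                mbuffer|pv|lzop|gzip|zstd) state=args ;;   # assumed helpers syncoid may invoke
                *) return 1 ;;
            esac
            continue
        fi
        if [ "$state" = zfs ]; then
            case $tok in
                send) in_send=1 ;;
                get|list|snapshot|destroy) ;;   # assumed read/snapshot housekeeping; drop destroy if unneeded
                *) return 1 ;;                  # e.g. load-key, mount, change-key are never allowed
            esac
            state=args
            continue
        fi
        if [ "$in_send" = 1 ]; then
            case $tok in
                --raw) saw_raw=1 ;;
                --*) ;;                 # other long options do not count
                -*w*) saw_raw=1 ;;      # -w on its own or combined with other short flags
            esac
        fi
    done
    [ "$in_send" = 1 ] && [ "$saw_raw" = 0 ] && return 1
    return 0
}

# Dispatcher: only active when sshd hands us the client's requested command.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if allow_zfs_cmd "$SSH_ORIGINAL_COMMAND"; then
        exec /bin/sh -c "$SSH_ORIGINAL_COMMAND"
    fi
    echo "refused: only raw (-w/--raw) zfs sends are permitted through this key" >&2
    exit 1
fi
```

Combine this with the advice above of keeping the encryption keys unloaded on backup-target: a non-raw send of an encrypted dataset also fails at the zfs level when its key is not loaded, so the wrapper and the unloaded key are two independent layers, and a compromised backup-server gets at most the ciphertext it can already read from its own pool.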