Replicate an encrypted dataset so that it is not readable from the target?

I have one work NAS [TrueNAS SCALE]
I have one home NAS [TrueNAS CORE]

I would like to replicate an encrypted dataset from work to home. The work dataset is encrypted.
I don't want anyone connected to the home NAS to be able to read the backed-up work dataset, because the home NAS does not have the work NAS encryption key.

Is this possible?
If so, how would I set that up?

This replication is for backup purposes only.
Connecting the two is not an issue. I have a WireGuard tunnel between my house and the work server.

For my home NAS I got myself a disk shelf from eBay and filled it with disks. I thought it would be nice to back up the backup server at work. But let's say someone breaks in and steals my server: I don't want them having access to the data, if that makes sense.

What you’re looking for here is “raw send,” and using that as a search phrase might help.

Essentially, you just create an encrypted pool on the source, then replicate it to the target using the raw send argument (zfs send -w). Your target gets the fully-encrypted dataset, but never gets the key with which to unlock it.

I definitely endorse this as a backup mechanism, but I advise caution about using it as your only backup mechanism. There have been some hiccups, and the thing about encryption is… it’s not for the faint-hearted. Encrypted is encrypted and if something breaks, it’s broken and you explicitly do not get any do-overs.

edit: here’s a link to the quick-start guide to openzfs encryption that I wrote for Ars Technica a few years ago: A quick-start guide to OpenZFS native encryption | Ars Technica

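The raw-send setup described in the reply above, as an added example that is not part of the original thread or of TrueNAS: a small POSIX shell script that snapshots the encrypted source dataset, pipes `zfs send -w` through SSH (here, over the WireGuard tunnel) into `zfs recv` on the home NAS, and then checks that the received dataset reports `keystatus unavailable`. The dataset names `work/backups` and `home/replica/work-backups`, the SSH host alias `home`, and the snapshot names are assumptions; substitute your own. The helper functions only build and check command strings, so the script touches `zfs` only when invoked with `run`.

```shell
#!/bin/sh
# Added example (not from the original thread): raw-send replication of an
# encrypted ZFS dataset to a host that never receives the key.
#
# Assumptions (all placeholders, replace with your own names):
#   - work/backups is an encrypted dataset on the work NAS, created with
#     something like: zfs create -o encryption=on -o keyformat=passphrase work/backups
#   - the home NAS is reachable as the SSH host alias "home" through the tunnel
#   - the parent dataset home/replica exists on the home NAS; the received child
#     keeps the *source* wrapping key, which the home NAS never sees

SRC="work/backups"                  # encrypted dataset on the work NAS
DST_HOST="home"                     # SSH alias for the home NAS
DST="home/replica/work-backups"     # where the raw copy lands on the home NAS

# Sending side. -w (--raw) streams the ciphertext blocks plus the wrapped-key
# metadata; the unwrapped key itself is never part of the stream, so the
# receiver can store, snapshot and resend the data but cannot decrypt it.
# Passing a previous snapshot as $2 produces an incremental raw send (-i).
raw_send_cmd() {
    snap="$1"; from="${2:-}"
    if [ -n "$from" ]; then
        printf 'zfs send -w -i %s %s' "$from" "$snap"
    else
        printf 'zfs send -w %s' "$snap"
    fi
}

# Receiving side. -u leaves the dataset unmounted (it could not mount anyway,
# because the key is absent) and -s keeps resumable state if the tunnel drops.
raw_recv_cmd() {
    printf 'zfs recv -u -s %s' "$1"
}

# "Not readable from the target" as it shows up in `zfs get`: the received
# dataset has encryption on (an algorithm name, not "off") and its keystatus
# is "unavailable". Returns 0 when both hold, 1 otherwise.
target_is_unreadable() {
    encryption="$1"; keystatus="$2"
    [ "$encryption" != "off" ] && [ "$keystatus" = "unavailable" ]
}

# Full run: snapshot, raw send over SSH, then verify on the home NAS.
# $1 is the new snapshot, optional $2 the previous one for an incremental send.
replicate_raw() {
    snap="$1"; from="${2:-}"
    zfs snapshot "$snap"
    eval "$(raw_send_cmd "$snap" "$from")" | ssh "$DST_HOST" "$(raw_recv_cmd "$DST")"
    enc=$(ssh "$DST_HOST" zfs get -H -o value encryption "$DST")
    ks=$(ssh "$DST_HOST" zfs get -H -o value keystatus "$DST")
    if target_is_unreadable "$enc" "$ks"; then
        echo "ok: $DST_HOST:$DST is encrypted ($enc) and its key is not loaded"
    else
        echo "warning: $DST_HOST:$DST reports encryption=$enc keystatus=$ks" >&2
        return 1
    fi
}

# Only talk to zfs when explicitly asked, e.g.
#   sh raw_send.sh run work/backups@weekly-1
#   sh raw_send.sh run work/backups@weekly-2 work/backups@weekly-1
if [ "${1:-}" = "run" ]; then
    replicate_raw "$2" "${3:-}"
fi
```

Two practical notes. First, the verification step is the one a practitioner actually wants: if `keystatus` on the home NAS ever reads `available`, the key has somehow been loaded there and the whole point of the exercise is lost. Second, the flip side of the reply's warning: restoring at home after a loss at work requires `zfs load-key` with the original passphrase or key file, so that key material has to live somewhere that is neither the work NAS nor the home NAS.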