Someone pointed out in another HN discussion that for the highest security it would be nice to have an independent service that accepted/pulled ZFS snapshot streams to apply to the backup datasets, as opposed to using ssh and risking local privilege escalations or relying entirely on ZFS user permissions.
Does anyone know of an existing service like this? Is it something rsync would consider hosting/providing? Currently to support sending encrypted ZFS snapshots to rsync.net I need to use the freebsd VM option with its own zpool.
The zfs snapshots that we make of your account are immutable (read only) from the perspective of your credentials.
So even if you publish your rsync.net credentials and Mallory wipes out your entire base account, the snapshots will still be there (until they rotate out, of course).
I use rsync.net in zfs send/receive mode, I push only encrypted snapshots and incrementals, the key has never left my local device (well I have a paper copy in a remote place).
Does anyone know of an existing service like this? Is it something rsync would consider hosting/providing? Currently to support sending encrypted ZFS snapshots to rsync.net I need to use the freebsd VM option with its own zpool.