FreeNAS ZFS snapshot backup to Amazon S3

I’ve been looking for a way to backup my FreeNAS ZFS snapshots to an offsite location. I didn’t find much information how to do this so i had to come up with my own solution.

In this post I’m going to show you how to save your encrypted ZFS snapshots in Amazon S3. We’re going to use a FreeBSD jail together with GnuPG and s3cmd.

Adding a jail in FreeNAS

Go to the FreeNAS web ui and click Jails. Click add and choose name. If you click advanced here you can change the ip-adress for the jail(I wanted to use DHCP).

 

Adding an empty jail in Freenas
Adding an empty jail in FreeNAS

Click ok and FreeNAS will setup a new jail for you which takes a minute or two.

From now on we will have to work in the FreeNAS shell(SSH must be enabled under services in the Web UI).

To list all the jails running on your FreeNAS host we can run:

$ jls

Verify that the jail you created is listed.

To enter the jail run:

$ jexec your_jail_name
$ # Verify that your in the jail
$ hostname
backup

We’re going to need to install some packages. First we need GnuPG which we’ll use to encrypt our snapshots. Then we will need the s3cmd which is used for uploading our snapshots to Amazon s3.

$ pkg install security/gnupg
$ pkg install net/py-s3cmd

I’m going to use symmetric AES256 encryption with a passphrase file because i don’t want to store my data in the cloud unencrypted. So generate a random passphrase which you will need to store at multiple locations(not just inside the jail). Because if the passphrase is lost your backups will be worthless. The passphrase file needs to be accessible by the backupscript. I have placed my passphrase file in in the root directory.

$ echo "mypassphrase" > /root/snapshot-gpg-passphrase
$ chmod 400 /root/snapshot-gpg-passphrase

Next we’ll create a folder holding our current list of snapshots that we’re going to keep synced with S3.

$ mkdir /root/s3_sync_bucket
$ chmod 600 /root/s3_sync_bucket

We also need to configure s3cmd so run this and answer all questions:

$ s3cmd --configure

The backup script

This script should be run on the FreeNAS host. What is does:

  1. Creates a snapshot of the specified dataset
  2. Sends it to the backup jail where it’s encrypted and saved to file
  3. Removes the snapshot on the FreeNAS host
  4. Removes all snapshots older than 7 days
  5. Syncs the local s3 bucket directory with S3 using s3cmd

Create the script and run it manually or with crontab

$ touch /root/backup_script.sh
$ chmod 700 /root/backup_script.sh
$ /root/backup_script.sh my-pool/my-dataset

Edit the script to fit your needs.

Decrypting a backup

To decrypt a backup:

$ gpg --batch --decrypt --passphrase-file /root/pass-gpg < backup_file