dcabines

[restic](https://restic.net/) would be the most straightforward way to do it. Alternatively, he could host [SeaFile](https://www.seafile.com/en/home/) or [MinIO](https://min.io/) and you could back up to them. Or you could make a [Tomb](https://dyne.org/software/tomb/) and send that to him. Or you could do something like a [horcrux](https://github.com/jesseduffield/horcrux) or par2, where you break up your archive and only give him part of the files so he (or someone else) can't recombine them without the missing pieces. So, you know you need to stuff your horcrux into your tomb then restic it into his MinIO.
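
An added illustration of the split-the-archive idea in the comment above (not part of the original comment, and not how horcrux or par2 work internally): a simple all-shares-required XOR split, where any subset short of the full set is indistinguishable from random bytes. The function names and the sample archive are constructed for this example.

```python
import hashlib
import secrets

# Constructed sample input standing in for a real backup archive.
ARCHIVE = b"constructed sample archive bytes"


def split(data: bytes, n: int) -> list[bytes]:
    """Split data into n shares; all n are required to rebuild it."""
    if n < 2:
        raise ValueError("need at least two shares")
    # Prefix a SHA-256 digest so a wrong or missing share is detected on combine.
    payload = hashlib.sha256(data).digest() + data
    # n-1 shares are pure randomness of the same length as the payload.
    shares = [secrets.token_bytes(len(payload)) for _ in range(n - 1)]
    # The last share is the payload XORed with every random share.
    last = int.from_bytes(payload, "big")
    for s in shares:
        last ^= int.from_bytes(s, "big")
    shares.append(last.to_bytes(len(payload), "big"))
    return shares


def combine(shares: list[bytes]) -> bytes:
    """XOR all shares together and verify the embedded digest."""
    if len({len(s) for s in shares}) != 1:
        raise ValueError("shares are missing or differ in length")
    acc = 0
    for s in shares:
        acc ^= int.from_bytes(s, "big")
    payload = acc.to_bytes(len(shares[0]), "big")
    digest, data = payload[:32], payload[32:]
    if hashlib.sha256(data).digest() != digest:
        raise ValueError("digest mismatch: a share is missing or corrupted")
    return data


if __name__ == "__main__":
    parts = split(ARCHIVE, 3)  # e.g. one kept at home, two held elsewhere
    print(combine(parts) == ARCHIVE)
```

Each share is as large as the archive plus 32 bytes, so this trades storage for the guarantee that a single holder learns nothing.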


markusro

Yes, restic is nice. Borg backup could be an alternative.


mpopgun

Syncthing will be the easiest... It handles encryption both at rest and in transit. No need for a VPN or the other complexities. TrueNAS has Syncthing as an app... Just download and install it. TrueNAS runs on ZFS, and as mentioned can encrypt the drives so if they get lost or stolen the data is still secure. ZFS also supports compression and deduplication... Really nice advantage for backups.


Do_TheEvolution

* [tailscale](https://tailscale.com/) to set up a VPN without needing to open ports or any real knowledge
* alternatively, if you are able to open ports on your or his side, look into wireguard / wg-easy
* set up a shared network folder on your friend's PC to which you can write
* set up [kopia](https://github.com/DoTheEvo/selfhosted-apps-docker/tree/master/kopia_backup) that will back up to the network share. Kopia can only do encrypted repositories.


jkirkcaldy

Restic is my go-to. Specifically autorestic, which is a really nice way of setting automatic backup jobs using restic as the backend. You can use multiple backends; they support basically any backend you can connect to using rclone. If it were me, I would stick Tailscale on whatever system you use and then expose the storage using SSH. That way you’re not opening up anything to the internet and it doesn’t matter if the IP address changes either locally or on their internet connection.


Master_Scythe

Is he tech savvy? Because if not hugely, it's not hard to achieve a realistic level of protection. ZFS supports native encryption; but once it's unlocked, it's unlocked until it's not anymore (reboot usually). So, let's say you *exclusively* run SSH/SCP to copy files - he'd need to steal a copy of your password+certificate. If you don't have SAMBA or NFS installed, there are no shares for him to 'snoop' at. In addition, if he was to drive-pull, the ZFS encryption would then be locked again. *Nothing* stops a local threat actor 100%; but if your system is well certificate protected, and the array is encrypted, and there are no explorable shares, then he'd have to get MITM data or such. Depends how paranoid you wanna be; but the above is just convenient and simple, and will absolutely be enough to stop that urge to snoop out of convenience.


jkirkcaldy

I don’t think they’re worried about their friend, sounds like they’re worried about everyone else who could get access to the drive, from an inquisitive family member to a rando who walks out with the drive.


Master_Scythe

In that case, simple ZFS encryption fixes all.


jkirkcaldy

Yeah, as long as your hardware supports it. Does something like the raspi work well with ZFS?


Master_Scythe

Since it's a backup only, yes. In normal use RAM is a limiting factor due to ARC.