Non Root ZFS Replication with Syncoid

By hernil

One of the key strenghts of using ZFS as a file server is the extremely effecient replication that can be used for backup purposes. Sanoid and Syncoid are abstractions over the built in zfs snapshot and zfs send functionality that makes life a little simpler and should also help speed up transfers.

This guide is pretty bare bones and was written previously as a step by step reminder of how I set up my backup server pull data from my laptop.

The advantage of this pull-based configuration is that a compromised machine has no way to modify any of the previously backed up files on the backup destination. Similarly a compromised backup destination (hopefully it won’t come to that …) would actually not have any way of modifying files on the production system as we only grant it read access.

Sender / production system

Install ssh-server if needed

sudo apt install ssh

Create user

sudo mkdir /home/zfssend
sudo useradd --home-dir /home/zfssend --shell /bin/bash zfssend
sudo chown zfssend:zfssend /home/zfssend

Create ssh key

sudo -u zfssend bash
ssh-keygen -t ed25519

Set zfs delegation rights

sudo zfs allow zfssend send,hold rpool

Reciever / Backup destination

Create zfs dataset

sudo zfs create tank/backup/zfs/sending-host

Create user

sudo useradd --no-create-home --home-dir /mnt/tank/backup/zfs --shell /bin/bash zfsrecv

Create ssh key

sudo -u sshrecv bash
ssh-keygen -t ed25519
cat ~/.ssh/

Add key to sender user

tee -a /home/zfssend/.ssh/authorized_keys << EOF
[paste key here]

Set zfs delegation rights

sudo zfs allow zfsrecv create,mount,receive,rollback tank/backup/zfs


Let’s go ahead and test that everything is working by running this as the zfsrecv user.

syncoid -r --no-privilege-elevation --no-sync-snap zfssend@sending-host:rpool tank/backup/zfs/sending-host/rpool --exclude=docker


Heavily inspired by

Improving Replication Security With OpenZFS Delegation

Input or feedback to this content?
Reply via email!
Related Articles