The 3-2-1 backup rule requires at least one data copy at an external location. Yet many SMBs struggle with this: a second site is expensive, manual drive rotation is unreliable, and traditional cloud backups quickly cost hundreds of euros monthly at larger data volumes. TrueNAS Cloud Sync solves this — with automatic, encrypted offsite backups to S3-compatible storage providers, configured directly from the TrueNAS web interface.
Why Offsite Backups Are Essential
Local backups protect against hardware failures and accidental deletion. Against ransomware, fire, flooding, or theft, they are ineffective — all data resides at the same physical location. Modern ransomware specifically targets network shares and NAS systems to encrypt backup data as well.
An offsite backup ensures that at least one copy of your data exists physically and logically separated from the production system. Cloud Sync automates this fully: data is transferred on schedule, encrypted, and bandwidth-efficiently to an external S3-compatible storage target.
Cloud Sync vs. ZFS Replication: When to Use Which
TrueNAS offers two paths for offsite protection. The choice depends on the target system and requirements:
| Criterion | Cloud Sync | ZFS Replication |
|---|---|---|
| Target | S3, Wasabi, Backblaze B2, MinIO | Second TrueNAS system |
| Protocol | S3 API (HTTPS) | ZFS Send/Receive (SSH) |
| Granularity | File-based | Block-based (snapshots) |
| Speed | Good (files individually) | Very fast (changed blocks only) |
| Target hardware | No dedicated system required | Dedicated TrueNAS server needed |
| Cost | From ~EUR 6/TB/month | Hardware + power + site |
Recommendation: If you already operate a second TrueNAS site, use ZFS replication for maximum speed and consistency. For everyone else, Cloud Sync is the simplest and most cost-effective offsite solution.
Comparing S3-Compatible Providers
Not every S3 provider suits every use case. Key differences at a glance:
| Provider | Storage Cost/TB/Month | Egress Costs | API Costs | Key Feature |
|---|---|---|---|---|
| AWS S3 Standard | ~EUR 23 | EUR 0.09/GB | Yes | Full feature set, but expensive |
| AWS S3 Glacier | ~EUR 4 | EUR 0.09/GB | Yes | Cheap, but slow retrieval |
| Wasabi | ~EUR 6 | Free | Free | No egress fees, 90-day minimum retention |
| Backblaze B2 | ~EUR 6 | EUR 0.01/GB | Low | Affordable, simple pricing |
| MinIO (Self-Hosted) | Hardware costs | None | None | Full control, own infrastructure |
For SMBs with 5-50 TB of offsite needs, Wasabi and Backblaze B2 are the most economical options. Wasabi stands out with free egress — an advantage that matters during restores.
Setting Up Cloud Credentials
Before creating Cloud Sync tasks, S3 provider credentials must be stored in TrueNAS:
- Open Credentials > Cloud Credentials > Add
- Select the Provider (e.g., “Amazon S3” or “S3 Compatible” for Wasabi/MinIO)
- Enter the provider’s Access Key ID and Secret Access Key
- For S3-compatible providers, specify the Endpoint (e.g.,
s3.eu-central-1.wasabisys.com) - Test the connection with Verify Credential
- Save
Create a dedicated bucket at the S3 provider beforehand — ideally with Object Lock or Versioning enabled for additional ransomware protection.
Creating a Cloud Sync Task
Under Data Protection > Cloud Sync Tasks > Add, the sync job is configured:
Direction: PUSH
Transfer Mode: SYNC (or COPY for pure archiving)
Credential: [previously created Cloud Credentials]
Bucket: truenas-offsite-backup
Folder: /server-name/
Directory: /mnt/pool/dataset
Schedule: Daily at 02:00Transfer modes explained:
- SYNC — Mirrors the source folder exactly to the target. Deleted files are also removed from the target. Ideal for current offsite copies.
- COPY — Copies only new and changed files. Deleted files remain in the target. Suitable for archiving.
- MOVE — Moves files to the target and removes them locally. Rarely appropriate for backup scenarios.
Encryption: Protecting Data Before Upload
TrueNAS Cloud Sync supports client-side encryption directly in the task. Under Advanced Options, enable encryption:
- Set Encryption to “Enabled”
- Assign an Encryption Password and document it securely
- Optional: set an Encryption Salt for additional security
Data is encrypted before upload using AES-256. The cloud provider sees only encrypted blocks — even during a data breach at the provider, your data remains protected. Without the password, decryption is practically impossible.
Important: Store the encryption password separately from the TrueNAS system. If lost, the cloud data is irrecoverable.
Bandwidth Limiting and Scheduling
Large data volumes can noticeably impact internet connectivity during business hours. Cloud Sync offers two measures:
- Bandwidth Limit in the task (e.g.,
50Mfor 50 Mbit/s) — keeping enough bandwidth for daytime operations - Schedule set to off-peak hours (e.g., 22:00-06:00), when the connection is idle
For the initial upload, temporarily remove the bandwidth limit and run the first transfer over a weekend. After that, Cloud Sync transfers only changed files — daily data volumes drop drastically.
Cost Example: 10 TB Offsite Backup
What does 10 TB of offsite backup cost monthly with common providers?
| Provider | Storage/Month | Egress (1 TB Restore) | Total/Month | Total/Year |
|---|---|---|---|---|
| AWS S3 Standard | EUR 230 | EUR 90 (one-time) | EUR 230 | EUR 2,760 |
| Wasabi | EUR 60 | EUR 0 | EUR 60 | EUR 720 |
| Backblaze B2 | EUR 60 | EUR 10 (one-time) | EUR 60 | EUR 720 |
| MinIO (own HW) | ~EUR 15 (power) | EUR 0 | ~EUR 15 | ~EUR 180 |
Wasabi and Backblaze B2 cost around EUR 720 per year for 10 TB — a fraction of what a second physical site with its own hardware would cost.
Restore: Recovering Your Data
In an emergency, recovery must be fast and reliable. Two paths are available:
Via TrueNAS Cloud Sync: Create a new Cloud Sync task with Direction: PULL that writes data from the S3 bucket back to the local dataset. For encrypted backups, provide the same password.
Via rclone (CLI): Cloud Sync is built on rclone. In a total loss scenario, data can be restored with rclone on any Linux system:
rclone copy --progress \
--s3-provider=Wasabi \
--s3-access-key-id=ACCESSKEY \
--s3-secret-access-key=SECRETKEY \
--s3-endpoint=s3.eu-central-1.wasabisys.com \
:s3:truenas-offsite-backup/server-name/ /mnt/restore/Tip: Test the restore process regularly — at least once per quarter. A backup that cannot be restored is worthless.
Monitoring with DATAZONE Control
Cloud Sync tasks run in the background — and that is where risk lies. Failed tasks often go unnoticed until data is urgently needed. DATAZONE Control monitors TrueNAS systems centrally and detects problems early:
- Task status checks — Failed or skipped Cloud Sync tasks trigger immediate alerts
- Storage utilization — Warnings when the local pool or cloud bucket nears capacity
- Network monitoring — Bandwidth usage during sync windows is tracked
- Backup completeness — Verification that all tasks ran successfully within the defined period
This turns an automated Cloud Sync into a monitored, reliable part of your backup strategy.
Want to set up TrueNAS Cloud Sync for your offsite backup? Contact us — we help you select the right S3 provider and configure an encrypted, automated backup solution for your TrueNAS infrastructure.
More on these topics:
More articles
Backup Strategy for SMBs: Proxmox PBS + TrueNAS as a Reliable Backup Solution
Backup strategy for SMBs with Proxmox PBS and TrueNAS: implement the 3-2-1 rule, PBS as primary backup target, TrueNAS replication as offsite copy, retention policies, and automated restore tests.
TrueNAS with MCP: AI-Powered NAS Management via Natural Language
Connect TrueNAS with MCP (Model Context Protocol): AI assistants for NAS management, status queries, snapshot creation via chat, security considerations, and future outlook.
ZFS SLOG and Special VDEV: Accelerate Sync Writes and Optimize Metadata
ZFS SLOG (Separate Intent Log) and Special VDEV explained: accelerate sync writes, SLOG sizing, Special VDEV for metadata, hardware selection with Optane, and failure risks.