[mekster]

Can you tell how it's done specifically? Are you zfs send'ing to another directory and encrypt it entirely on the fly while transferring to Glacier?

Does it do incremental backup transfer to Glacier or does it have to transfer the entire encrypted blob every time?

[janitha]

No intermediate directory/file at all, all done on the fly.

    sudo zfs send -i <LAST_BACKUPED_SNAPNAME> <CUR_SNAPNAME> | gpg -e -r <YOURKEY> --compress-algo none -v | pv | aws s3 cp --storage-class DEEP_ARCHIVE - s3://<PATH_TO_DEST>.zfs.gpg

The very first time you do it, you will need to do a full backup (ie. without the `-i <...>` option). Afterwards, subsequent backups can be done with the -i, so only the incremental difference will be backed up.

I have a path/naming scheme for the .zfs.gpg files on s3 which include the snapshot from/to names. This allows to determine what the latest backed up snapshot name is (so the next one can be incremental against that). And also use when backing up, since the order or restore matters.