---
title: Offsite Vault Architecture
description: Two Pi vault nodes — ZFS raw send, syncoid, Pocket Grimoire
published: true
date: 2026-04-12T00:00:00.000Z
tags: vault, offsite, zfs, kopia
editor: markdown
dateCreated: 2026-04-12T00:00:00.000Z
---

# Offsite Vault Architecture

## Overview

Two offsite nodes receive ZFS replication from `znas`:

| Node | Location | Role |
|------|----------|------|
| Vault Pi (dedicated) | Offsite / home shelf | Kopia offsite server, ZFS vault pool |
| Pocket Grimoire | Travel / portable | Portable vault + media, also a vault node |

## Replication Method

ZFS raw send via `syncoid` with `-w` flag (raw/encrypted mode):

```bash
# Dedicated vault Pi
syncoid -w znas:vault/data vault-pi:vault/data

# Pocket Grimoire pre-travel
syncoid znas:vault/Green/Pocket pocket:/srv/greenpg/Green
```

The `-w` flag sends encrypted ZFS streams. The receiving node stores data in its encrypted form — no decryption keys are needed on the vault nodes. Keys stay exclusively on `znas`.

## Kopia Offsite Server

The vault container (`vault.yaml`) runs a Kopia server on port 51516 that serves as the remote endpoint for the dedicated Pi vault. Accessible at `vault.netgrimoire.com`.

## Pocket Grimoire as Vault Node

Pocket Grimoire's ZFS pool (`pocket-green` at `/srv/greenpg/`) receives a `syncoid` push from `znas` before each trip. This makes Pocket Grimoire an offsite backup node whenever it leaves the house.

See [Pocket Grimoire Sync](/Pocket-Grimoire/Sync/Pre-Travel-Sync) for the pre-travel checklist.