Work in progress
FreeNAS supports ZFS replication, but there is a catch: its encryption is applied to whole drives, not to volumes/ZFS pools. That means that if you replicate to an offsite server, the data sitting on that server may be exposed. I am attempting to reduce this issue in my usage, so with inspiration from another blogger's older post on the matter, I think I've figured out a compromise solution.
This assumes you'll be using SSH and the Web-GUIs to work on the FreeNAS systems in question.
1. On your TARGET Web-GUI, configure an iSCSI target for the source server to connect to. Be sure to back it with a zvol big enough to hold all the data you're planning to back up.
2. On the SOURCE Web-GUI, define a periodic snapshot task for the volume you wish to replicate.
3. On the SOURCE, define the following rc.conf tunables so the iSCSI initiator daemon starts at boot and attaches every target listed in /etc/iscsi.conf (-A adds targets, -a means all of them):
iscsictl_enable="YES"
iscsictl_flags="-Aa"
iscsid_enable="YES"
4. On the SOURCE over SSH, make sure there is an .ssh/authorized_keys file in the home folder of the user you'll be using for this project (root or otherwise). chmod 600 the file and chmod 700 the .ssh subdirectory; you can "touch" the file to create an empty one.
5. You'll need the local replication public key for SSH authentication to localhost, so append it to the authorized_keys file from step 4: cat /data/ssh/replication.pub >> ~/.ssh/authorized_keys
6. Find a spot on your storage system that other users won't regularly write to. You'll create an iscsi.conf file there, to be copied to /etc on each startup (startups and updates appear to wipe this file). You may also want to restrict its permissions (if owned by root, say 600). Each target in iscsi.conf sits inside a nickname block with braces; the nickname is any label you choose:
# "backup" is the nickname for this target; any label works (it is what iscsictl -n refers to)
backup {
    TargetAddress = backup.example.com
    TargetName = iqn.2015-04.com.example.server.iscsi:share
    AuthMethod = CHAP
    chapIName = chap_user
    chapSecret = PASSWORD
    tgtChapName = mutual_chap_user
    tgtChapSecret = MUTUALCHAPPASS
}
7. Create another file in the same place as iscsi.conf: you can call it startbackup.sh; chmod 700 it. It copies the config relative to its own location, so it works no matter which directory it is started from:
#!/bin/sh
# Restore the iSCSI initiator config that startup/updates wipe from /etc.
# iscsi.conf is kept next to this script (step 6), so locate it via $0.
cp "$(dirname "$0")/iscsi.conf" /etc/iscsi.conf
# Keep the CHAP secrets readable by root only.
chmod 600 /etc/iscsi.conf
8. Run the new script; you can tail /var/log/messages to see if it worked.
9. Back in the SOURCE Web-GUI, add an Init/Shutdown script that runs startbackup.sh as type "pre-init".
10. Use the Volume Manager's Manual setup function to create an encrypted volume on the disk you mapped with iSCSI (it should show up as a "da#" drive).
11. Set up a replication task from your source file system to the new encrypted volume. Use localhost as the target with no SSH encryption, and you can scan for the key if you want (this may need to be the same as the /data/ssh/replication.pub from earlier).
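To check that the pieces from steps 6 through 11 are actually in place before a replication run (the same check is useful after a reboot), here is an added example script for the SOURCE box. It is not from the original post: the IQN, the pool name "backupvol" for the GELI volume of step 10, the sample iscsictl listing and its assumed column layout ("<target name> <portal> Connected: daN") are all my assumptions and need adjusting to your setup.

```shell
#!/bin/sh
# Post-setup sanity check for the SOURCE FreeNAS box (added example, not from the original post).
# It confirms the three things the procedure depends on:
#   1. /etc/iscsi.conf survived (startbackup.sh ran) and is mode 600,
#   2. the iSCSI initiator is connected to the backup target and exposes a da# disk,
#   3. the encrypted pool created on that disk is imported and ONLINE.
# Assumed values (hypothetical, adjust to your setup): the IQN from step 6 and a pool
# named "backupvol" for the GELI volume created in step 10.

TARGET_IQN="iqn.2015-04.com.example.server.iscsi:share"
BACKUP_POOL="backupvol"
CONF="/etc/iscsi.conf"

# True if the file exists and has exactly mode 0600 (owner read/write, nothing else).
# Parses ls -l rather than stat(1) so the same code works on FreeBSD and Linux.
perms_are_600() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# $1 = text of `iscsictl -L`, $2 = target IQN. True if that target is in Connected state.
# Assumed listing layout, one target per line: <target name> <portal> Connected: daN ...
iscsi_connected() {
    printf '%s\n' "$1" | awk -v iqn="$2" '
        $1 == iqn && $3 == "Connected:" { found = 1 }
        END { exit !found }'
}

# Same inputs; prints the first device name (e.g. "da3") the target is attached as,
# or nothing if the target is not connected.
iscsi_device() {
    printf '%s\n' "$1" | awk -v iqn="$2" '
        $1 == iqn && $3 == "Connected:" { print $4; exit }'
}

# Constructed sample listing for the self-test (not real iscsictl output).
sample_listing() {
    cat <<'EOF'
Target name                          Target portal    State
iqn.2015-04.com.example.server.iscsi:share backup.example.com Connected: da3
iqn.2015-04.com.example.other:scratch 10.0.0.5         Waiting for iSCSI daemon
EOF
}

# Run the live checks only where the FreeBSD iSCSI initiator is present.
if command -v iscsictl >/dev/null 2>&1; then
    perms_are_600 "$CONF" || { echo "FAIL: $CONF missing or not mode 600 (did startbackup.sh run?)"; exit 1; }
    listing=$(iscsictl -L)
    iscsi_connected "$listing" "$TARGET_IQN" || { echo "FAIL: $TARGET_IQN not connected"; echo "$listing"; exit 1; }
    dev=$(iscsi_device "$listing" "$TARGET_IQN")
    echo "OK: $TARGET_IQN attached as /dev/$dev"
    # If GELI was not attached, the pool will not be imported and zpool reports nothing.
    health=$(zpool list -H -o health "$BACKUP_POOL" 2>/dev/null) || health="MISSING"
    [ "$health" = "ONLINE" ] || { echo "FAIL: pool $BACKUP_POOL is $health (GELI not attached / pool not imported?)"; exit 1; }
    echo "OK: pool $BACKUP_POOL is ONLINE; safe to let replication run"
fi
```

Run it from the same shell you used for step 8; a non-zero exit with a FAIL line tells you which of the three assumptions the replication task would otherwise silently violate (missing config, no disk, or a pool that is not imported because the GELI key was not attached).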
Remaining to verify: how this behaves after a reboot, and whether SSH does need to be switched on for proper replication, since the data is supposed to be AES-128 GELI encrypted already anyway.