Problem/Justification
Currently if you replicate a dataset to a remote TrueNAS instance and specify encryption, the remote dataset is left unlocked after the replication is complete. I would like to have the dataset(s) automatically lock once the replication task finishes to better protect the data.
Impact
The main benefit is increased data security for remote targets in less trusted environments, keeping the data encrypted as much as possible.
User Story
I send a remote TrueNAS box to a trusted third-party, I then replicate (with encryption) to that remote TrueNAS machine and the datasets lock when complete. A malicious actor attempts to access the running TrueNAS instance, but can’t read any data. The intrusion is detected and dealt with without compromise of the encrypted data.
It is my understanding you can replicate an encrypted dataset using RAW, which means the destination does not have access to the data. This is useful when you don’t trust the destination location. You keep the keys away from the destination for security reasons, unless needed.
Now to be fair, I have limited knowledge of ZFS encryption & replication. So I could be wrong. Or their could be limitations that I don’t know about.
With both, encrypted and un-encrypted datasets, you set up different replication tasks & parameters. You would use RAW for the encrypted ones. I believe this is already supported by the TrueNAS GUI. But, I’ve not used this functionality. Hopefully either the manual or someone else can describe it in enough detail to implement.
Note: I did some personal testing of ZFS encryption just before it reached release state. But, their have been changes & improvements to ZFS encryption since then. Gee, that was 8 years ago!
