This is my first post on this forum as I’m new to TrueNAS!
I’m running TrueNAS Core 12 and I’m attempting to get a better understanding of what is happening to the data under the hood, when it comes to encryption at rest in encrypted pools/datasets.
I’ve read the TrueNAS documentation and spent a bunch of time reading this forum but still don’t feel like I have the answer I’m looking for, so I’m hoping one of you guys will be able to help me!
The term ‘encryption at rest’ usually means that the data is encrypted when not actively in use in a computer's RAM (i.e. when it’s stored on a HDD), but from what I’ve gathered from other posts on the TrueNAS forums and from trying things on my rig, it seems like TrueNAS might do things differently.
If I use a keyfile to encrypt a pool/dataset (ignoring encryption via passphrase) it seems like all data in a pool/dataset is decrypted by TrueNAS Core during the boot process. The web gui reports that the dataset is unlocked, all data in the dataset is accessible via shares, and when hexdumping a file from the linux command line the bytes seem to exist in a decrypted state. This implies to me that data in TrueNAS is not actually ‘encrypted at rest’ (data always exists in an encrypted state on HDD at all times), but is ‘encrypted on shutdown’ (only exists in an encrypted state on HDD after shutting down)?
The other potential explanation I can think of is that whilst datasets are reported as “unlocked” by TrueNAS on boot, the data actually exists on the disk in an encrypted state but is actively decrypted on the fly by TrueNAS/Linux OS when a user attempts to access a file, giving the user the appearance that the data is fully decrypted and accessible. If this is the case would someone be able to advise how I could see the encrypted bytes on the drive to prove this to myself? (I attempted to do this by hexdumping a file but the bytes it returns are definitely decrypted data.)
I think what it comes down to is the following question: If the TrueNAS machine were to boot up and unlock all datasets, then suddenly lose power (not giving TrueNAS a chance to lock any datasets in its usual manner during a regular shutdown) and the relevant data drives (not including the boot drives containing the encryption keys) were to be removed and analysed, could I expect the data on these drives to exist in a decrypted state, leaving the potential for my data to be accessed by a malicious actor?
If anyone could clarify my understanding (or correct my misunderstanding!) of how ‘encryption at rest’ works in TrueNAS that would be greatly appreciated!
This is what’s going on. Otherwise, the system would need to rewrite all data every boot and shutdown–at boot to decrypt it, and at shutdown to re-encrypt it. I don’t know how to prove it to you, though, other than “use the source, Luke.”
This is not unique to TrueNAS or ZFS. This is how software-level encryption of storage essentially works. The same is true for LUKS and VeraCrypt.
Once the master key is loaded into RAM, it is used to process all encrypted blocks that go through it (reads that are decrypted) and all plain blocks that go through it (writes that are encrypted).
No. They would be encrypted.
The bad actor wouldn’t likely remove your drives. They are more likely to just take the entire computer, which includes your boot drive. They can either retrieve the keys from the config file (on the boot drive) or just power on the system and reset the root password to access the web GUI.
Hello,
Perfect, the exact topic I am actually wondering about.
Question #1:
Is it possible to disable or lock this “reset the root password” option?
In my Synology I have the option to “keep admin password at system reset”, so even if an attacker gains physical access to the NAS, he cannot wipe the root user's password by simply pressing the reset button for 5 secs and then login as (root) admin with an empty password having access to all accounts.
Question #2
If this option just cannot be blocked, what else could I do to prevent anybody with physical access to my system from getting access to my files?
I want to encrypt the pool with keyfile and passphrase, the keyfile would be stored on a flash drive.
Do I see it right that if the system has started and the pools were unlocked, I could simply pull out the flash drive and hide it somewhere else, so that
1.) an attacker without knowledge of user account credentials could not gain access to the data on the NAS
2.) nor could he gain access after resetting the system with a new root password because he would need the (missing) keyfile and the passphrase to unlock the data pool?
Is that so or am I missing something?
Thanks in advance.
Thanks for the quick response.
Okay, so if I disable the console menu and have an encrypted pool with keyfile and good passphrase - is my data then safe?
Or could the attacker simply pull out the drives and put them in another case to get the console back again?
And if yes - does this even matter when the pool is encrypted with keyfile + passphrase? The passphrase itself should not be able to get reset to something new without first typing in the actual correct one, right?
Sorry for the questions, I am quite new to the topic of encryption and data secrecy.
If someone knows what they’re doing, they can retrieve the dataset keystrings either by booting from a Linux ISO directly on your server or removing your boot drive and accessing it on their own computer. The two files they need are freenas-v1.db and pwenc_secret. It’s not necessary for them to reset your root password.
Casual users will have no idea and probably not care. Only someone malicious that wants to access your data directly will have the knowledge and motivation to do so.
The two files they need are freenas-v1.db and pwenc_secret. It’s not necessary for them to reset your root password.
‘pwenc_secret’? Hold on! Is this “only” the information for the user access to the system (login/password) or is this the passphrase to the volume/dataset?
Meaning, IF I encrypt my whole dataset with a passphrase - is this information also stored somewhere on the system, so someone could reveal it and finally get access to my data, like with encryption keys, that are also stored on the boot drive?
Someone getting access to the system would at least not be that bad then, compared to getting access to the data stored on it. I mean, if the datasets are locked, he would see nothing, at maximum the dataset names and their space consumption, but not what is in them, right?
Could anyone get somehow access to the data without knowing the encryption passphrase?
No. Passphrases are not. Those are your responsibility to memorize or store elsewhere.
In the world of TrueNAS, keystrings are used to automatically unlock datasets at boot, for reasons of convenience and availability of the System Dataset and Apps. It will not do the same for passphrase-protected encrypted datasets. The caveat is that if the pool contains the System Dataset, you will not be able to use a passphrase for the root dataset. This can also cause issues for your Apps.
This is strictly a TrueNAS thing.
If your dataset is using a passphrase, then your data will be inaccessible after rebooting. The config and pwenc_secret files will be of no use to a malicious person.
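An added illustration (my own, not TrueNAS or ZFS code) of the two points made in this thread: the master key lives only in RAM and the disk holds nothing but ciphertext even if power is cut while a dataset is unlocked, and a keyfile can be stored in the config while a passphrase-derived key cannot. The cipher is an HMAC-SHA256 counter-mode stand-in for the AES-GCM that ZFS really uses; the keyfile bytes, salt and file contents are constructed.

```python
import hashlib
import hmac

BLOCK = 32  # toy on-disk block size

def _xor_block(key: bytes, block_no: int, data: bytes) -> bytes:
    # Counter-mode keystream from HMAC-SHA256, a stand-in for the AES-GCM that
    # ZFS really uses; the block number plays the role of the per-block IV.
    ks = hmac.new(key, block_no.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data.ljust(BLOCK, b"\0"), ks))

class Dataset:
    def __init__(self):
        self.disk = [bytes(BLOCK)] * 4  # the HDD: nothing but ciphertext lands here
        self.key = None                 # master key in RAM only; gone on power-off

    def write(self, n: int, data: bytes):
        if self.key is None:
            raise PermissionError("dataset is locked")
        self.disk[n] = _xor_block(self.key, n, data)

    def read(self, n: int) -> bytes:
        if self.key is None:
            raise PermissionError("dataset is locked")
        return _xor_block(self.key, n, self.disk[n]).rstrip(b"\0")

def passphrase_key(passphrase: str, salt: bytes) -> bytes:
    # Like ZFS keyformat=passphrase: PBKDF2 over the passphrase. Only the salt is
    # stored, so the config files alone give an attacker nothing to unlock with.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, 32)

def demo() -> dict:
    ds = Dataset()
    ds.key = bytes(range(32))        # constructed keyfile, as TrueNAS keeps in its config
    ds.write(0, b"payroll: secret")  # GUI says "unlocked": reads and writes flow
    via_share = ds.read(0)           # hexdump of the file: plaintext
    raw = ds.disk[0]                 # hexdump of the vdev itself: ciphertext
    ds.key = None                    # power pulled: key gone from RAM, disk untouched
    try:
        ds.read(0); locked = False
    except PermissionError:
        locked = True
    ds2 = Dataset()
    ds2.key = passphrase_key("correct horse", b"stored-salt")  # constructed salt
    ds2.write(0, b"also secret")
    ds2.key = passphrase_key("wrong guess", b"stored-salt")    # toy: garbage; real ZFS refuses
    return {"via_share": via_share, "secret_visible_on_disk": b"secret" in raw,
            "disk_same_after_power_loss": ds.disk[0] == raw, "locked_read_fails": locked,
            "wrong_passphrase_decrypts": ds2.read(0) == b"also secret"}
```

Running `demo()` reproduces the thread's answers: the file reads as plaintext through the filesystem, the raw block never does, and pulling power leaves the same ciphertext behind.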