Hello everyone!
I am hoping that someone might be able to clarify the locking of a dataset and what, if any, effects it has on the encryption of the dataset? I have a fresh install on new hardware, created a passphrase encrypted dataset, and setup an SMB share. When the dataset is locked I am unable to connect to the share, when unlocked I can (with a created user account). I am okay leaving it unlocked but I want to be sure that the encryption will still occur and that I am not missing any items I should consider.
Encryption is important for the data as it is used to backup HIPAA information for my wife’s business. I also tried finding this info in the documentation and the forum. Closest I could find was this post: https://forums.truenas.com/t/encryption-explanation-hardening/13849
TrueNAS Core
TrueNAS-13.0-U6.2
Whether an encrypted dataset is “locked” or “unlocked”, the blocks on the disks are always random, meaningless garbage, i.e., “encrypted”.
When a dataset is “unlocked”, it just means that the Master Key is loaded in RAM, which is used to encrypt/decrypt blocks that are written/read.
So it would be accurate to say that, even unlocked (which means it's unlocked for read/write), the data is still encrypted to the AES-256 standard (chosen encryption)?
I appreciate your response. I read on other posts that you're THE encryption guy :smile:
The data that exists on the drives, yes.
But to be pedantic, not the “data” that is loaded in RAM, being used by other applications, including file managers.
If you lose power, or yank the power from the wall, then RAM is no longer in play. The data on the drives is just random garble.
Less dramatic is if you power off the system normally. Same applies.
Okay, right. So it's always going to be garbled due to the separation of blocks, and only guaranteed to be encrypted after the write operation finishes writing to disk.
Thank you again for your help. I will mark it as the solution.
Everything happens in RAM before being committed to disk.
Block of data exists in its “true” form → which gets compressed (if possible) → which is then encrypted → and finally the block (now in this form) is written to disk
The process is reversed when “read” from disk.
The encrypted block is loaded into RAM → then it is decrypted → then it is decompressed (if applicable) → then it can be used in its “true” form by whatever application needs it
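The write path described above (compress, then encrypt under the master key, then write) together with the locked/unlocked distinction from earlier in the thread, as an added Python model that is not TrueNAS or OpenZFS code. It assumes the `cryptography` package, uses AES-256-GCM plus PBKDF2 in place of ZFS's real on-disk formats, and keeps the "disk" as an in-memory dict; the iteration count and sample record are constructed values.

```python
import os
import zlib
import hashlib
from cryptography.hazmat.primitives.ciphers.aead import AESGCM


class EncryptedDataset:
    """Model of a passphrase-encrypted dataset: the master key sits on 'disk'
    only in wrapped form; unlocking loads the unwrapped key into RAM."""

    def __init__(self, passphrase: str):
        self.salt = os.urandom(16)
        master_key = AESGCM.generate_key(bit_length=256)  # AES-256, as in the thread
        wrap_key = self._derive_wrap_key(passphrase)
        nonce = os.urandom(12)
        # Only the wrapped master key is ever stored; the raw key is never written.
        self.wrapped_key = nonce + AESGCM(wrap_key).encrypt(nonce, master_key, b"mk")
        self.disk = {}          # block id -> ciphertext ("what is on the drives")
        self.master_key = None  # None == locked: nothing usable is in RAM

    def _derive_wrap_key(self, passphrase: str) -> bytes:
        # PBKDF2-HMAC-SHA256; 200k iterations is a constructed value, not ZFS's.
        return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), self.salt, 200_000)

    def unlock(self, passphrase: str) -> None:
        nonce, blob = self.wrapped_key[:12], self.wrapped_key[12:]
        # A wrong passphrase fails the GCM tag check and raises InvalidTag.
        self.master_key = AESGCM(self._derive_wrap_key(passphrase)).decrypt(nonce, blob, b"mk")

    def lock(self) -> None:
        self.master_key = None  # key dropped from RAM; disk contents are unchanged

    def write(self, block_id: int, data: bytes) -> None:
        if self.master_key is None:
            raise PermissionError("dataset is locked")
        nonce = os.urandom(12)
        compressed = zlib.compress(data)  # compress first, then encrypt
        self.disk[block_id] = nonce + AESGCM(self.master_key).encrypt(nonce, compressed, None)

    def read(self, block_id: int) -> bytes:
        if self.master_key is None:
            raise PermissionError("dataset is locked")
        nonce, blob = self.disk[block_id][:12], self.disk[block_id][12:]
        return zlib.decompress(AESGCM(self.master_key).decrypt(nonce, blob, None))


def demo() -> dict:
    """Unlock, write a constructed record, lock, and report what each state exposes."""
    ds = EncryptedDataset("correct horse")
    ds.unlock("correct horse")
    record = b"PATIENT RECORD " * 64
    ds.write(1, record)
    ds.lock()
    try:
        ds.read(1)
        readable_locked = True
    except PermissionError:
        readable_locked = False
    ds.unlock("correct horse")
    return {"plaintext_on_disk": b"PATIENT" in ds.disk[1],
            "readable_while_locked": readable_locked,
            "roundtrip_ok": ds.read(1) == record,
            "compressed_before_encrypting": len(ds.disk[1]) < len(record)}
```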