Encrypted discs?

Hi,

I am running a small business and I am currently evaluating various NAS solutions for installation on my proven NAS hardware. I am attracted by the ZFS features, and I am also tired of the maintenance of my current more or less hand-crafted RedHat-based approach.

One very important requirement besides easy snapshotting, backups and performance is encryption on a media level, i.e. I do not want to find my customers' data on the Internet after a burglar has stolen my NAS device including my disks. At the moment I use LUKS for that purpose, together with a manually entered passphrase on every boot.

I am struggling to understand how TrueNAS is approaching this topic. If I understand it correctly, it generates a (random) key during pool creation that is locally stored on the boot volume and can be downloaded. That means the burglar also has the key and can just power up my NAS in his network without any secret knowledge and access any data? Other encryption layers seem not to be supported, except maybe self-encrypting devices?

Am I missing any point or is there really no way to keep the pool “sealed” on boot until I provide any means of a secret that the potential burglar doesn’t have?

Hi and welcome to the forums.

So you’ve summed it up really well; however, when using ZFS encryption you can also set a passphrase instead of a key, which isn’t stored on the system, so if said burglar takes the system and boots it up they won’t be able to access the encrypted datasets without the passphrase. An additional advantage is that you can either have one passphrase ‘to rule them all’, so to speak, or different passphrases per dataset depending on your needs. You can even have some datasets with no passphrase if you wish.

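The distinction the answer draws (a key file stored on the box versus a passphrase that ZFS asks for at load time) is visible in the OpenZFS `keyformat` and `keylocation` dataset properties. The shell script below is an added example, not code from the thread or from the TrueNAS project, and it assumes a stock OpenZFS command line (`zfs get`, `zfs change-key`, `zfs load-key` are real OpenZFS commands; how TrueNAS's own middleware stores and manages keys is outside this example). The dataset names and the `zfs get` output it parses are constructed. It goes slightly beyond the answer by auditing an existing pool for datasets whose key lives in a file, which is exactly what a thief who takes the whole system would get along with the disks, and by printing the `change-key` command that converts such a dataset to a prompted passphrase.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes a stock OpenZFS 'zfs' CLI; the
# property names encryption/keyformat/keylocation and 'zfs change-key' are real
# OpenZFS features. All dataset names and the sample output are constructed.

# Constructed stand-in for:
#   zfs get -H -o name,property,value -r encryption,keyformat,keylocation tank
# (-H gives tab-separated rows with no header). Three datasets: one whose key
# is a file on the system, one sealed behind a passphrase, one unencrypted.
SAMPLE_ZFS_GET="$(printf '%s\t%s\t%s\n' \
  tank/customers encryption  aes-256-gcm \
  tank/customers keyformat   hex \
  tank/customers keylocation file:///data/keys/customers.key \
  tank/private   encryption  aes-256-gcm \
  tank/private   keyformat   passphrase \
  tank/private   keylocation prompt \
  tank/public    encryption  off \
  tank/public    keyformat   none \
  tank/public    keylocation none)"

# Datasets whose wrapping key is read from a file on the system itself:
# whoever walks off with the hardware walks off with the key as well.
file_keyed_datasets() {
  awk -F '\t' '$2 == "keylocation" && $3 ~ /^file:\/\// { print $1 }'
}

# Datasets that stay locked after boot/import until someone types a passphrase
# ('zfs load-key <dataset>' prompts for it; nothing secret is on disk).
prompt_keyed_datasets() {
  awk -F '\t' '$2 == "keylocation" && $3 == "prompt" { print $1 }'
}

# The command that re-wraps a dataset's key with an interactive passphrase instead
# of a stored key file. ZFS prompts for the new passphrase when this is run.
change_to_passphrase_cmd() {
  printf 'zfs change-key -o keyformat=passphrase -o keylocation=prompt %s\n' "$1"
}

# The command used when creating a new dataset that should be sealed the same way.
create_passphrase_dataset_cmd() {
  printf 'zfs create -o encryption=aes-256-gcm -o keyformat=passphrase -o keylocation=prompt %s\n' "$1"
}

# Human-readable audit over the sample: one warning line per at-risk dataset,
# followed by the remediation command.
audit_report() {
  printf '%s\n' "$SAMPLE_ZFS_GET" | file_keyed_datasets | while read -r ds; do
    printf 'WARNING: %s keeps its key on the box; to seal it run: ' "$ds"
    change_to_passphrase_cmd "$ds"
  done
  printf '%s\n' "$SAMPLE_ZFS_GET" | prompt_keyed_datasets | while read -r ds; do
    printf 'OK: %s requires a passphrase at load time\n' "$ds"
  done
}

audit_report
```

On a real system, replace the constructed sample with the live output, e.g. `zfs get -H -o name,property,value -r encryption,keyformat,keylocation tank | file_keyed_datasets`. A dataset showing `keylocation prompt` is the configuration the answer describes: the pool imports at boot, but that dataset stays unavailable (`zfs get keystatus` reports `unavailable`) until `zfs load-key` is answered with the passphrase.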