Hi everyone,
I have a TrueNAS Scale Electric Eel server with two pools, two disks each in mirror. Is it possible to encrypt these two pools without creating new pools and migrating the data over? If I do have to make new encrypted pools, I should be able to copy/paste the data to the new pool and just point my apps to the new pool, correct?
Thanks in advance!
You don’t encrypt pools. You encrypt datasets.
It’s still possible to create new datasets with encryption enabled, and then migrate your data over to these new datasets on the existing pool.
Hi,
What I meant was the drive; I said pool as in everything in the pool. I guess I should have said that…
If I just did the encrypted datasets, then I would have a bunch of different encryption keys, right? Ideally I want the drive encrypted.
You don’t encrypt the drives or the pool. You only encrypt datasets.
If you want a single key/passphrase for all datasets, then you need to encrypt the root dataset. (The “root dataset” is the topmost dataset in a pool, which happens to share the same name as the pool.) Then the child datasets can inherit the encryption properties of the root dataset.
In order to do this, you need to create a new pool and choose the encryption option. This will encrypt the root dataset.
That is what I was looking for. Thank you
If I have an unencrypted pool like this:
root
|-- dataset1
|-- dataset2
|-- dataset2/dataset3
Would I:
1/ create a new encrypted dataset under root
2/ replicate dataset{1,2} into the new dataset recursively
3/ delete the original datasets and update any references to use the new name?
If yes:
1/ is there a way to avoid updating all references to the original dataset paths?
2/ how do I ensure all unencrypted data on the spinning disks is gone after doing this migration? Or is the only way to wipe the root pool, sanitize, and migrate from a backup?
More or less.
- Depends on the structure. If you intend to have Dataset1 AND Dataset2 at the top level, you would need to temporarily make 2 new FSes, Dataset4 and Dataset5, encrypted. Then rename after.
- Un-encrypted disk blocks will exist on the storage drives. Eventually they may be over-written, but who knows when.
For the last, you could implement something like what I wrote:
There is the zpool initialize command which overwrites unallocated regions. For SSD there is also zpool trim --secure (if the SSD supports secure erase).
In the end, it does depend on how sure you want to be that the data is really unrecoverable in a forensic setting. At the end, the most secure option is always to replace the drive and throw the original drive into an active volcano.
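Added example, not part of any post in this thread: a shell check to run after a migration like the one discussed above. It reads `zfs get` output and reports which datasets are still unencrypted and how many encryption roots (separately keyed datasets) exist. The function names and the sample dataset names (`root/enc`, `newpool`) are constructed for illustration.

```shell
#!/bin/sh
# Audit ZFS encryption state. Feed it the tab-separated output of:
#   zfs get -H -o name,property,value -r -t filesystem,volume \
#       encryption,encryptionroot POOL
# Exit status: 0 = all datasets encrypted under a single encryption root
#              1 = at least one dataset has encryption=off
#              2 = all encrypted, but several encryption roots (several keys)
#              3 = no input
audit_encryption() {
    awk -F '\t' '
        $2 == "encryption" && $3 == "off" { plain[++nplain] = $1 }
        $2 == "encryptionroot" && $3 != "-" && !($3 in seen) {
            seen[$3] = 1; roots[++nroots] = $3
        }
        END {
            for (i = 1; i <= nplain; i++) print "UNENCRYPTED " plain[i]
            for (i = 1; i <= nroots; i++) print "KEYROOT " roots[i]
            if (NR == 0) exit 3
            if (nplain > 0) exit 1
            if (nroots > 1) exit 2
        }'
}

# Constructed sample: the layout from the question after step 2, with a new
# encrypted dataset under an unencrypted root and one original still present.
sample_mid_migration() {
    printf '%s\t%s\t%s\n' \
        root encryption off \
        root encryptionroot - \
        root/dataset1 encryption off \
        root/dataset1 encryptionroot - \
        root/enc encryption aes-256-gcm \
        root/enc encryptionroot root/enc \
        root/enc/dataset1 encryption aes-256-gcm \
        root/enc/dataset1 encryptionroot root/enc
}

# Constructed sample: a pool created with encryption, children inheriting.
sample_encrypted_pool() {
    printf '%s\t%s\t%s\n' \
        newpool encryption aes-256-gcm \
        newpool encryptionroot newpool \
        newpool/dataset1 encryption aes-256-gcm \
        newpool/dataset1 encryptionroot newpool
}

sample_mid_migration | audit_encryption || echo "audit status: $?"
```

This only inspects dataset properties; it says nothing about old plaintext blocks left in unallocated space on the disks.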