I’ve recently set up my NAS and I’m now wanting to sort backups to Backblaze B2. I activated ZFS encryption when I was creating the NAS’s (only) pool, thinking that this would automatically encrypt fully any backups made to Backblaze. After testing this it became clear that this is not the case. Is it possible to sort this without using third-party solutions like restic?
Separately, I was also wondering what the unlocked/locked status of the encrypted datasets practically means. Do the drives automatically lock/unlock depending on whether the NAS is on/off? If I lock them, does that mean I’m unable to access the files they contain via SMB? If someone would have physical access to the NAS and removed the drives, would their content be unencrypted if their are unlocked on the TrueNAS admin pane?
Apologies for all the silly questions. I’m a complete beginner.
How are you backing up the data to B2? I think “Cloud Sync” tasks allow you to encrypt the data locally before sending to the remote site and all the remote site has is encrypted data and no knowledge of the key.
If you have set up key based encryption the datasets unlock automatically when you boot (or you might be able to turn that feature on/off). The key is commonly stored on the boot partition, so if someone stole the data drives they would not be able to “unlock” them. If they stole the whole server with the boot drive, they would have access to the key and what they need to decrypt the datasets. This sounds like what you have. If so, you need to be sure you have a backup of the key file stored somewhere. If you lose that key file you will lose access to all your encrypted data.
You can also set up passphrase encryption. In this case the passphrase is only known to you. It is not stored on the server and the datasets can only be unlocked manually. Assuming you don’t write the passphrase on a sticky and post it on the server, anyone who steals the drives, or the whole server, would not be able to decrypt the data unless they have some other access to, or are able to guess, the passphrase.
Really helpful, thank you so much. I’m using Cloud Sync at present — is the option I need to enable Advanced Remote Options > Remote Encryption?
Regarding passphrase encryption, got it. I’ve unfortunately already set up my pool with a few apps. Is there any way I can retroactively set up passphrase encryption for it?
I have one of my pools encrypted with a key, but I’m by no means an expert in this area.
My understanding is that once ZFS encryption is set up, there is a ‘data’ key and a ‘user’ key. The ‘data’ key is immutable. When we talk about passphrase vs keyfile we are talking about how the ‘data’ key is itself encrypted. So, yes, you should be able to change from key file to passphrase without re-encrypting all the data, you are just re-encrypting the ‘data’ key.
https://www.reddit.com/r/zfs/comments/u37zle/zfs_encryption_with_key_default_in_truenas_scale/
I believe so.
1 Like
