Encryption and RMA questions?

Correct me if I’m wrong… My vdev mirrors have both unencrypted and encrypted datasets. Even if I were to migrate all the unencrypted data into a newly created encrypted pool on the same disks, an RMA of those disks could leak any of the data that wasn’t originally encrypted.

The best solution seems to be encrypting the pool itself so that anything created within it is also encrypted.

To prepare my disks for such a task I would need to:

  1. wipe the existing disks to remove any unencrypted data blocks
  2. create a new encrypted pool OR recreate the encrypted datasets in the new pool.

Am I missing anything that could make this easier? Is there a way to wipe just the area of the disk that wasn’t encrypted?

You can write a pass of zeros across the entire disks before sending them back, if it’s worth it to you.
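
A concrete version of that zero pass, as an added example that is not code from the thread: one pass of zeros over the whole device, then a read-back check that nothing non-zero remains. It assumes POSIX sh with dd, head, tr and wc; `blockdev` for sizing a block device is a Linux-only assumption, and a regular file can stand in for a disk when trying it out.

```shell
#!/bin/sh
# Added example, not code from the thread: one pass of zeros over a disk (or a
# file standing in for one), then a read-back check that every byte is zero.
# Assumes POSIX sh plus dd, head, tr, wc; blockdev is Linux-only (assumption).
set -eu

# size_of PATH -> size in bytes (block device via blockdev, otherwise wc -c)
size_of() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# zero_wipe PATH: overwrite exactly size_of(PATH) bytes with zeros.
# conv=notrunc keeps a regular file at its original length.
zero_wipe() {
    bytes=$(size_of "$1")
    head -c "$bytes" /dev/zero | dd of="$1" bs=1048576 conv=notrunc 2>/dev/null
    sync
}

# verify_zeroed PATH: exit 0 only if no non-zero byte remains.
verify_zeroed() {
    bytes=$(size_of "$1")
    nonzero=$(head -c "$bytes" "$1" | tr -d '\000' | wc -c | tr -d ' ')
    [ "$nonzero" -eq 0 ]
}

# Usage: sh wipe.sh /dev/sdX   (run as root; the device must not be in use)
if [ $# -eq 1 ]; then
    zero_wipe "$1"
    if verify_zeroed "$1"; then
        echo "$1: all $(size_of "$1") bytes read back as zero"
    else
        echo "$1: verification failed, non-zero bytes remain" >&2
        exit 1
    fi
fi
```

The read-back pass matters: a write that silently stops short (a drive on its way out, a wrong device path) otherwise looks identical to a successful wipe. On an SSD, a zero pass does not reach remapped or over-provisioned blocks; the drive's own ATA Secure Erase or NVMe Sanitize command is the right tool there.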


“Pools” are not encrypted. A root dataset can be encrypted, in which children nested underneath will inherit encryption by default. (But TrueNAS no longer permits this, even though it’s supported in vanilla ZFS.)

What you can do is create the pool, and leave the root dataset unencrypted.

Then just use encryption at a per-dataset level, which also applies to the “pseudo-roots” that live one depth under the root dataset.


EDIT: Oh, you’re not actually RMA’ing anything. This is hypothetical? If you mean to safeguard against “leaking data” going forward, the simplest method is to zero the drives, and create your pool(s) again, based on the above options.

I’m not familiar with any software that “wipes” the free/unencrypted portions of drives in a ZFS pool/vdev.

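
The layout described in that reply, as an added example that is not part of the post: the pool root stays unencrypted, encryption is set on a first-level "pseudo-root" dataset, and a `zfs get` afterwards shows what each child inherited. Pool name, device paths and dataset names are placeholders; the script only prints the commands unless `APPLY=1` is set, so it can be read through before touching a disk.

```shell
#!/bin/sh
# Added example, not code from the thread: pool with an unencrypted root
# dataset and encryption applied to a first-level dataset, plus an audit of
# what each dataset inherited. Pool and dataset names are placeholders.
# Commands are only printed unless APPLY=1 is set in the environment.
set -eu

POOL=${POOL:-tank}

# run CMD...: print the command in dry-run mode, execute it with APPLY=1.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# create_layout DEV1 DEV2: two-disk mirror, root dataset left unencrypted.
create_layout() {
    run zpool create -o ashift=12 "$POOL" mirror "$1" "$2"
    # Encryption goes on the "pseudo-root" one level below the pool root; with
    # keyformat=passphrase, zfs prompts for the passphrase when APPLY=1.
    run zfs create -o encryption=aes-256-gcm -o keyformat=passphrase "$POOL/secure"
    # Children inherit encryption from tank/secure, which is their encryption root.
    run zfs create "$POOL/secure/docs"
    # Anything created directly under the root stays unencrypted.
    run zfs create "$POOL/scratch"
}

# audit_layout: per-dataset encryption setting and which dataset holds the key.
audit_layout() {
    run zfs get -r -o name,property,value,source encryption,encryptionroot "$POOL"
}

# Usage: sh layout.sh /dev/disk/by-id/A /dev/disk/by-id/B   (APPLY=1 to execute)
if [ $# -eq 2 ]; then
    create_layout "$1" "$2"
    audit_layout
fi
```

Running `audit_layout` after the fact is the check to keep: `encryptionroot` names the dataset whose key protects each child, and anything whose `encryption` reads `off` sits in the unencrypted part of the pool and will land on disk in the clear.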

No.

You need to backup, check the backup is correct, wipe the pool disks, re-create the pool, re-create the encrypted datasets.

There is no easy way around it.


Thanks for the tips. This is what I’d normally do, but the drive died, so it’s not possible to zero it out.

If it’s important, then you don’t RMA the drive and instead you have a policy of shredding drives.


Personally, I prefer shooting them. But maybe that’s because I don’t have a drive shredder.


For a long time I just stored them on a shelf…