Encryption keys on USB stick?

It’s fairly easy to set up ZFS encryption with TrueNAS.
There are two things I’d love to be able to do:

  1. pick my own password, such that if things go bonkers, I at least can mount the pools elsewhere…
  2. have the keys/password stored on a USB stick, rather than in the config file.
    This way one can, if need be, simply pull the USB stick and shut the system down, and the data is secured.
    If one’s particularly paranoid, one could insert the USB stick only for booting, and then remove it, locking it away, thus rendering the pools unusable should anyone try to steal the device without having access to the USB key.

Is there a way to do this, or would that be another feature request?
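For reference, this is what the two items above look like with plain ZFS native encryption, outside of the TrueNAS middleware. This is an added example, not code from the thread or from TrueNAS; the mount point `/mnt/usbkey`, the dataset name `tank/secure` and the `ZFS` override variable are placeholders. The key stays only on the stick (`keylocation=file://...`), so `zfs load-key` fails when the stick is absent, and `zfs unload-key` drops it from kernel memory before the stick is pulled. The script checks that the keyfile exists and is exactly 32 bytes, which is what `keyformat=raw` requires, before handing it to `zfs`.

```shell
#!/bin/sh
# Added example (not from the thread): keep a raw ZFS dataset key on a
# removable USB stick and load/unload it by hand. KEYDIR, DATASET and the
# ZFS command path are assumed placeholders; override them via environment.
set -eu

KEYDIR="${KEYDIR:-/mnt/usbkey}"         # where the USB stick is mounted
DATASET="${DATASET:-tank/secure}"       # encrypted dataset to manage
KEYFILE="${KEYFILE:-$KEYDIR/$(printf '%s' "$DATASET" | tr '/' '_').key}"
ZFS="${ZFS:-zfs}"                       # overridable so the helpers can be exercised without ZFS

# keyformat=raw needs exactly 32 bytes; refuse anything else up front so a
# truncated or wrong file never reaches 'zfs create' / 'zfs load-key'.
key_ok() {
    f="$1"
    [ -f "$f" ] || return 1
    size=$(wc -c < "$f" | tr -d ' ')
    [ "$size" -eq 32 ]
}

# Generate the key once, directly onto the stick, readable only by the owner.
make_key() {
    f="$1"
    umask 077
    head -c 32 /dev/urandom > "$f"
    key_ok "$f"
}

# Create the dataset with the key sourced from the stick rather than from a
# config database; the key is never copied anywhere else.
create_dataset() {
    key_ok "$KEYFILE" || { echo "key missing or wrong size: $KEYFILE" >&2; return 1; }
    "$ZFS" create -o encryption=aes-256-gcm -o keyformat=raw \
        -o keylocation="file://$KEYFILE" "$DATASET"
}

# Unlock only succeeds while the stick is present and holds a valid key.
unlock() {
    key_ok "$KEYFILE" || { echo "USB key not present; refusing to unlock" >&2; return 1; }
    "$ZFS" load-key "$DATASET"
    "$ZFS" mount "$DATASET"
}

# Lock: unmount and drop the key from memory, then the stick can be removed.
lock() {
    "$ZFS" unmount "$DATASET"
    "$ZFS" unload-key "$DATASET"
}

case "${1:-}" in
  make-key) make_key "$KEYFILE" ;;
  create)   create_dataset ;;
  unlock)   unlock ;;
  lock)     lock ;;
  *) echo "usage: $0 {make-key|create|unlock|lock}" >&2 ;;
esac
```

Run `make-key` once with the stick mounted, then `create`; after that, `unlock` at boot and `lock` before pulling the stick. As the replies below explain, the TrueNAS middleware expects its own keys to be available at boot, so this only works cleanly for datasets that TrueNAS itself (System Dataset, apps) does not depend on.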

You can currently do this as long as your System Dataset and Apps don’t live on the pool.


This is possible with ZFS but not with TrueNAS. TrueNAS wants the datasets and children to be immediately available because it expects the paths to be accessible by shares, apps, and the System Dataset when you boot up.

You can make a feature request. Don’t know how likely it will be accepted.

1 Like

It seems to mostly cope if you use Passphrase instead of a random key. This requires you to unlock the datasets manually, and apps can certainly behave badly, but it’s manageable.

This wouldn’t be an issue if the USB “key” were present at boot, of course. I’ll have a think about an ‘off-piste’ way to do this.

Not if the System Dataset lives on that pool. TrueNAS has a safeguard that prevents you from using a passphrase-protected root dataset if it detects that the System Dataset lives on the pool. You can of course bypass this with the command-line, but it will probably break the system and prohibit you from booting properly.

Yeah, not concerned about encrypted pools, since that's discouraged in several different directions.

My data is in encrypted datasets on an unencrypted pool. As it stands, key encryption only protects against loose disks floating around. If you have the whole machine, the datasets unlock themselves at boot. As I’m about to ship this machine (I’m moving), that’s not helpful.

These keys appear to be stored in the config database, though, so short of moving the system dataset to a removable device, I don’t see a straightforward way to achieve a ‘hardware’ key.

[EDIT: I’ve just found the feature request thread…]

Ship the machine without the boot disk. You keep the boot disk with you or ship it separately from the computer. Put the boot disk back in once you have completed your move and are ready to set up again.

1 Like

…after moving the system dataset to the boot disk, yeah. (it’s on my main pool for some reason… I’ve been dragging this pool around since the CORE days, so there’s often legacy fun that crops up)

As theft protection, though, I do like the ‘insert key to start server’ model that’s described in the feature req. thread.

1 Like