I have a question regarding strategy for encryption on TrueNAS Scale.
Today I have TrueNAS Core and I utilize passphrase encryption on the root dataset. The system dataset has been moved to the boot disk (SSD), thus using a passphrase seems fine. The good thing with this to me is that all jail data are also automatically encrypted.
With TrueNAS Scale this seems to be frowned upon or not recommended (that's at least my takeaway from Storage Encryption | TrueNAS Documentation Hub and NAS-118328 / 22.12 / Do not encrypt ix-applications dataset by sonicaj · Pull Request #9954 · truenas/middleware · GitHub).
I have tested creating a root dataset with an encryption key, moving the system dataset to the boot disk and then changing from key to passphrase on the root dataset. This seems to work and thus also protects the ix-applications dataset. (option #1)
The other option I assume is to keep the root dataset unencrypted and then create secondary datasets that are passphrase encrypted, and when creating containers I would need to make sure they point to the encrypted dataset instead of ix-applications. (option #2)
Which of these two options would be best (and why)? To me #1 is best since it protects “everything” by default, but I assume there might be drawbacks that I do not realize?
(I want to have passphrase encryption for theft protection)
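Whichever option is chosen, the practical risk with option #2 is a container or app dataset that quietly ends up under the unencrypted parent. The following added example (not from the post or from TrueNAS) is a small audit script for that: it reads the output shape of `zfs get -H -r -o name,property,value encryption,keyformat <pool>` and reports every dataset that is either unencrypted or protected by a raw/hex key rather than a passphrase. The dataset listing embedded below is constructed sample data, not captured from a real system; the pool name `tank` and the `secure`/`media` datasets are assumptions for illustration.

```shell
#!/bin/sh
# Added example: audit a ZFS dataset tree for datasets that would not be
# passphrase-protected (theft-protection check for the option #2 layout).
#
# Input format: one line per (dataset, property, value), whitespace separated,
# as produced by:  zfs get -H -r -o name,property,value encryption,keyformat tank
# (zfs -H uses tabs; awk's default field splitting handles tabs or spaces.)

# Constructed sample (not real output): an app dataset was created under the
# unencrypted ix-applications parent instead of the passphrase-protected tree,
# and "media" was encrypted with a hex key rather than a passphrase.
SAMPLE='tank encryption off
tank keyformat none
tank/ix-applications encryption off
tank/ix-applications keyformat none
tank/ix-applications/releases encryption off
tank/ix-applications/releases keyformat none
tank/secure encryption aes-256-gcm
tank/secure keyformat passphrase
tank/secure/apps encryption aes-256-gcm
tank/secure/apps keyformat passphrase
tank/media encryption aes-256-gcm
tank/media keyformat hex'

# audit_encryption: reads the listing on stdin and prints "<dataset> <finding>"
# for every dataset that is not passphrase-encrypted. Findings are:
#   UNENCRYPTED      encryption=off (data at rest readable if disks are taken)
#   KEY_ONLY(<fmt>)  encrypted, but with a raw/hex key, not a passphrase
# Output is sorted in the C locale so results are deterministic.
audit_encryption() {
    awk '
        $2 == "encryption" { enc[$1] = $3 }
        $2 == "keyformat"  { kf[$1]  = $3 }
        END {
            for (ds in enc) {
                if (enc[ds] == "off")
                    printf "%s UNENCRYPTED\n", ds
                else if (kf[ds] != "passphrase")
                    printf "%s KEY_ONLY(%s)\n", ds, kf[ds]
            }
        }' | LC_ALL=C sort
}

# count_findings: convenience wrapper returning the number of flagged datasets.
count_findings() {
    n=$(audit_encryption | wc -l)
    echo "$n" | tr -d ' '
}

# Run against the constructed sample; on a real system replace SAMPLE with the
# zfs get command above.
printf '%s\n' "$SAMPLE" | audit_encryption
```

On a live system the expected state for option #1 (passphrase on the root dataset, everything inheriting) is an empty report; for option #2 the report should list only the deliberately unencrypted parent datasets, and any `ix-applications/...` entry is the misplacement the poster is worried about.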