How to change Pool&Dataset encryption from Key to Passphrase?

Hello dear Community <3

I have run TrueNAS with an encrypted dataset for a while.
I love the feature that it can back itself up to another machine without the need of the encryption key.

But I found out that only passphrase-based encryption can be used with user input (not stored on the device).

So, tl;dr: how can I change a pool and its datasets from key-based encryption to passphrase-based encryption?

With kind regards

PS: are there any known drawbacks to passphrase-based encryption?

From the GUI, under a dataset’s encryption options.

This cannot be done for the System Dataset (.system), and likely would cause issues if done on your “Apps” or “Sandboxes” datasets. Unlike with a key store on the boot-pool, a passphrase-protected dataset is not immediately available when the system powers on.

To be able to use a passphrase-protected dataset, you can override the encryption properties of the dataset(s) in question, while leaving the top-level root dataset protected by a key, so that your System Dataset and Apps (which inherit this encryption) will not be hindered.

1 Like

Thank you very much for your fast reply!

My setup currently looks like the attached screenshot.
My first thought was to build a new dataset with a passphrase and just copy the data over. But I do not have enough space to do so.

I don't run Apps or Sandboxes, but I am confused about the System Dataset.
Is it possible to encrypt a TrueNAS installation? I never saw an option for that.

I know that “Passphrased” pools are only available if a user entered the correct phrase into the web GUI. I would consider other “remote” unlock options.
But the key storage and automatic unlock kinda defeats my purpose for encryption of the datasets :confused:

Where is your “System Dataset” located? Judging from the screenshot, it doesn’t appear to be housed in the pool named “Pool”. (Unless SCALE doesn’t outright show you in this page?)

You can check with this command:

zfs list -t filesystem -r -d 1 | grep "\.system"

Are you using “Apps”? Do you have a dedicated “sandbox” or “jails” dataset? If so, which pool are they located on? (From your screenshot, it appears you have a single data pool?)


Even if you’re not using “Apps” or “sandboxes”, and even if your “System Dataset” is on a different pool, such as the boot-pool, the SMB service will complain about “unavailable shares”, due to the datasets being inaccessible (until you unlock them).


Are you hoping to protect the dataset “NAS” with a passphrase? You should be able to do that from the GUI itself. I would assume, in SCALE, you click the EDIT button next to “ZFS Encryption”.

When I go to System Settings > Shell and paste it in there it says
zsh: command not found: zfs O.O
I am sure it is a ZFS filesystem though

The goal is to protect the “NAS Data” from theft, since the hardware currently is in a rather ‘public’ location.

And if someone steals the hardware I don't want the perpetrator to have access to the data. So SMB not being able to share it on boot is exactly one part of my goal :slight_smile:

The need to go into the web GUI to enable it is a loss of convenience I am willing to pay (:
Though a one-line SSH command which you can remotely send from a secure system would also be great ^^

Prepend sudo in front of the command and try again?

Thankfully, SCALE is protecting you from running non-destructive, purely informational commands! As everyone knows, you totally need administrative privileges to… list datasets. :roll_eyes:

Sigh. iX, why not just add it to the path by default? Running zfs and zpool commands is very common for TrueNAS users.


Whoever has unfettered physical access to the server is its king. Don’t forget that.


Here is what you can do:

1 Like

Apparently there are two .system


Also, the system is legacy? o.o
The SCALE setup is not even a few months old.
I just copied the files over from the old CORE setup.

The line that reads <BLANK>/.system doesn’t make sense. Is it the pool’s name that prepends it?


It appears that you indeed have two .system datasets, yet only one is the real “active” one.

In your TrueNAS settings, there’s a menu where you can review and change the location of the System Dataset. (I forget where it’s found in the SCALE GUI.) What does it reveal? You’ll want to relocate it to your boot-pool (or affirm it already is), and then you can safely delete the residual one.

But either way, as long as you are only protecting the dataset named “NAS” with a passphrase, the above steps are irrelevant. You won’t be modifying the top-level root dataset’s encryption property (i.e., “Pool”), nor will the dataset “NAS” and below inherit its encryption properties, if you manually break the inheritance and use a passphrase instead.


That’s normal. It’s in reference to how the dataset is mounted. The datasets related to the boot-pool and System Dataset use the “legacy” method, whereas all other datasets in TrueNAS use the native mountpoint method.

1 Like
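An added check for the end state the reply above describes (not code from the thread or from TrueNAS): the root dataset “Pool” stays key-protected, while the child “NAS” is overridden to a passphrase and becomes its own encryption root, so it no longer inherits. It parses `zfs get -H` output, so it runs here against a constructed sample; the dataset names are assumed from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Verifies that a child dataset was
# switched to a passphrase of its own while the pool root keeps its raw key,
# by reading `zfs get -H` output. Samples below are constructed, not captured.

# $1 = captured output of
#   zfs get -H -o name,property,value keyformat,encryptionroot -r Pool
# $2 = dataset, $3 = property. Prints the property's value for that dataset.
zget() {
    printf '%s\n' "$1" | awk -v n="$2" -v p="$3" '$1 == n && $2 == p { print $3 }'
}

# Succeeds only when $3 is a passphrase-protected encryption root of its own
# and $2 (the pool root) still uses a raw hex key and is its own root.
passphrase_override_ok() {
    [ "$(zget "$1" "$2" keyformat)" = "hex" ] &&
    [ "$(zget "$1" "$2" encryptionroot)" = "$2" ] &&
    [ "$(zget "$1" "$3" keyformat)" = "passphrase" ] &&
    [ "$(zget "$1" "$3" encryptionroot)" = "$3" ]
}

# Constructed sample, before: NAS still inherits Pool's key (encryptionroot = Pool).
BEFORE='Pool keyformat hex
Pool encryptionroot Pool
Pool/NAS keyformat hex
Pool/NAS encryptionroot Pool'
# Constructed sample, after the change on NAS only: NAS has its own passphrase.
AFTER='Pool keyformat hex
Pool encryptionroot Pool
Pool/NAS keyformat passphrase
Pool/NAS encryptionroot Pool/NAS'

# Stand-alone run: report which state each sample is in.
report() {
    if passphrase_override_ok "$2" Pool Pool/NAS; then
        echo "$1: NAS is its own passphrase-protected encryption root; Pool still key-based"
    else
        echo "$1: NAS still inherits Pool's key"
    fi
}
report BEFORE "$BEFORE"
report AFTER "$AFTER"
```

On a live system the same check can be fed the real output of the `zfs get` command named in the comment.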

I cropped out my username but apparently hit the NAS as well o.o
Thank you so much for your explanations, I learned a lot today (:

In the bottom left of my Dataset Storage GUI is an Advanced menu where it also shows this:

I can't recall telling it to place system there, so I guess I can just change it to boot-pool?

How can I delete the old one?

I would double-check to make sure it truly is relocated. (Check the same page again.) Is it really now on boot-pool?

Then for good measure, create a checkpoint before proceeding:

sudo zpool checkpoint Pool

Check if it’s mounted:…

mount | grep "\.system" | grep boot-pool

…compared to:

mount | grep "\.system" | grep Pool

Are mounts still being shown for the old System Dataset on the pool “Pool”?


Then do a “dry-run” of destroying the old .system dataset:

sudo zfs destroy -nvr Pool/.system

Does it look safe to continue? If so, issue the destructive command:

sudo zfs destroy -vr Pool/.system

After a few minutes or hours, if you don’t bump into a serious problem, you can remove the checkpoint:

sudo zpool checkpoint -d Pool

If you do need to rewind back to the checkpoint, then you’ll lose any work / data that was done after the checkpoint’s creation.

1 Like
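The mount checks in the reply above, turned into a gate in front of the dry-run destroy, as an added example that is not code from the thread or from TrueNAS: it works on captured `zfs list` and `mount` output, so it runs here against constructed samples; the pool names “Pool” and “boot-pool” are assumed from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Before touching a residual
# Pool/.system, confirm that the active System Dataset is mounted from
# boot-pool and nothing under Pool/.system is still mounted; only then print
# the checkpoint + dry-run step. Samples below are constructed, not captured.

# Count datasets named <something>/.system in `zfs list -H -o name` output ($1).
count_system_datasets() {
    printf '%s\n' "$1" | grep -c '/\.system$' || true
}

# Succeed when `mount` output ($1) shows <pool>/.system or a child of it mounted.
system_mounted_on() {
    printf '%s\n' "$1" | grep -q "^$2/\.system"
}

# Print the safe first step (checkpoint, then dry run) for removing the
# residual copy on $2, or refuse when the mounts say it is still the active one.
residual_destroy_plan() {
    if ! system_mounted_on "$1" boot-pool; then
        echo "ABORT: no .system mounted from boot-pool; relocate it first"
        return 1
    fi
    if system_mounted_on "$1" "$2"; then
        echo "ABORT: $2/.system is still mounted, so it is the active copy"
        return 1
    fi
    echo "sudo zpool checkpoint $2 && sudo zfs destroy -nvr $2/.system"
}

# Constructed samples mirroring the thread: two .system datasets, first with
# the active one on Pool, then after relocating it to boot-pool.
ZFS_LIST='boot-pool/.system
Pool/.system
Pool/NAS'
MOUNT_BEFORE='Pool/.system on /var/db/system type zfs (rw,relatime,xattr,posixacl)
Pool/.system/samba4 on /var/db/system/samba4 type zfs (rw,relatime,xattr,posixacl)
Pool/NAS on /mnt/Pool/NAS type zfs (rw,relatime,xattr,posixacl)'
MOUNT_AFTER='boot-pool/.system on /var/db/system type zfs (rw,relatime,xattr,posixacl)
Pool/NAS on /mnt/Pool/NAS type zfs (rw,relatime,xattr,posixacl)'

# Stand-alone run: the first plan refuses, the second prints the safe step.
echo "found $(count_system_datasets "$ZFS_LIST") .system datasets"
residual_destroy_plan "$MOUNT_BEFORE" Pool || true
residual_destroy_plan "$MOUNT_AFTER" Pool || true
```

The printed step is only the dry run; the real `zfs destroy -vr` and the later `zpool checkpoint -d` remain manual, as in the reply.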

It looks like it really moves it when you select another location in the drop-down, so there is nothing to delete (:

I'll reboot the system to make sure everything is still working, and overnight I'll try to make a backup of the dataset to another machine.

When this is done, the next step is trying to change the encryption to passphrase and report back <3

1 Like

You may still have a “residual” .system dataset. It just will not show as being actively mounted.

You can confirm like this:

zfs list -t filesystem -o space Pool/.system

:warning: Make sure you have backup copies of the encryption keyfiles.

1 Like

Nope, it's gone (:

Yes, I have had those since the dataset creation :smiley:

:+1:

Even if you think a key/keyfile is “obsolete”, hold on to those keys indefinitely. (All of them.) They only take up kilobytes of space, but sometimes come into play in unexpected ways. (Such as being unable to unlock a replicated dataset that was sent to a backup server some months or years ago.)

2 Likes

By default, the system dataset is moved from the boot-pool to the root of the first pool created on the system.

1 Like

Thank you for the explanation.
Is there a reason behind this?
I noticed it complained that the boot pool is filled up ~75% and that it is recommended to keep it below 80%, but my conclusion was to figure out how to size the boot-pool up :smiley:

Your data/storage pool(s) are usually constructed with redundancy. (A simple two-way mirror, at least.)

Boot pools, especially in the past when we used USB sticks as our “OS” device, were non-redundant (as well as more prone to failure if you’re using a cheap USB, or even a USB stick in general.)

So upon the creation of a storage pool, the System Dataset (which is crucial for the operation of a running FreeNAS / TrueNAS server) would be moved to this “more reliable” home.

How is that possible?

My boot-pool only consumes about 7.5 GiB, and that’s with several old “Boot Environments” that have not been pruned.

That makes sense.
Funny thing, for me it's the other way around ^^
TrueNAS is a VM with the boot pool on redundant SSDs.
I gave the VM just 8 GB of storage but doubled it to 16 now :smiley:

The storage is a single HDD (due to power savings)
(and yes, I know there is no redundancy; that's why I have a cold storage which has 2 parity drives (: )