I have run TrueNAS with an encrypted dataset for a while.
I love the feature that it can back itself up to another machine without the need of the encryption key.
But I found out that only passphrase-based encryption can be used with user input (not stored on the device).
So, tl;dr: how can I change a pool and its datasets from key-based encryption to passphrase-based encryption?
With kind regards
PS: are there any known drawbacks to passphrase-based encryption?
From the GUI, under a dataset's encryption options.
This cannot be done for the System Dataset (.system), and likely would cause issues if done on your "Apps" or "Sandboxes" datasets. Unlike with a key store on the boot-pool, a passphrase-protected dataset is not immediately available when the system powers on.
To be able to use a passphrase-protected dataset, you can override the encryption properties of the dataset(s) in question, while leaving the top-level root dataset protected by a key, so that your System Dataset and Apps (which inherit this encryption) will not be hindered.
My setup currently looks like the attached screenshot.
My first thought was to build a new dataset with a passphrase and just copy the data over. But I don't have enough space to do so.
I don't run Apps or Sandboxes. But I am confused about the System Dataset.
Is it possible to encrypt a TrueNAS installation? I never saw an option for that.
I know that "passphrased" pools are only available if a user entered the correct phrase into the web GUI. I would consider other "remote" unlock options.
But the key storage and automatic unlock kinda defeats my purpose for encrypting the datasets.
Where is your "System Dataset" located? Judging from the screenshot, it doesn't appear to be housed in the pool named "Pool". (Unless SCALE doesn't outright show you in this page?)
You can check with this command:
zfs list -t filesystem -r -d 1 | grep "\.system"
Are you using "Apps"? Do you have a dedicated "sandbox" or "jails" dataset? If so, which pool are they located on? (From your screenshot, it appears you have a single data pool?)
Even if you're not using "Apps" or "sandboxes", and even if your "System Dataset" is on a different pool, such as the boot-pool, the SMB service will complain about "unavailable shares", due to the datasets being inaccessible (until you unlock them).
Are you hoping to protect the dataset "NAS" with a passphrase? You should be able to do that from the GUI itself. I would assume, in SCALE, you click the EDIT button next to "ZFS Encryption".
When I go to System Settings > Shell and paste it in there it says zsh: command not found: zfs O.O
I am sure it is a ZFS filesystem though.
The goal is to protect the "NAS Data" from theft since the hardware currently is in a rather "public" location.
And if someone steals the hardware I don't want the perpetrator to have access to the data. So SMB not being able to share it on boot is exactly one part of my goal.
The need to go into the web GUI to enable it is a loss of convenience I am willing to pay (:
Though a one-line SSH command which you can remotely send from a secure system would also be great ^^
Prepend sudo in front of the command and try again?
Thankfully, SCALE is protecting you from running non-destructive, purely informational commands! As everyone knows, you totally need administrative privileges to… list datasets.
Sigh. iX, why not just add it to the path by default? Running zfs and zpool commands are very common for TrueNAS users.
Whoever has unfettered physical access to the server is its king. Don't forget that.
The line that reads <BLANK>/.system doesn't make sense. Is it the pool's name that prepends it?
It appears that you indeed have two .system datasets, yet only one is the real "active" one.
In your TrueNAS settings, there's a menu where you can review and change the location of the System Dataset. (I forget where it's found in the SCALE GUI.) What does it reveal? You'll want to relocate it to your boot-pool (or affirm it already is), and then you can safely delete the residual one.
But either way, as long as you are only protecting the dataset named "NAS" with a passphrase, the above steps are irrelevant. You won't be modifying the top-level root dataset's encryption property (i.e., "Pool") nor will the dataset "NAS" and below inherit its encryption properties, if you manually break the inheritance and use a passphrase instead.
That's normal. It's in reference to how the dataset is mounted. The datasets related to the boot-pool and System Dataset use the "legacy" method, whereas all other datasets in TrueNAS use the native mountpoint method.
Even if you think a key/keyfile is "obsolete", hold on to those keys indefinitely. (All of them.) They only take up kilobytes of space, but sometimes come into play in unexpected ways. (Such as being unable to unlock a replicated dataset that was sent to a backup server some months or years ago.)
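An added shell example (not from this thread or from iX) for verifying the inheritance point made above: it parses `zfs get` output for encryptionroot, keyformat and keystatus and reports which datasets will unlock automatically at boot and which will wait for a passphrase, so you can confirm that only "NAS" and its children became passphrase-protected while "Pool" and ".system" stayed key-based. The dataset names and property values are constructed sample data, not the poster's actual pool.

```shell
#!/bin/sh
# Added example. Real input comes from (run with sudo on SCALE):
#   zfs get -H -o name,property,value -r -t filesystem \
#       encryptionroot,keyformat,keystatus Pool
# awk's default field splitting accepts both the tabs of -H and the spaces
# used in this constructed sample. Here "Pool" is the key-protected root and
# "Pool/NAS" has been switched to a passphrase (the GUI step corresponds to
# zfs change-key -o keyformat=passphrase -o keylocation=prompt Pool/NAS,
# which makes Pool/NAS its own encryption root; on TrueNAS do it from the
# GUI so the middleware's key store stays consistent).
SAMPLE='Pool encryptionroot Pool
Pool keyformat hex
Pool keystatus available
Pool/.system encryptionroot Pool
Pool/.system keyformat hex
Pool/.system keystatus available
Pool/NAS encryptionroot Pool/NAS
Pool/NAS keyformat passphrase
Pool/NAS keystatus unavailable
Pool/NAS/Photos encryptionroot Pool/NAS
Pool/NAS/Photos keyformat passphrase
Pool/NAS/Photos keystatus unavailable'

# One line per dataset: its encryption root, keyformat, current keystatus and
# whether it is auto-unlocked at boot (hex/raw key held by the middleware) or
# stays locked until someone enters the passphrase (PROMPT).
classify_encryption() {
    printf '%s\n' "$1" | awk '
        $2 == "encryptionroot" { root[$1] = $3 }
        $2 == "keyformat"      { fmt[$1]  = $3 }
        $2 == "keystatus"      { st[$1]   = $3 }
        END {
            for (ds in fmt) {
                how = (fmt[ds] == "passphrase") ? "PROMPT" : "AUTO"
                printf "%s root=%s keyformat=%s status=%s unlock=%s\n", ds, root[ds], fmt[ds], st[ds], how
            }
        }' | sort
}

# Datasets that share a given encryption root: their availability at boot is
# decided by that root's keyformat, not by their own properties.
datasets_under_root() {
    printf '%s\n' "$1" | awk -v r="$2" '
        $2 == "encryptionroot" && $3 == r { print $1 }' | sort
}

classify_encryption "$SAMPLE"
```

Any dataset reported as PROMPT is one SMB will list as an unavailable share after a reboot until it is unlocked in the GUI.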
Thank you for the explanation.
Is there a reason behind this?
I noticed it complained that the boot pool is ~75% full and that it is recommended to keep it below 80%, but my conclusion was to figure out how to size the boot-pool up.
Your data/storage pool(s) are usually constructed with redundancy. (A simple two-way mirror, at least.)
Boot pools, especially in the past when we used USB sticks as our "OS" device, were non-redundant (as well as more prone to failure if you're using a cheap USB, or even a USB stick in general.)
So upon the creation of a storage pool, the System Dataset (which is crucial for the operation of a running FreeNAS / TrueNAS server) would be moved to this âmore reliableâ home.
That makes sense.
Funny thing, for me it's the other way around ^^
TrueNAS is a VM with the boot pool on redundant SSDs.
I gave the VM just 8GB of storage but doubled it to 16 now.
The storage is a single HDD (due to power savings).
(And yes, I know there is no redundancy; that's why I have a cold storage which has 2 parity drives (: )