I enabled encryption on my data pool but I’m not sure it is as protected as I want it to be:
Current State: Unlocked
Encryption Root: Yes
Type: Key
Algorithm: AES-256-GCM
My goal with encryption is to be protected against physical theft. So if a robber takes the whole server he shouldn’t be able to extract data (preferably ANY data, but more importantly data on the data pool). So the attacker won’t only access the data disk but everything else, too, including the system data pool – and the documentation says:
The system dataset stores core files for debugging and keys for encrypted pools.
This means that physical access to the whole machine gives full access to all data, right? This also makes sense, because when I turn on the server, all data is instantly accessible via SMB. So it seems my server is not set up according to my threat model. How can I fix it?
It seems like passphrase encryption might do what I want. Can I switch to that from the “key” type? After that, what will bootup look like? Will I have a functioning TrueNAS GUI that I have to log into and open the dataset with the passphrase?
Your data-pool will remain locked until you manually unlock it which means that any service that depends on it will not be able to start until you do. That includes VMs, apps and shares.
You can still change the key format to passphrase for the root dataset, as long as the System Dataset (or “Apps”) does not live on that pool.
You can leave the root dataset as it is, with a “key”, which will automatically unlock upon reboot.
Then just override the children dataset(s) to use a passphrase instead. (You shouldn’t be saving any files to the root dataset, anyways.)
Like @neofusion said, if you have any shares that depend on those datasets (filesystems, paths) being available, they will not work until you manually unlock them.
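As an added example (not from this thread, and not TrueNAS’s own code), here is a small shell audit that reads `zfs get` output and reports which encrypted datasets will open on their own at boot, which is exactly the key-type root versus passphrase-children split described above. The sample `zfs get` output it runs on is constructed; the rule that a `hex`/`raw` keyformat means “auto-unlock” is an assumption about the middleware, based on the documentation line quoted in the question (the key for “Key” type datasets lives in the system dataset).

```sh
#!/bin/sh
# Added example (not from the thread): list every encrypted dataset and say whether
# TrueNAS will open it by itself at boot. Assumption behind the verdict: a dataset
# whose keyformat is "hex" or "raw" (the GUI's "Key" type) has its key kept in the
# system dataset and is unlocked automatically; a "passphrase" dataset stays locked
# until someone types the passphrase or a script supplies it.
#
# Live use on the NAS:
#   zfs get -H -o name,property,value encryption,keyformat,keystatus -t filesystem | audit_keys

# Read `zfs get -H -o name,property,value` lines (tab separated) on stdin; emit one
# line per encrypted dataset: name, keyformat, keystatus, verdict.
audit_keys() {
    awk -F'\t' '
        $2 == "encryption" { enc[$1] = $3 }
        $2 == "keyformat"  { fmt[$1] = $3 }
        $2 == "keystatus"  { st[$1]  = $3 }
        END {
            for (ds in enc) {
                if (enc[ds] == "off") continue
                verdict = (fmt[ds] == "passphrase") ? "manual-unlock" : "AUTO-UNLOCK"
                printf "%s\t%s\t%s\t%s\n", ds, fmt[ds], st[ds], verdict
            }
        }' | sort
}

# Constructed sample in the same layout (not captured from a real system): a pool
# whose root dataset uses a key and a child that was switched to a passphrase.
sample_zfs_get() {
    printf '%s\t%s\t%s\n' \
        boot-pool encryption off \
        boot-pool keyformat none \
        boot-pool keystatus none \
        tank encryption aes-256-gcm \
        tank keyformat hex \
        tank keystatus available \
        tank/docs encryption aes-256-gcm \
        tank/docs keyformat passphrase \
        tank/docs keystatus unavailable
}

# Number of datasets (read from stdin) that open without anyone present; non-zero
# means the box serves those datasets to whoever powers it on.
count_auto_unlock() { audit_keys | grep -c 'AUTO-UNLOCK$'; }

sample_zfs_get | audit_keys
```

On the sample this prints `tank` as AUTO-UNLOCK (keystatus available) and `tank/docs` as manual-unlock (keystatus unavailable). Run against a live system, any dataset that holds data you care about and still shows AUTO-UNLOCK is one a thief gets by simply powering the machine on.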
As far as I understand, when using Passphrase the key is stored in RAM, so after disconnecting the server from the power it will not be possible to decrypt the data without the Passphrase.
This is how I do it. My root dataset is set to passphrase, and it’s unlocked on boot by reading the passphrase from an inserted USB drive. Inside this root dataset all other datasets are set to passphrase and are unlocked manually. I can also choose to auto-unlock any of the child datasets via the USB drive script if needed.
All that is needed to secure the datasets is to remove the USB drive. So when I need to ensure security I pull the USB drive and store it securely. Without the USB drive inserted, the datasets will never unlock on boot.
This thread should get you there. This approach can be used to unlock the parent first then any child datasets on boot.
Keep in mind the passphrase is exposed on the USB drive. I suggest modifying the script example to process a secure hash instead of reading plaintext. Depending on the environment, you can pull the key after boot for additional security.
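The boot-time unlock described in this post, written out as an added example that is not the script from the linked thread: the passphrase handed to ZFS is the SHA-256 of a key file on the removable drive (the “process a secure hash instead of reading plaintext” variant), and the drive is unmounted as soon as the file has been read, so pulling it after boot is all that is needed. Everything specific here is an assumption: Linux/SCALE tooling (`blkid`, `sha256sum`; CORE would use `glabel` and `sha256`), a filesystem label `UNLOCKKEY`, a file name `zfs.key`, the dataset names, and the use of plain `zfs load-key`/`zfs mount` rather than the TrueNAS middleware’s own unlock call, which also tracks lock state in the GUI.

```sh
#!/bin/sh
# Added example, not the script from the linked thread: at boot, unlock
# passphrase datasets from a key file on a removable drive. The passphrase given
# to ZFS is the SHA-256 of that file, so the literal passphrase never sits on the
# drive. Assumptions, none of them from the thread: Linux/SCALE tooling (blkid,
# sha256sum), a drive with filesystem label UNLOCKKEY holding "zfs.key", and the
# datasets listed in DATASETS with the encryption root first.
# No drive present means nothing is unlocked.

USB_LABEL="${USB_LABEL:-UNLOCKKEY}"
USB_MOUNT="${USB_MOUNT:-/mnt/unlockkey}"
KEY_NAME="${KEY_NAME:-zfs.key}"
DATASETS="${DATASETS:-tank tank/docs}"

# Passphrase derived from a key file: hex SHA-256 of its bytes.
# Prints nothing and returns 1 if the file is missing or unreadable.
derive_passphrase() {
    [ -r "$1" ] || return 1
    sha256sum "$1" | awk '{ print $1 }'
}

# Block device carrying the labelled filesystem; empty output when it is absent.
find_usb_device() { blkid -L "$USB_LABEL" 2>/dev/null; }

# Load the key for one dataset (skipping it if already loaded) and mount it.
unlock_dataset() {
    ds="$1"; pass="$2"
    [ "$(zfs get -H -o value keystatus "$ds")" = "available" ] && return 0
    printf '%s\n' "$pass" | zfs load-key "$ds" && zfs mount "$ds"
}

main() {
    dev="$(find_usb_device)"
    if [ -z "$dev" ]; then
        echo "unlock: no drive labelled $USB_LABEL; datasets stay locked" >&2
        return 0
    fi
    mkdir -p "$USB_MOUNT"
    mount -o ro "$dev" "$USB_MOUNT" || return 1
    pass="$(derive_passphrase "$USB_MOUNT/$KEY_NAME")"
    rc=$?
    # Unmount before touching ZFS so the drive can be pulled right after boot.
    umount "$USB_MOUNT"
    [ "$rc" -eq 0 ] || { echo "unlock: $KEY_NAME not readable" >&2; return 1; }
    # Parent (encryption root) must be loaded before its children; DATASETS is ordered.
    for ds in $DATASETS; do
        unlock_dataset "$ds" "$pass" || echo "unlock: failed for $ds" >&2
    done
    unset pass
}

# Run only when invoked as the post-init task; sourcing just defines the functions.
if [ "${RUN_UNLOCK:-0}" = "1" ]; then main "$@"; fi
```

To set the passphrase in the first place, generate the key file with random bytes, then change the dataset to `keyformat=passphrase` using the same `derive_passphrase` output. Hashing only keeps the literal passphrase off the drive; whoever holds the drive and knows the scheme can still compute it, so the drive remains the secret and has to be treated as one. As the next reply notes, the loaded key stays in RAM for as long as the machine keeps power.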
Do realize, if someone really wants your data, they can hot-jump your power supply cord to a UPS and leave the NAS running until they get it back to their lab.
It’s hard to beat xkcd, but Johnnie To’s Election 2 illustrates an even cheaper way to get a passphrase out of someone… You’ll even save $5 on SPOILER.
I use what you seem to want. First, it may sound dumb, but have you disabled the auto-login after boot on the CLI, the one with the 11 or so options? I don’t remember what it’s called. If you haven’t, your system is wide open.
I have been using this for over 13 years and have never had issues. Modified in 2021 to use Perl while trying to make it work with Scale, though I use Core. I don’t even fully remember how it all works now.
As an added precaution I have an auto shut-down script that will shut down the NAS after 10 minutes if there are no noted active IP addresses on the list.
I also have a script that will auto unlock a specific pool/dataset when a specific IP is online.
I use the following setup with 4 remotely mounted USBs; all USBs have to be in, and in the right order, for decryption to work. USB 2 max cable length is about 5 metres. Yes, I still use USBs after 14 years.
Note: Passwords are accessible, but protection through obfuscation is used. Example: one file amongst dozens has a password. I had tried locking the USBs after it was all done, but all attempts failed. That was with GELI; should try with ZFS one day.
USB 1&2 TrueNas Mirror
USB 3&4 Interlocked to decrypt my drives.
If physical box stolen:
USB 1&2: No operating system will annoy basic thieves.
USB 3&4: They will have to know to take them or come back. They get nothing.
USB 3 is decrypted by TrueNAS on boot, initiated by a post-init command launching a script to decrypt USB 4; USB 4 will in turn decrypt the drives.
You can add extra layers but it makes it more complicated to remember.
If anybody steals it they will need to know to take the drives with them.
Also, as posted above by Frank Ward, that link is me when I was converting to Perl for Scale. Again, thanks to Sretalla for his help.
The above will show you a login prompt. To access the options again after login, if you ever need them, type /etc/netcli at the prompt; this will bring back the options.
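The “shut down after 10 minutes with no noted IP online” idea from this post, as an added example that is not the poster’s own script: a watchdog that pings a list of client addresses and powers the NAS off once none has answered for a grace period. The addresses (documentation range), the 30 second interval, the 10 minute grace period, Linux `ping -W` semantics and the FreeBSD `shutdown -p` are all assumptions; on SCALE you would use `poweroff` instead.

```sh
#!/bin/sh
# Added example, not the poster's own script: a watchdog that powers the NAS off
# once none of the "noted" client addresses has answered a ping for a grace
# period. Addresses, timings and the FreeBSD "shutdown -p" are assumptions
# (use "poweroff" on SCALE); the addresses are documentation-range placeholders.

CLIENTS="${CLIENTS:-192.0.2.10 192.0.2.11}"
INTERVAL="${INTERVAL:-30}"      # seconds between checks
GRACE="${GRACE:-600}"           # 10 minutes without any client seen

# One reachability probe; kept in its own function so it can be replaced for testing.
host_alive() { ping -c 1 -W 1 "$1" >/dev/null 2>&1; }

# 0 if at least one listed client answers, 1 otherwise.
any_client_up() {
    for h in $CLIENTS; do
        host_alive "$h" && return 0
    done
    return 1
}

# New idle counter: $1 = previous idle seconds, $2 = 1 if a client answered this round.
next_idle() {
    if [ "$2" -eq 1 ]; then echo 0; else echo $(( $1 + INTERVAL )); fi
}

# 0 once the idle time has reached the grace period.
should_shutdown() { [ "$1" -ge "$GRACE" ]; }

do_shutdown() { shutdown -p now; }

watch_loop() {
    idle=0
    while :; do
        if any_client_up; then up=1; else up=0; fi
        idle=$(next_idle "$idle" "$up")
        if should_shutdown "$idle"; then
            echo "watchdog: no client for ${idle}s, powering off" >&2
            do_shutdown
            return 0
        fi
        sleep "$INTERVAL"
    done
}

# Run only when started as the post-init task; sourcing just defines the functions.
if [ "${RUN_WATCHDOG:-0}" = "1" ]; then watch_loop; fi
```

Powering off is what actually drops the key from RAM, so this complements a passphrase setup: an unlocked dataset on a machine nobody is using stops being unlocked after the grace period. Note that a client that answers pings keeps the box up regardless of who is at the keyboard, so the list should contain only machines you control.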