TrueNAS does have options to store data on an encrypted pool or dataset. However, as far as I can see, that ONLY(!) protects against data access in case someone has physical access to the NAS and does not have login credentials.
However, I would like to store data on the NAS for my kids or a friend which is not accessible, not even for me as admin. So the NAS should behave as "untrusted cloud storage".
The fact that every encrypted dataset has its own key does IMHO not help at all, since:
it is me (admin) who did create the datasets and who has the keys, and
the datasets are opened automatically at startup (they have to be).
So, I do need a method where the other side (my friend, my kids, me in certain cases) is in control over the encryption from the remote side.
So the encryption credentials / key / password should not be on the TrueNAS system.
However, it would be nice if the TrueNAS system could play a role in the encryption process.
Access would of course be via a secured connection (SSH or VPN).
I am looking for methods to implement the described behaviour, but have not found proper solutions yet.
Syncthing seems to be working in that direction, but I do not think that is working yet (it should work reliably, and it should be possible to recover all data even after losing the source PC (damaged / stolen / etc.)).
Borg seems to go in that direction, but it is Linux, not Windows.
TrueCrypt would be a good option, but placing the container in an SMB or iSCSI connected dataset has terrible performance.
So I am still scratching my head, hoping for good suggestions.
I had a short look at MinIO and it seems a very interesting application. But it is far too big and complex to know if it fulfills the described requirements. And of course I would also need a simple program on the (Windows) PC as interface.
I am afraid that installing and evaluating this interesting idea will take significant time.
Perhaps I will invest that effort, but it would be nice to know in advance if it does fulfill the outlined requirements.
By the way, if I try (and I think I will), I will probably create a VM running Ubuntu, install MinIO on that VM and provide that VM with a virtual disk (zvol) on my Z1vol. If someone did that before and could share some experiences …
What makes you think this? Because it sure looks like the feature is there. Your friend shares the folder with you, marks it as untrusted, and chooses a secure password/passphrase known only to him. Restoration if necessary should be the reverse. And, unless the other users are also using TrueNAS (in which case replication would be the way to go), this seems like by far the simplest way to make this happen.
I think you’re solving the problem backwards. Speaking as a cybersecurity consultant, you should consider TrueNAS (and any other rebootable NAS) as insecure because the boot drive needs to retain keyfiles, and once unlocked any process with sufficient privilege can access the keyfiles and the unlocked contents.
The correct control here is to encrypt sensitive data before sending it over the wire to TrueNAS. That’s how encrypted Time Machine backups work, as well as encrypted sparsebundles. For a more cross-platform solution, consider a Cryptomator vault or gpgtar on your client so that the data stored on your SMB or NFS share is never decrypted server-side.
The primary threat model TrueNAS and ZFS protect you from is physical exfiltration of pool disks, which still leaves the boot drive as a security point of failure unless you have certain hardware encryption guarantees that would prevent access to the boot drive without pre-authentication. Your threat model, on the other hand, requires controls that prevent unencrypted data in transit or at rest on the NAS, so you will need to select a third-party client-side (not server-side) solution.
Cryptomator and macOS encrypted sparsebundles (use Spundle to manage band size on large vdevs though) were explicitly designed for this use case, and VeraCrypt or eCryptFS might serve too. There are other options as well, but they will all be based on trusted client-side decryption of one sort or another.
VeraCrypt is problematic for NAS because you have to encrypt the whole partition or virtual device at once, which can take a very long time. However, sparsebundles and Cryptomator volumes work differently.
Sparsebundles work in bands (8.6 MiB by default) so they aren’t disk intensive or time consuming to set up. Even larger bands for a 30 TiB partition are a lot smaller than you might think; around 6.7 GiB per band is about right. The Spundle site explains band sizes in detail if you’re curious. The issue is primarily ensuring that they’re large enough to keep directory enumeration from grinding your disks to a halt.
Cryptomator was designed to encrypt individual files on remote volumes like cloud storage, but presents you with a mountable volume locally. There are also clients like MountainDuck or CyberDuck that can mount them for you over SMB, NFS, FTP, or SFTP with all the encryption and decryption done client-side. That’s why I’d recommend that option to you as a good cross-platform solution for the problem you describe. The security is client-side; you don’t have to worry about keyfiles on your TrueNAS boot drive, or having to re-enter passwords to unlock volumes after a reboot; and most of the tools (except MountainDuck) are FOSS.
If you don’t mind locking and unlocking your TrueNAS dataset or zvol when you need it, then you don’t need anything else if you trust the TrueNAS server and the users with console access to it. In that case, just change the encryption for a protected dataset to use a separate password for decryption rather than relying on inheriting the global SED. If you have sufficient privilege, you can lock or unlock that dataset when you need it, and possibly set a cron job to re-lock it after a reasonable timeout period.
It’s always about your threat model. Everything involves trade-offs, but TrueNAS can support your use case one way or another. Good luck!
To store VM data on TrueNAS disks there are two basic options:
store the data in a dataset, or
store the data in a zvol.
The (dis)advantages of a zvol are:
the data is fully controlled by the client
no problem to encrypt "the disk" from the client side
you can define a "mr-client" and only allow that "person" to access the zvol from the TrueNAS side
the big disadvantage is that the zvol takes up a lot of space
The (dis)advantages of a dataset are:
big advantage: used disk space is not more than what is actually used
(metadata) vdev etc. can be used effectively
At least when using NFS (the logical choice), I have no idea how to limit dataset access from the TrueNAS side to "mr-client" only, which is IMHO an absolute requirement. (Note that using NFS with root and full access to "others" is working, but IMHO not acceptable.)
Using a ZFS encrypted dataset protects the data, with exception for "root" and "mr-client" (if you manage to solve the issue mentioned above).
It is possible to encrypt files on a per-file basis by the client, but not to encrypt the disk.
My ideal solution would be to:
use a dataset, not a zvol, and
limit access to "mr-client", and
have the dataset available to selected user(s) on the VM (not only root)
have the zfs dataset encryption key on the client
Note that NFS also protects the connection to a given IP address.
Problem is that I do not know how to implement this scenario!
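Two ideas from this thread can be shown together in one script: keeping the ZFS dataset key on the client rather than on the NAS (the last wish list item above), and the earlier suggestion of a cron job that re-locks datasets left unlocked after a timeout. The script below is an added example, not code from the thread or from TrueNAS. It assumes a dataset created with `keyformat=raw` and `keylocation=prompt` (so no key material is ever stored on the NAS), a 32-byte raw key file on the client, SSH access as root (or an admin with passwordless sudo) and the placeholder host and dataset names shown; all of these are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Host, dataset and key path are placeholders.
# The dataset is assumed to have been created on the NAS with:
#   zfs create -o encryption=aes-256-gcm -o keyformat=raw -o keylocation=prompt tank/friend
# so the NAS keeps no key on disk; the 32 raw key bytes live only on the client.
NAS_HOST="${NAS_HOST:-root@nas.example.invalid}"   # assumed: SSH as root (or admin with passwordless sudo)
DATASET="${DATASET:-tank/friend}"                  # assumed dataset name
KEYFILE="${KEYFILE:-$HOME/.keys/friend.raw}"       # 32 raw key bytes, never copied to the NAS

# Stream the key over SSH stdin: with keylocation=prompt, `zfs load-key` reads it from stdin,
# so the key is only ever held in NAS kernel memory while the dataset is in use.
unlock_dataset() {
  ssh "$NAS_HOST" "zfs load-key -L prompt '$DATASET' && zfs mount '$DATASET'" < "$KEYFILE"
}

# Unmount and drop the key again; afterwards the data is unreadable server-side,
# including for root on the NAS (while unlocked, root on the NAS can read it).
lock_dataset() {
  ssh "$NAS_HOST" "zfs unmount '$DATASET' && zfs unload-key '$DATASET'"
}

# Pure helper (runs anywhere, used by the cron job): reads tab-separated lines of
#   name <TAB> keystatus <TAB> encryptionroot
# as produced by `zfs list -H -o name,keystatus,encryptionroot -t filesystem`,
# and prints each encryption root whose key is currently loaded.
loaded_encryption_roots() {
  awk -F'\t' '$2 == "available" && $1 == $3 { print $1 }'
}

# Cron job body for the NAS (e.g. every 30 minutes): unload every loaded key except the
# space-separated roots in $1, so a dataset somebody forgot to lock is re-locked anyway.
relock_all_except() {
  keep=" $1 "
  zfs list -H -o name,keystatus,encryptionroot -t filesystem | loaded_encryption_roots |
  while read -r ds; do
    case "$keep" in *" $ds "*) continue ;; esac
    zfs unmount "$ds" && zfs unload-key "$ds"
  done
}

# Usage: `sh keyctl.sh unlock` on the client before working, `sh keyctl.sh lock` afterwards;
# `sh keyctl.sh relock tank/system` from the NAS crontab (tank/system is a placeholder).
case "${1:-}" in
  unlock) unlock_dataset ;;
  lock)   lock_dataset ;;
  relock) relock_all_except "${2:-}" ;;
esac
```

The design keeps the key on the client side and gives the NAS only a transient copy in memory, which is exactly the residual risk the consultant's reply describes: anyone with sufficient privilege on the NAS can read the unlocked contents until the key is unloaded, which is why the relock job matters.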