Making the long overdue switch from Synology to TrueNAS. Some questions about setup best practices!

While I run my own BGP network and also run BGP at home, I’ve always stuck with Synology for a ‘known good’ NAS appliance. That ‘known good’ era is no longer the case with Synology’s treatment of their customers, and lack of progress vs the market. So, I’m finally making the switch to TrueNAS that everyone has been encouraging me to make!

On my Synology, I have split shares out into their content types (eg, Filing, Photos, Videos, Movies, TV Shows, Downloads). Each share is encrypted using folder encryption with a passphrase.

Some questions I can’t seem to find answers to, or don’t understand fully:

  • Encryption should be set at a child dataset level, and not the parent (e.g. pool) level, correct? So for each of my “shares” on the old Synology, I would create a new dataset on TrueNAS, and then encrypt that dataset?
  • If I replicate the snapshots to a new TrueNAS, is the encryption retained as it’s on the dataset level? And I don’t need to “unlock” the dataset on the target in order to replicate?
  • Is it not advisable to use compression or dedupe with an encrypted dataset?
  • Can I replicate a dataset to a different location on the target? So a dataset called “Photos” as a child dataset on the source pool/dataset could be a child of a child dataset on the target? (eg /Backups/Photos/)?
  • Are there any other suggestions you may have?

Thank you for your guidance! I hope the answers will also help another TrueNAS noob in the future :)

The short answer is – yes. And the long answer is… long.

AIUI, you have to set up encryption during dataset creation. ZFS will create a (master? not sure about the term) key for the dataset and would never change it. The dataset’s data will be encrypted with this very key. By changing encryption methods/keys/passphrases later, you would actually just change the encryption method of the master key itself.

AFAIK, Windows’ BitLocker works in the same fashion.

Yes, you can do it with “raw” replication. Moreover, replicating an encrypted dataset into an unencrypted dataset is a non-trivial (if even possible) task.

Can’t say for deduplication. AFAIK, data is first compressed and then encrypted. So compression is still beneficial.
Also, encrypted data is usually incompressible, because a good encryption algorithm outputs somewhat random data. But this is off-topic.

Yes, you can.

I suggest you wait for other answers from more experienced users. For one, @winnielinnie is very avid on this topic.

1 Like
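An added example (not part of either post) showing the compression point from the reply above: compressing before encrypting keeps the space savings, while ciphertext itself does not compress. The cipher here is a stand-in keystream built from SHA-256, not the AES mode ZFS uses, and the key, sample records and function names are constructed for the demo.

```python
import hashlib
import zlib

KEY = b"constructed-demo-key"  # constructed value, not a real ZFS wrapping key

# Constructed sample: repetitive, text-like records that compress well.
SAMPLE = "".join(
    f"2024-05-{i % 28 + 1:02d} IMG_{i:05d}.jpg imported to Photos\n" for i in range(2000)
).encode()


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (SHA-256 in counter mode). Assumption for the demo only:
    it is not the AES mode ZFS uses and must not be used to protect real data."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], pad))
    return bytes(out)


def compress_then_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # The order described in the reply: shrink first, then encrypt what is left.
    return keystream_xor(key, zlib.compress(plaintext))


def decrypt_then_decompress(key: bytes, stored: bytes) -> bytes:
    # Reading back reverses the two steps (XOR with the same keystream decrypts).
    return zlib.decompress(keystream_xor(key, stored))


def encrypt_then_compress(key: bytes, plaintext: bytes) -> bytes:
    # The wrong order: the compressor only sees random-looking bytes.
    return zlib.compress(keystream_xor(key, plaintext))


def compare_orders(key: bytes, plaintext: bytes) -> dict:
    """Return the stored size in bytes for each ordering."""
    return {
        "plaintext": len(plaintext),
        "compress_then_encrypt": len(compress_then_encrypt(key, plaintext)),
        "encrypt_then_compress": len(encrypt_then_compress(key, plaintext)),
    }


if __name__ == "__main__":
    for name, size in compare_orders(KEY, SAMPLE).items():
        print(f"{name:>22}: {size} bytes")
```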

The answers @swc-phil gave are quite reasonable.

I would add that a review of ZFS capabilities is useful. Some new users want to throw everything at their new NAS, for little to no good reason. So reading up on what ZFS can and can’t do before you actually put data on your TrueNAS is always helpful.

1 Like