I’m aware that child datasets unlock automatically when the encrypted parent is unlocked, but I’m curious if there is a possibility to unlock unrelated datasets all at once when a common passphrase is used? LUKS has this ability (with some configuration) but I’m not sure about ZFS.
Instead of:
/mnt/tank/
    crypt/ (passphrase: “pizza123”) ← manually unlock
        shared/ ← unlocks
        media/ ← unlocks
        etc…
Is it possible to do:
/mnt/tank/
    shared/ (passphrase: “pizza123”) ← manually unlock
    media/ (passphrase: “pizza123”) ← auto unlocks
    etc…
EDIT: I’m not asking about pool level encryption
Not aware of that possibility as described.
Instead of a pool level, you could put everything under a common directory, i.e. encrypted vs. non-encrypted, and segment the pool that way. Unlock the encrypted dataset and all children also decrypt. I.e.:
/mnt/tank/encrypted/media
/mnt/tank/encrypted/files
/mnt/tank/everything_else
Thanks, I think I’ll keep a common encrypted root then.
Though if there’s a common root, I can’t think of a good reason to keep unencrypted datasets outside of it.
The use case is to protect against both NAS theft (boot disk included) and individual disk disposal / RMA, so might as well protect all the data.
I was just thinking that an unlock option (TrueNAS feature?) to loop through all the encrypted datasets (at least those on the same level) and unlock any for which the entered key / passphrase matches would save us a filesystem hierarchy level.
I don’t imagine it’s something iX customers are begging for, though.
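The "loop through the encrypted datasets and unlock any the passphrase matches" idea from the post above, as an added shell example that is not from the thread or from TrueNAS. It assumes OpenZFS `zfs get` / `zfs load-key` behaviour (a passphrase piped to `load-key` on a `prompt` keylocation dataset); only encryption roots are tried, since children inherit the root's key. On TrueNAS the middleware tracks lock state itself, so read this as an illustration of the loop rather than a drop-in for the UI.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed sample of
#   zfs get -H -o name,property,value keystatus,encryptionroot -r tank
# (tab separated, as -H prints it). tank/media/child inherits tank/media's key.
sample_output() {
  printf '%s\t%s\t%s\n' \
    tank             keystatus      - \
    tank             encryptionroot - \
    tank/shared      keystatus      unavailable \
    tank/shared      encryptionroot tank/shared \
    tank/media       keystatus      unavailable \
    tank/media       encryptionroot tank/media \
    tank/media/child keystatus      unavailable \
    tank/media/child encryptionroot tank/media \
    tank/open        keystatus      available \
    tank/open        encryptionroot tank/open
}

# candidate_roots: read `zfs get` output on stdin and print the encryption
# roots whose key is not loaded. Unencrypted datasets ("-"), datasets that are
# already unlocked, and children of another root are skipped.
candidate_roots() {
  awk -F'\t' '
    $2 == "keystatus"      { ks[$1] = $3 }
    $2 == "encryptionroot" { er[$1] = $3 }
    END { for (d in ks) if (ks[d] == "unavailable" && er[d] == d) print d }
  ' | sort
}

# unlock_matching PASSPHRASE POOL: offer the passphrase to every locked root.
# A non-matching passphrase only fails that one dataset; the loop moves on.
# Afterwards mount everything whose key is now loaded (children included).
unlock_matching() {
  pw=$1; pool=$2
  zfs get -H -o name,property,value keystatus,encryptionroot -r "$pool" \
    | candidate_roots \
    | while IFS= read -r ds; do
        if printf '%s\n' "$pw" | zfs load-key "$ds" >/dev/null 2>&1; then
          echo "unlocked $ds"
        else
          echo "skipped  $ds (passphrase did not match)"
        fi
      done
  zfs mount -a
}

# Usage on a real system: unlock_matching 'pizza123' tank
```

With the sample above, `sample_output | candidate_roots` yields only `tank/media` and `tank/shared`; `tank/media/child` is never tried on its own because it shares its parent's key.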
I had an epiphany: what I’m looking for is full-disk encryption that doesn’t have keys stored on the system.
I think it’s more valuable in the context of a home NAS (think small, easily lifted appliances) because homes are common targets for break-ins, unlike most enterprises.
If a parent encrypted dataset is the only way to do it, is it OK to keep zvols under it as well? Does it create complications with snapshots?