Question: what if I am fully locked out of TrueNAS (2FA, time sync, SSH off, boot drive fail, etc.)

Why:
It seems 2FA issues are common and since I do not have physical access control to the hardware, I need to lock it down. Here is a list of probable situations which might lead to a complete lock out:

  • Turned off console access so people cannot walk up with a monitor and keyboard and gain access to all my data
  • Passphrase protected all datasets
  • BIOS time sync 2FA fail
  • General 2FA fail such as key lost
  • Boot drive completely fails
  • Fire

How:
What is the most appropriate way to regain access to data and recover functionality (apps, shares, credentials) if the data drives are all intact and passphrases are available but the boot drive is completely burned down?
What should I keep an off-site copy of, such as config files, passphrases, and what else?

Others may add items, but this is what I would do:

  • Unused boot device appropriate for your hardware (aka SATA 2.5", NVMe or USB to SATA/NVMe device)
  • Install image of the exact TrueNAS version you are using, on a USB boot device. Update as you update the NAS.
  • Current copy of configuration
  • User names and password(s) used for GUI / SSH login
  • All the passphrases of the ZFS encrypted datasets

That requires on-site work.

Note that it is possible to password protect the console. That may not be enough for you, so disabling the console may seem more appropriate. But, without console, some recovery methods will require reloading the boot device and restoring the current configuration. That requires on-site work.

Now if you need to move your ZFS data pool disks to another / new server, that is possible. Just install as normal, and restore the current configuration. If the network hardware changed, you will need to reconfigure on the console. That could be problematic if, after restoring your configuration, the console is disabled. Catch-22.
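One way to keep the off-site kit described in the answer above consistent and verifiable, as an added example that is not part of this thread and not TrueNAS's own tooling: a small POSIX shell script that gathers the config database, the password seed, the dataset passphrases and the TrueNAS version string into one directory with owner-only permissions, writes a SHA-256 manifest, and can later check that nothing in the kit has been lost or corrupted before you rely on it during a rebuild. It assumes the config database and seed are the files TrueNAS exports under "Save Config" (on the box itself, /data/freenas-v1.db and /data/pwenc_secret); the demo at the bottom runs on constructed stand-in files, so it works anywhere with sh, sha256sum and mktemp.

```shell
#!/bin/sh
# Added example, not code from the forum thread or from TrueNAS.
# Builds and verifies an off-site recovery kit for a TrueNAS boot-drive rebuild.
# Assumed inputs: the config DB and password seed as exported by "Save Config"
# (/data/freenas-v1.db and /data/pwenc_secret on a live system), a file holding
# the ZFS dataset passphrases, and the exact TrueNAS version string so the
# install image you stage can be matched to it.
set -eu

# make_kit KIT_DIR CONFIG_DB SECRET_SEED PASSPHRASE_FILE VERSION_STRING
# Copies the inputs into KIT_DIR, locks permissions down to the owner, and
# writes SHA256SUMS so the kit can be checked before it is trusted.
make_kit() {
  kit=$1; cfg=$2; seed=$3; pp=$4; ver=$5
  mkdir -p "$kit"
  chmod 700 "$kit"
  cp "$cfg" "$kit/freenas-v1.db"
  cp "$seed" "$kit/pwenc_secret"
  cp "$pp" "$kit/dataset-passphrases.txt"
  printf '%s\n' "$ver" > "$kit/TRUENAS_VERSION"
  # Secrets live here: owner read/write only.
  chmod 600 "$kit/freenas-v1.db" "$kit/pwenc_secret" \
            "$kit/dataset-passphrases.txt" "$kit/TRUENAS_VERSION"
  # Manifest over every file the rebuild will need.
  ( cd "$kit" && sha256sum freenas-v1.db pwenc_secret \
                 dataset-passphrases.txt TRUENAS_VERSION > SHA256SUMS )
}

# verify_kit KIT_DIR
# Returns 0 when every file in the manifest is present and its hash matches,
# non-zero if anything is missing or altered (bit rot, truncated copy, tampering).
verify_kit() {
  kit=$1
  [ -r "$kit/SHA256SUMS" ] || return 1
  ( cd "$kit" && sha256sum -c SHA256SUMS >/dev/null 2>&1 )
}

# --- demo on constructed stand-in files (not real TrueNAS data) ---
demo() {
  work=$(mktemp -d)
  printf 'constructed stand-in for freenas-v1.db\n' > "$work/freenas-v1.db"
  printf 'constructed stand-in for pwenc_secret\n'  > "$work/pwenc_secret"
  printf 'tank/secure: constructed-passphrase\n'    > "$work/passphrases.txt"
  make_kit "$work/kit" "$work/freenas-v1.db" "$work/pwenc_secret" \
           "$work/passphrases.txt" "EXAMPLE-VERSION-STRING"
  verify_kit "$work/kit" && echo "kit verified"
  # Simulate corruption of the stored seed: verification must now fail.
  printf 'corrupt' >> "$work/kit/pwenc_secret"
  if verify_kit "$work/kit"; then
    echo "BUG: corruption not detected"; rm -rf "$work"; return 1
  fi
  echo "corruption detected as expected"
  rm -rf "$work"
}
demo
```

Run the real thing as root on the NAS with the live paths, then copy the kit directory to the off-site medium and run verify_kit against that copy, not the original; a manifest that only ever passes on the source tells you nothing about what you will actually restore from. The passphrase file is plaintext here because the point is the checklist and the integrity check; encrypt the kit at rest with whatever you already trust for off-site secrets.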