I am working on my first TrueNAS Scale instance and am running version Dragonfish-24.04.2.
I recently created my first pool (“main-20240716”), which is encrypted, using all of my available HDDs. TrueNAS is installed on a separate SSD.
I created this first pool for testing, but would like to delete it and start over. For one, I would like to create a pool with a much shorter name to minimize the risk of running into a path length limitation (I am migrating an old NAS and some of the paths are very long). I don’t see any way to rename the pool, and I can’t create another pool because I have no more available drives. This may not be a “good” reason to delete the pool, but now that I see the following, I am curious about this, even if there is a better solution here.
In the Storage dashboard, if I click the Export/Delete button on the main-20240716 pool, I see a dialog with the following message:
"This pool contains the system dataset that stores critical data like debugging core files, encryption keys for pools, and Samba 4 metadata such as the user/group cache and share level permissions. Exporting this pool will transfer the system dataset to another available pool. If the only available pool is encrypted, that pool will no longer be able to be locked. When no other pools exist, the system dataset transfers back to the TrueNAS operating system device.
WARNING: Exporting/disconnecting pool main-20240716. Data on the pool will not be available after export. Data on the pool disks can be destroyed by setting the Destroy data option. Back up critical data before exporting/disconnecting the pool.
These services depend on pool main-20240716 and will be disrupted if the pool is detached:
Kubernetes:
main-20240716
"
I am confused by this:
Why would this pool contain “the system dataset”? Judging by the dialog, it sounds as though it was on the OS drive, but was moved to the pool upon creating it. If this is the case, why? Presumably, it was fine on the OS drive, so why not keep it there?
How does this pool contain “encryption keys for pools” if this is the only pool I created, it is encrypted, and the OS needs the key to decrypt this pool on startup?
All I want to do is get my system back to the state it was before I created this pool. Would choosing the “Destroy data on this pool?” and “Delete saved configurations from TrueNAS” options achieve this and allow me to create a new pool without side effects from this action?
Because it is assumed your data pool has better resiliency than your boot pool.
IIRC those are stored in the system dataset or in another place that’s in plain text, but @winnielinnie is our local encryption guru; I am more than a bit rusty regarding encryption, wait for other users’ confirmation.
Understood and good point. This is an unexpected side effect, however. I think more communication in the UI is warranted. If, for example, I was setting up a new system and wanted to create 3 pools, I wouldn’t expect the OS to arbitrarily choose a pool to store data on. I would prefer to make that decision. In this case, I created this pool for testing.
Any pool beyond the boot pool is a data pool, hence the default behaviour is to move the dataset to the first pool you create if I do not remember wrong; you should be able to easily put the dataset back in the boot pool, or any pool, though.
I gotcha. But still - I do intend to create a single-disk pool (fast NVMe) for VM usage or swap space. If I had created that one first, then it would be no better than the boot drive/pool for resiliency, so it wouldn’t make much sense for the OS to move the system data there.
It would be nice to get some clarification on this. I was under the impression that the encryption keys were not stored on the same drives as the pool being encrypted by said keys so that you could dispose of your data drives without needing to wipe them. However, if the encryption keys really are stored in the pool that these drives compose, isn’t that a security risk?
Keep in mind that you want to make a habit of exporting and keeping safe:
your dataset(s) encryption keys
your TrueNAS config file with the “secret seed”
The first one does not need to be done at a dataset-by-dataset level. You can do it from the Pools page, and export all the encryption keys for all relevant datasets (i.e, “encryptionroots”) in the pool with a single click.
