When trying to harden security on your TrueNAS system, you may wish to A. enable 2FA and B. lock the console screen to prevent anyone who gained physical access to your TrueNAS from accessing the data, changing the root password or generally causing it any harm. However, if someone forced a reboot on your TrueNAS and booted into an earlier boot environment such as ‘initial install’, this would allow the person to essentially go back in time to before the console screen was locked and 2FA was enabled, allowing the person to reset the root password from the console once booted and completely avoid 2FA at login. A potential fix would be that when you enable 2FA you are prompted with a suggestion that you may wish to delete prior boot environments to prevent this issue from arising.
With physical access to the system you can always boot FreeBSD or Linux and just import the pools. If the BIOS is password locked, connect the disks to a different system, import the pools …
Other than via encryption at rest, you cannot protect data if the attacker has physical access to the media.
As has been said before, if someone motivated enough gets physical access to your system all bets are off. The amount of hardening required to plug all avenues of entry spikes at that point.
Post your suggestion to (offer to) remove past unprotected boot environments if 2FA is enabled; easiest would be using the WebUI button on your running system.
Even if a malicious user has physical access to your computer, there are other simple solutions to safeguarding your data, which can even be done remotely with the press of a button.