Setting up Encryption on a backup drive post-install of TrueNAS

Back when I got my iXsystems hardware, I set up and installed my main dataset as unencrypted. After I got it up and running under CORE, and began setting up backups to a local USB drive, I found out that it was difficult / impossible to encrypt the root dataset after the fact, and also difficult to replicate a non-encrypted dataset to an encrypted one.

My main goal at this point is to have an encrypted Backup drive. I’m not terribly worried about physical theft of the NAS itself (there’s way better targets in my home for a thief to grab), but an offsite backup drive is a prime target for a thief, so I’d like to secure that.

I’m now on SCALE 24.10 - what is the best way to set up my external drives to be encrypted, so that I can export them and take them to a place to store / rotate them out? Do I need to whack my main dataset, and re-create it, or can I encrypt it on the fly now that I am on Scale and replicate it to the backup drive(s)?

At the moment, I have the one drive for onsite backups, but am planning on adding more for offsite. (Having the onsite one encrypted certainly would not hurt, TBH.)

That’s completely possible and supported. I’d recommend you use “passphrase” instead of “key”. This way, you do not need to keep any keyfile safe, nor do you need to worry about someone acquiring the keyfile. (Just don’t forget your passphrase!)

Ah, OK - last time I tried, I was told it was not possible due to limitations of TrueNAS. I’ll try again to see if I can replicate to an encrypted dataset.

Should I be encrypting the root dataset on the target drive? Or doing the encryption as a part of the replication process?

That’s the trick.

You can’t replicate “to” an (already existing) encrypted dataset.

You must manually input the name of the destination dataset, which will be created upon the first time the replication runs.

The latter is less confusing for TrueNAS, and allows more flexibility.

Leave the root dataset unencrypted, but do not create a new encrypted dataset underneath. The replication task, itself, is going to create it on the first run.

So when you go to “select” the destination, you’ll only see a root dataset on the drop-down selector. From here, you manually type in the name of the desired (and “to be encrypted”) dataset.

Something like this: backup/myfiles

backup is the root dataset, left unencrypted. myfiles is the dataset that will be created when the replication runs for the first time, and will use the encryption properties you configured in the replication task.

@winnielinnie - thank you for this. It had never been explained like that to me before, and now it makes perfect sense. Backup is in progress, and it’s Encrypted!

Thank you!

I’ve been playing with zfs replicating both unencrypted and encrypted datasets to a pool with an encrypted root dataset. It has been strange and I don’t understand it yet, but my takeaway thus far is - after the job completes, test the target data thoroughly! Lock and unlock those datasets to make sure you can access them. I’ve had some that I can’t unlock and I don’t understand why. The options were confusing to me while setting up the replication job and I have a mix of unencrypted, unlocked, unlocked by ancestor, and locked which I can’t open. :sweat_smile:
I will also take the advice of using passphrase instead of key files!
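
A shell check for the state of the destination datasets after the replication task has run, added here as an example and not part of the original thread. It parses the tab-separated output of `zfs get -H -r -o name,property,value encryption,keyformat,keystatus backup`; the `audit_backup` and `sample_zfs_get` names and the sample lines are constructed for illustration, and only `backup` and `backup/myfiles` come from the posts above.

```shell
#!/bin/sh
# Added example (not from the thread): audit a backup pool after replication.
# Real input would come from:
#   zfs get -H -r -o name,property,value encryption,keyformat,keystatus backup

# $1 = root dataset that is left unencrypted on purpose ("backup" in the thread).
audit_backup() {
    awk -F '\t' -v root="$1" '
        {
            prop[$1, $2] = $3
            if (!($1 in seen)) { seen[$1] = 1; order[++n] = $1 }
        }
        END {
            for (i = 1; i <= n; i++) {
                ds = order[i]
                if (ds == root) continue          # unencrypted by design
                if (prop[ds, "encryption"] == "off")
                    print "UNENCRYPTED " ds       # readable on a stolen drive
                else if (prop[ds, "keyformat"] != "passphrase")
                    print "KEYFILE " ds " (keyformat=" prop[ds, "keyformat"] ")"
                else
                    print "OK " ds " (keystatus=" prop[ds, "keystatus"] ")"
            }
        }'
}

# Constructed sample of `zfs get -H` output (name, property, value per line).
sample_zfs_get() {
    printf '%s\t%s\t%s\n' \
        backup                encryption off \
        backup                keyformat  none \
        backup                keystatus  - \
        backup/myfiles        encryption aes-256-gcm \
        backup/myfiles        keyformat  passphrase \
        backup/myfiles        keystatus  unavailable \
        backup/myfiles/photos encryption aes-256-gcm \
        backup/myfiles/photos keyformat  passphrase \
        backup/myfiles/photos keystatus  unavailable \
        backup/scratch        encryption off \
        backup/scratch        keyformat  none \
        backup/scratch        keystatus  - \
        backup/old            encryption aes-256-gcm \
        backup/old            keyformat  hex \
        backup/old            keystatus  available
}

sample_zfs_get | audit_backup backup
```

An `OK` line only reports the properties; it does not replace locking and unlocking the dataset with the passphrase before the drive goes offsite.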