Hello,
I’ve wanted to upgrade my unencrypted pool to encrypted and I have two TrueNAS systems. I was wondering if the steps I outlined below would work to do this. Has anyone done this before? Is there anything here that I’m missing?
My plan to implement encryption. Note that everything on the unencrypted pool (A) is a dataset. I have no zvols. I’d create an encrypted pool on TrueNAS (B) then do a “Full Filesystem Replication” and “inherit encryption” replication task from my unencrypted pool (A) to my encrypted pool (B). I’d do a sanity check that the data is intact and then delete my unencrypted pool on (A).
I’d create a new encrypted pool on (A) and then create a replication task on the encrypted system (B) also with “Full Filesystem Replication” and “inherit encryption” enabled to replicate to the newly created encrypted pool on (A). I’d export and save each pools unique key.
Would this work to enable encryption on a previously unencrypted pool?
This method produces two separate keys on each TrueNAS which I can change to be the same key if i wanted in the GUI tools
Thanks for the help,
Max
What does your setup look like right now?
Do you have a root dataset on Pool A where children are nested directly beneath it? This is important.
If you’re not using a setup like this, then there’s extra consideration for the replications, if you want to maintain the same hierarchy and layout.
Sadly, the way ZFS was originally designed introduces some weird issues with replication. When a pool is created, it immediately creates a mandatory “root dataset” with the same name as the pool.
To add more flexibility, you can create “pseudo root datasets” underneath for easier management, especially when it comes to logical separation and replicating encrypted datasets.
Think of the “root dataset” as an empty extension of the pool itself, while the “pseudo root datasets” are glorified keychain holders. No files will be saved within.
Hello, there are a few things that I’m actually confused about and feel there are some inconsistencies with some terms in ZFS and terms in TrueNAS. I’m sorry if this feels pedantic, but I’d just like to make sure my understanding is correct.
When you first setup TrueNAS and create a “Pool”. You select Storage and then select the devices in storage to create vdev’s. This is where the pools live or rather by TrueNAS terms “Datasets”. These “Datasets” are actually Pools, correct? Please forgive me regarding my setup below this was my first TrueNAS configuration and I’m still learning.
Based on your question and my understanding of ZFS. Backup and main are both pools. SMB_general and Syncthing are both dataset’s and both root datasets. They have no children.
The way these are setup right now is that “main” is replicating to “backup”. You can see they share relatively the same size.
I plan to rename everything. The new encrypted pool will be “tank” (B), and I will keep everything under one pool. I’ll then delete both of these pools main and backup on (A). I’d create a new pool on (A) with a different name encrypted, and replicate from (B) → (A) once with the “Full Filesystem replication” and “inherit encryption” enabled. Then I will setup a replication task between (A) → (B). I want (A) to always be my primary NAS because it’s geographically closer to me.
No. Datasets are not pools.
Devices construct vdevs.
Vdevs construct pools.
Pools offer capacity (preferably with redundancy from redundant vdevs), which can offer logical filesystems called “datasets”.
A pool can be comprised of one vdev. It can also be comprised of multiple vdevs.
flowchart TD
style pool1 stroke:green,stroke-width:4px
style vdev1 stroke:green,stroke-width:2px
style vdev2 stroke:green,stroke-width:2px
hdd1[[8-TiB<br>HDD]]
hdd2[[8-TiB<br>HDD]]
hdd3[[8-TiB<br>HDD]]
hdd4[[8-TiB<br>HDD]]
vdev1((8-TiB<br>mirror vdev))
vdev2((8-TiB<br>mirror vdev))
pool1[(16-TiB pool)]
ds1{dataset}
ds2{dataset}
ds3{dataset}
ds4{dataset}
hdd1 === vdev1
hdd2 === vdev1
hdd3 === vdev2
hdd4 === vdev2
vdev1 === pool1
vdev2 === pool1
pool1 -..- ds1
pool1 -..- ds2
pool1 -..- ds3
pool1 -..- ds4
I’m talking about the menu selection Datasets, and not the “Add Dataset” button. I understand that a Dataset is for an SMB share or something that acts like a fileystem. The Datasets selection in the left menu is a Pool, right?
So, in this image below the Pool is called “Tank”?
This is why I think the original design for ZFS was a mistake.
That thing in your screenshot is the “root dataset”. The root dataset is still a dataset. It is also named the same as the pool itself.
EDIT: To better help understand. In the command-line, any commands that start with zfs deal with datasets (and zvols and snapshots). Any commands that start with zpool deal with pools (and vdevs).
In the GUI, you only deal with datasets under the “Datasets” section.
1 Like
Hello, here is a text diagram of what I plan to do to upgrade my encryption and then implement the pseudo roots moving forward. I read through a lot of your past posts, thank you for sharing your knowledge! I was able to extrapolate the below diagram from your recommendations. I wasn’t sure of the implications of an un-encrypted true root dataset. Is it generally better to have your default true root dataset un-encrypted? I saw you mentioned it in one of your posts.
With each of these replication tasks do I need to tick the inherit encryption of the other one?
Does this plan look sound?
#—————————STAGE 0—————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————
SITE A - This is the current state of SITE A | SITE B - This is the current state of SITE B
|
Main <----- TRUE-ROOT - NOT ENCRYPTED | SiteB-TrueRoot <----- TRUE-ROOT - NOT ENCRYPTED
│ | │
├── SMB_General <---DELETE | ├── SiteB-NVMEStrg <-- PSEUDO-ROOT ENCRYPTED NO DATA HERE
├── Syncthing <---DELETE | │ ├── SiteB-VMStorage <-- ZVOL DATA HERE
│ | │ ├── SiteB-Misc. <-- ZVOL DATA HERE
│ | │ └── SiteB-Misc. <-- ZVOL DATA HERE
│ | │
│ | └── SiteB-SSD2TB <-- PSEUDO-ROOT ENCRYPTED NO DATA HERE
├── SMB_General (NOT ENCRYPTED) >--------------REPLICATION-STAGE0-----------------------|------> ├── SiteB-SMB <-- DATA HERE SMB
├── Syncthing (NOT ENCRYPTED) >--------------REPLICATION-STAGE0-----------------------|------> └── SiteB-Syncthing <-- DATA HERE
|
#—————————STAGE 1——————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————
SITE A - Rebuild | Site B - replication TASK from zvols to SITE A and recovery of Encrypted Data to Site A
|
SiteA-RealRoot <----- TRUE-ROOT - NOT ENCRYPTED | SiteB-RealRoot <----- TRUE-ROOT - NOT ENCRYPTED
│ | │
├── SiteA-SSD500gb <-- PSEUDO-ROOT ENCRYPTED NO DATA HERE <-----REPLICATION-STAGE1----|--<├── SiteB-NVMEStrg <-- PSEUDO-ROOT ENCRYPTED NO DATA HERE
│ ├── SiteA-VMStorage <-- ZVOL DATA HERE | │ ├── SiteB-VMStorage <-- ZVOL DATA HERE
│ ├── SiteA-Misc. <-- ZVOL DATA HERE | │ ├── SiteB-Misc. <-- ZVOL DATA HERE
│ └── SiteA-Misc. <-- ZVOL DATA HERE | │ └── SiteB-Misc. <-- ZVOL DATA HERE
│ | │
└── SiteA-SSD1TB <-- PSEUDO-ROOT ENCRYPTED NO DATA HERE <-----REPLICATION-STAGE1----|--<└── SiteB-SSD2TB <-- PSEUDO-ROOT ENCRYPTED NO DATA HERE
├── SiteA-SMB <-- DATA HERE SMB | ├── SiteB-SMB <-- DATA HERE SMB
└── SiteA-Syncthing <-- DATA HERE | └── SiteB-Syncthing <-- DATA HERE
|
#—————————STAGE 2——————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————
SITE A - The final form | SITE B - The final form
|
SiteA-RealRoot <----- TRUE-ROOT - NOT ENCRYPTED | SiteB-RealRoot <----- TRUE-ROOT - NOT ENCRYPTED
│ | │
├── SiteA-SSD500gb <-- PSEUDO ROOT ENCRYPTED NO DATA HERE <----REPLICATION-STAGE2---|--<├── SiteB-NVMEStrg <-- PSEUDO-ROOT ENCRYPTED NO DATA HERE
│ ├── SiteA-VMStorage <-- ZVOL DATA HERE | │ ├── SiteB-VMStorage <-- ZVOL DATA HERE
│ ├── SiteA-Misc. <-- ZVOL DATA HERE | │ ├── SiteB-Misc. <-- ZVOL DATA HERE
│ └── SiteA-Misc. <-- ZVOL DATA HERE | │ └── SiteB-Misc. <-- ZVOL DATA HERE
│ | │
└── SiteA-SSD1TB <-- PSEUDO-ROOT ENCRYPTED NO DATA HERE >-----REPLICATION-STAGE2--|-->└── SiteB-SSD2TB <-- PSEUDO-ROOT ENCRYPTED NO DATA HERE
├── SiteA-SMB <-- DATA HERE SMB | ├── SiteB-SMB <-- DATA HERE SMB
└── SiteA-Syncthing <-- DATA HERE | └── SiteB-Syncthing <-- DATA HERE
|
I think so? I’m confused by Stage 2. Why are you going in the opposite direction for SiteA-SSD1TB → SiteB-SSD2TB ? It already exists on Site B.
The names also seem odd. “SSD” and “XTB” make it seem like you’re dealing with separate pools of particular devices. Why is a “size” in the name of the datasets?
For TrueNAS? Yes, yes, yes, yes, and yes. It will ave you a future of headaches.
The only caveat is that your System Dataset (.system) and Apps dataset (ix-virt, ix-apps) will be unencrypted.
What do you mean by this? Are you referring to after the one-time migration replication completes?
