System Dataset Encryption?

Hi, I’m trying to understand how the encryption keys are saved on TrueNAS.

  1. If I use encryption keys to encrypt e.g. pool-1, those keys are then stored in the System Dataset, by default, on the boot-pool, right?

  2. If I were to move the System Dataset to encrypted pool-1, what would happen on boot? Complete brick? Or would it ask me to manually input the key?

  3. What do I gain by encrypting the System Dataset? I understood that on Scale, System Logs are on the boot-pool, and that cannot be changed (at the time of posting), but what else is on the System Dataset?

  4. Boot-pool encryption? Is this possible at all? I’m running TrueNAS as a VM on XCP-ng.

I figure it would be easiest to keep the System Dataset on an SSD (boot-pool), and just encrypt it completely, also blocking off access to any other encryption key. And yes, I am aware this would then require me inputting that key on every boot.

From there, if 4. is somehow possible, the ideal solution for the security oriented homelabber could be having a USB drive attached with the “main” key → System boots, using the “main” key decrypts the boot-pool, which then has decryption keys for all other drives.

I can then unplug the USB before leaving home, knowing that if I need to destroy it, my data would be safe with a simple power cycle.

Any other interesting ideas?

Very interesting thread.

I come from openmediavault where I am using LUKS for the system disks, unlocked by a USB stick. So what you ask for is easily possible with LUKS. PM me if you are interested. But now ZFS native encryption has advantages as well. But how to achieve system unlock at boot with ZFS native encryption?

Also, the TrueNAS default installer eating up the whole drive for the boot-pool is kind of stupid. In my current OMV setup, I have mdadm -> LUKS -> LVM. Everything is possible in this setup.

Best would be a mirrored, encrypted boot-pool with a passphrase, which then automatically unlocks all other datasets using a key sitting on the encrypted boot-pool.

How to achieve this?