Problem/Justification
(What is the problem you are trying to solve with this feature/improvement or why should it be considered?)

Encryption keys for datasets are stored effectively in plaintext on disk. I am aware of /data/pwenc_secret, but as it sits unencrypted on disk, everything it protects is also effectively unencrypted.

Physical access to the machine running TrueNAS means attackers can trivially extract all data in datasets that are protected by TrueNAS encryption keys (instead of passphrases). This includes everything else that /data/pwenc_secret protects, like cloud credentials for off-site backup.

I understand why: the goal is for TrueNAS to automatically unlock datasets that use encryption keys on reboot. But there’s a more secure way to achieve that goal, and it’s TPM encryption. Using the TPM to encrypt /data/pwenc_secret would require extracting secrets from the TPM and that’s MUCH harder than just reading the contents the boot drive and would still allow opening all encryption key datasets automatically on reboot.

Coupled with:

• Show Text Console without Password Prompt: disabled in TrueNAS Advanced Settings
• SecureBoot support
• TPM enrollment with PCRs, probably 7, 9 and 11 (see systemd-cryptenroll man page)

And the system would be significantly more secure against physical access to the host machine. Attackers could not load a malicious kernel to access data (due to TPM PCRs and SecureBoot). The web interface and physical console access are protected by the user’s login password. SSH access is protected by SSH keys. NFS shares are protected by Kerberos (if set up), etc.

The only way to access the data in the secure partition would be through either:

• Extraction of secrets stored in the TPM. Only NSA-level attackers posses that capability which is outside of most people’s threat model.
• Extraction of decrypted data from the RAM modules after reboot while the system is running. This requires significant electrical engineering expertise and equipment; same thing as above, attackers that can overcome this are outside of most people’s threat model.
• Zero-day exploits in TrueNAS network services, but that’s par-for-the-course.

Why not just use dataset encryption passphrases?
Two reasons:

• You have to provide it after every TrueNAS reboot (power loss events).
• Does not protect cloud credentials stored in TrueNAS.

Impact
(How is this feature going to impact all TrueNAS users? What are the benefits and advantages? Are there disadvantages?)

Every TrueNAS user would benefit from significantly more secure data. Datasets encrypted with encryption keys and cloud credentials would be reasonably secure from physical access to the host.

Users using passphrases to encrypt datasets could switch to using encryption keys and benefit from automatic unlock after power loss.

User Story
(Please give a short description on how you envision some user taking advantage of this feature, what are the steps a user will follow to accomplish it)

The user installs TrueNAS. The installer detects a TPM is available (modern Intel and AMD CPUs have a TPM on-die) and creates a secure partition (see Implementation Overview below) to store /data/pwenc_secret. On Debian, cryptsetup and cryptsetup-initramfs (or systemd-cryptsetup) automatically unlock the partition by reading /etc/crypttab during the initramfs stage.

The user’s datasets that use encryption keys and any cloud credentials provided to TrueNAS are kept reasonably secure from physical access to the host.

Implementation Overview

Since TrueNAS is based on Debian, this is reasonably simple to implement. systemd-cryptenroll natively supports TPM2 key enrollment (with --tpm2-device=auto). systemd-repart—if configured and called during the TrueNAS install process—can even call it automatically.

Here’s a high-level implementation overview:

• During TrueNAS installation, the installer would create a small partition on the boot drive to store /data/pwenc_secret and any other sensitive OS (non-user) data. That partition would be LUKS encrypted.

Example of a systemd-repart config file for that partition:

Label=keystorage
Type=linux-generic
# Small, 10 MB partition for just keys. Could be much smaller.
SizeMinBytes=10M
SizeMaxBytes=10M
# Automatically calls `systemd-cryptenroll --tpm2-device=auto`
Encrypt=tpm2
# This causes systemd-repart to write out an /etc/crypttab; 
# use `--generate-crypttab=`
EncryptedVolume=keystorage:none:luks,discard
# Specify where this partition gets mounted;
# use `--generate-fstab=`
MountPoint=/keystorage

Install cryptsetup and cryptsetup-initramfs Debian packages to get unlock during the initramfs stage.

Relevant man pages

After installing the necessary packages, I recommend reading the following man pages:

• man systemd-cryptenroll
• man systemd-repart
• man repart.d
• man crypttab
• man cryptsetup
• man systemd-cryptsetup
• man systemd-cryptsetup-generator

How would this impact a system which does not have TPM2 ?

When I open the file /data/pwenc_secret it looks encrypted to me, but this part of computing is not something I’m very familiar with.

pwenc_secret is the key needed to decipher certain entries in the freenas-v1.db database. If you have both, it’s trivial to retrieve someone’s encrypted dataset keystrings.

Does this also apply to the passphrase/prompt case?

No. Passphrases are not saved and must be entered every time to unlock the dataset.

This idea of storing the dataset keystrings on a plain, unencrypted boot-pool, protected only by another key that is also stored in the same directory, is a TrueNAS thing.

It’s designed like this so that your datasets automatically unlock after each reboot.

You might ask: “Why can’t we choose which datasets are automatically unlocked at boot? This way we don’t need to store the encryption keys on a plain boot-pool?”

Good question.

Nah, I don’t care .

Yup, I had a bit of a double-take when I saw that…

It’s actually even more concerning that I described. Hold tight:

• You are using a passphrase protected dataset that has to be manually unlocked after every reboot. You’re good, right?
• Ha, no. If you care about that data enough to encrypt it, you also likely care enough to have off-site backup set up for it. Let’s say you’re using TrueNAS’s Cloud Sync feature.
• Where are the credentials for that Cloud Sync you entered stored? In /data/factory-v1.db. It doesn’t matter if those credentials are “encrypted” with /data/pwenc_secret, that file is in plaintext on disk.
• If somebody gets physical access to your TrueNAS machine (perhaps quietly, while you are away from it), they can trivially read /data/pwenc_secret, then get whatever they want from /data/factory-v1.db, including your cloud credentials and read your cloud backups.
• “But I encrypt my backups!” Great! Where do you think that backup encryption key is stored? In /data/factory-v1.db, of course!

Anyone with physical access to your FreeNAS machine can access all data that is backed up with Cloud Sync, no matter how it is encrypted in FreeNAS (key or passphrase), even if you tell Cloud Sync to encrypt the data before uploading it (that password is also trivially accessible).

So no, passphrase-based encryption does not protect your data if you use Cloud Sync.

All of this is defeated with TPM key storage (modulo nation-state attackers), which really isn’t that hard.

The key in /data/pwenc_secret is randomly generated data, but it is not encrypted.

I don’t know what to say other than I agree. Unfortunately, I don’t think iX will accept this request. It requires a rehaul of how to handle the boot process and it might creep too closely to their “enterprise exclusive” features.

There is a typo in your reply. The file you’re referring to is freenas-v1.db, not factory-v1.db.

Correct, I copy-pasted the wrong filename. I don’t have edit rights yet so I can’t edit my post to fix it.

Look what I found… from over 6 years ago.

Sure, your encrypted dataset keystrings and cloud credentials can be retrieved by someone that has physical access to your boot drive or server, including theft.

This can easily be mitigated by using an industry-standard security protocol.

Wonderful.

Well I guess it’s time to manually set up OpenZFS on Debian + rclone. Yay, more work…