Hi,
I am new to TrueNAS and currently setting up a simple DIY home server NAS.
The goal is to have a simple ZFS mirror and backup data to various sources, ZFS replication is one of these alternatives.
Native ZFS encryption sounds like a great and simple recipe to protect data in case of theft and/or disk warranty. But I am a bit worried after having read posts:
- Is native encryption ready for production use?
- ZFS on Linux → Encrypted ZFS Datasets (pve.proxmox.com)
It raised some questions:
1. Is ZFS encryption sufficiently “stable” for above usage scenario?
This should consider bare ZFS implementation and assume there are no user mistakes. To count as stable, the system should be recoverable without need for backup as minimal requirement.
2. Does TrueNAS mitigate or warn about buggy ZFS encryption configurations?
E.g. warnings in the GUI - or am I on my own here?
3. Regarding ZFS replication + encryption
From what I understand, encr. ZFS replication via zfs send/receive
or Syncoid is prone to errors. Does that mean, replicating the ZFS mirror to an offsite-backup damages the offsite-backup irreparably in worst case? Is this immediately apparant, and am I able to retry this replication, as the main mirror is still intact?
4. Regarding ZFS encryption + deduplication
We do not recommend using GELI or ZFS encryption with deduplication because of the sizable performance impact. (TrueNAS docs)
Hm, are there some measure to support the “sizable performance impact” statement? For me both encryption and deduplication are main selling factors for ZFS, so a bit sad to read that recommendation.
5. Unencrypted boot-pool data leaks
For encrypted data at rest, child datasets need to be encrypted with a passphrase, as keys are exposed in the unencrypted boot partition (see also here). Apparently some meta data is still stored in the unencrypted boot pool - is there a comprehensive list somewhere in the docs? If it’s only the names of datasets and snapshots, I am fine with that.
(6. Tips on using TrueNAS Core/Scale under Proxmox?)
I am thinking of installing Proxmox as host with ZFS and TrueNAS in a VM, passing through all SATA controllers. Optimally this could result in full-disk encryption of Proxmox host incl. VMs, headless pre-boot passphrase (Dropbear), and ZFS filesystem-encryption for all HDDs natively managed within TrueNAS VM. With this configuration I also could use ZFS dataset keys, as protected by outer layer encryption.
Sorry for these many questions - please don’t hesitate to answer a single one, so I can subsequently get more clarity on this topic. Thanks!