ZFS dataset encryption keys or passphrase?

So I’ve only recently started playing around with dataset encryption, and it seems there are two ways: with keys or with a passphrase. The issue I see with keys is that by default they are stored on the system and automatically unlock the dataset at boot, meaning if your entire system was stolen then the thief would have access to all your data. Therefore it seems to me that a passphrase is the only viable option, or am I missing something here?

IMHO you are not. There is one scenario where keys are useful, though. If you are not addressing potential theft but need all services to start automatically, encrypting with a key means you can throw defective drives in the bin without worrying about secure erasure - which might not even be possible anymore.

2 Likes

Who are you looking to protect yourself against?
Someone picking it up and walking away? Sure, a passphrase can offer some protection in that case. Unless they also take your laptop where you saved the password. A state actor should probably be assumed to be able to get in either way.

Keys help with individual drive swaps, RMAs, and such. The system dataset holds the keys.

1 Like

Yes. This seems to me like the most likely reason to use encryption at rest, as most storage servers are never at rest unless they are being carried out of the data centre.

It is unlocked, but how does said thief actually get the data? They are not logged in, and for any shares they would need to know the password. Not to mention they are a thief, likely not a TrueNAS user.

  1. Connect a monitor
  2. Connect a keyboard
  3. Press power and wait for the boot to finish
  4. Press 7 for a root shell
  5. Bob’s your uncle

With that in mind I am fine with key-based encryption for my home use. Perhaps a datacentre tech needs to prioritise differently.

2 Likes

Sure, IF they had any clue what they were doing with TrueNAS (which is why I said “Not to mention they are a thief, likely not a TrueNAS user.”). For me, not a risk; I don’t even have a port to connect a console to in the server. But I agree a datacentre may feel otherwise. Also, that can be disabled with the show text console setting (and mine is).

1 Like

Many thanks for all the feedback.

We are seeing more and more in our organisation the requirement for data to be encrypted at rest, hence why I’m going through this process. Often the people / organisations requesting this don’t fully understand what it means practically; however, it’s a box-ticking exercise. It seems to me that if you are trying to cover all bases then passphrase encryption is the way to go: essentially encrypt a parent dataset with one strong passphrase, and then all other sub-datasets fall within that encryption umbrella.

The downside to this is the manual unlocking of datasets after reboot (and on the replica target), but we will just have to work with that; reboots don’t happen all that often and are 99% of the time managed through system updates etc.
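
As an added example (not from any poster in this thread): a small POSIX shell helper for the manual-unlock step after a reboot or on the replica target. It parses the tab-separated output of `zfs get -H -r -o name,property,value keystatus,encryptionroot <pool>` and lists which datasets are still locked and which single encryption root (the passphrase-encrypted parent) unlocks them. The sample output embedded below is constructed; the pool and dataset names in it are hypothetical.

```shell
#!/bin/sh
# Report encrypted datasets whose keys are not loaded, and the encryption
# root that unlocks each of them.
# Live usage:
#   zfs get -H -r -o name,property,value keystatus,encryptionroot tank | locked_report
#   zfs get -H -r -o name,property,value keystatus,encryptionroot tank | roots_to_unlock
# Unencrypted datasets report keystatus "none" and encryptionroot "-".

# CONSTRUCTED sample in the same tab-separated format that `zfs get -H` emits.
# "tank/secure" is a passphrase-encrypted parent; its children inherit it as
# their encryption root. "tank/keyfile" uses a stored key and is already open.
sample_output() {
    printf 'tank\tkeystatus\tnone\n'
    printf 'tank\tencryptionroot\t-\n'
    printf 'tank/secure\tkeystatus\tunavailable\n'
    printf 'tank/secure\tencryptionroot\ttank/secure\n'
    printf 'tank/secure/docs\tkeystatus\tunavailable\n'
    printf 'tank/secure/docs\tencryptionroot\ttank/secure\n'
    printf 'tank/secure/media\tkeystatus\tunavailable\n'
    printf 'tank/secure/media\tencryptionroot\ttank/secure\n'
    printf 'tank/keyfile\tkeystatus\tavailable\n'
    printf 'tank/keyfile\tencryptionroot\ttank/keyfile\n'
}

# Reads "name<TAB>property<TAB>value" lines on stdin.
# Prints "<dataset> <encryptionroot>" for every dataset whose key is unavailable.
locked_report() {
    awk -F'\t' '
        $2 == "keystatus"      { status[$1] = $3 }
        $2 == "encryptionroot" { root[$1]   = $3 }
        END {
            for (d in status)
                if (status[d] == "unavailable")
                    print d, root[d]
        }' | LC_ALL=C sort
}

# Prints the distinct encryption roots that still need their key loaded.
# One `zfs load-key -r <root>` (then `zfs mount -a`) per line unlocks the subtree.
roots_to_unlock() {
    locked_report | awk '{ print $2 }' | LC_ALL=C sort -u
}
```

Running `sample_output | roots_to_unlock` yields just `tank/secure`, showing that one passphrase prompt covers the whole umbrella described above.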

I suppose in your organization that is best. Encryption is also good if you ever get rid of drives as they cannot then be decrypted.