Beginner Questions on Encryption

thomas-hn

Explorer
Joined
Aug 2, 2020
Messages
82
Hello,

regarding the encryption of datasets in TrueNAS I already read a lot of posts here in the forum. Nevertheless, there are still some points I have not fully understood, yet.

The main goals for me are:
  • Having the possibility to return HDDs and SSDs in case of warranty without any concerns about the data on them.
  • Having the data on the "main dataset" be secured, even in case of theft of the server.
Therefore, I plan to:
  • Having an SSD boot pool.
  • Having an HDD data pool.
    • Encrypting the HDD data pool via Key.
  • Placing the System Dataset onto the HDD data pool (that the system dataset inherits the encryption).
    • Ensures that no one can access the metadata on the system dataset in case of warranty return of an HDD.
    • Ensures that the SSD is not stressed too much by the System dataset writes.
  • Placing my real data into a dataset below the HDD data pool and encrypting it via Passphrase.
    • Even on theft of the server the data will be secure.
Question 1)
If there is the HDD data pool encrypted via Key and below it there is a dataset encrypted via Passphrase, will we have a double encryption in this case or is the dataset below only encrypted via Passphrase, completely independent of its parent?

Question 2)
With this setup the Keys of the encryption are still stored unsecured on the SSD boot pool.
Is it possible to locate the keys instead on an attached USB thumb drive?
This would allow me to easily return even the SSDs in case of warranty without worrying about the Keys.
As the keys are only read and not written regularly, the USB thumb drive should last a long time, and even if it fails it is less expensive to throw the thumb drive away instead of an SSD.

Question 3)
Is it possible with the latest TrueNAS versions to encrypt the boot pool via passphrase?
Meaning, that the system can only start-up after entering the correct password, similar to Bitlocker.

Question 4)
The ZFS encryption does not hide/encrypt/obfuscate the names of datasets and snapshots.
Does this mean that all dataset names of the following example are open to everyone or will the name 'foobar' only be visible after unlocking 'mydata'?
  • root dataset (keybased encryption)
    • mydata (passphrase 1 encryption)
      • foobar (passphrase 2 encryption)
Question 5)
Even if the question is not directly allocated to encryption:
Would it be fine to locate the System Dataset on an Enterprise SSD or should SSDs be avoided in all cases?

Thanks a lot,

Thomas
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,994
Question 1) as far as I'm aware, a pool gets one encryption method not multiple. I thought I read that in the User Guide, maybe not.
Question 2) The key is encrypted in file 'pwenc_secret'. The key must be in a specific location on the boot drive as far as I'm aware.
Question 3) Not that I'm aware but I don't know encryption well, I'm just dabbling in it now.
Question 4) I don't know.
Question 5) A SSD is preferred over USB Flash Drive.

I would recommend that you grab a copy of VMWare Workstation (Free) and create different versions of TrueNAS, experiment. This is exactly what I do when I need to understand something. And I can destroy it when done.
Joined
Oct 22, 2019
Messages
3,641
Question 1) as far as I'm aware, a pool gets one encryption method not multiple. I thought I read that in the User Guide, maybe not.
It's actually one encryption master key per dataset. (And hence one decrypt/encrypt process. Encryption of child datasets doesn't get "nested" with multiple layers.)


Is it possible with the latest TrueNAS versions to encrypt the boot pool via passphrase?
I believe it's possible with vanilla FreeBSD / ZFS, in the same light that it's possible with Linux and LUKS. It requires partitioning a non-encrypted space on the boot drive, with just enough to unlock and access the entire OS and boot-pool. Not possible (well, not "supported") with TrueNAS. You'll just end up breaking your system.



The ZFS encryption does not hide/encrypt/obfuscate the names of datasets and snapshots.
Does this mean that all dataset names of the following example are open to everyone or will the name 'foobar' only be visible after unlocking 'mydata'?
Everything available to the zpool and zfs commands is available, even when all datasets are "locked".

It doesn't matter how far "down" a child dataset is in the hierarchy.
 

thomas-hn

Explorer
Joined
Aug 2, 2020
Messages
82
Thank you very much so far :smile:. This helped me a lot in my understanding of TrueNAS encryption.

At the moment, the following two points are still not fully clarified:

Question 2)
With this setup the Keys of the encryption are still stored unsecured on the SSD boot pool.
Is it possible to locate the keys instead on an attached USB thumb drive?
This would allow to easily return even the SSDs in case of warranty without worrying about the Keys.
As the keys are only read and not written regularly, the USB thumb drive should last a long time and even if it fails is it less expensive to throw the thumb drive away, instead of an SSD.

Question 5)
Even if the question is not directly allocated to encryption:
Would it be fine to locate the System Dataset on an Enterprise SSD or should SSDs be avoided in all cases and HDDs should be used?

Maybe, someone else here who has some knowledge on these two points?
 

Davvo

MVP
Joined
Jul 12, 2022
Messages
3,222
2) I don't think having just the keys on the USB drive is something supported by TN.
5) IIRC the system's dataset has to be on an unencrypted pool; besides that it's suggested to place the system's dataset on SSDs.

Wait for @winnielinnie, I know it sounds like a joke but on this forum he's one of the highest authorities regarding encryption. :tongue:
 

thomas-hn

Explorer
Joined
Aug 2, 2020
Messages
82
5) IIRC the system's dataset has to be on an unencrypted pool; beside that it's suggested to place the system's dataset on SSDs.

Will consumer SSDs be fine for this or does it need to be an Enterprise SSD for the System Dataset?
 
Joined
Oct 22, 2019
Messages
3,641
Wait for @winnielinnie, I know it sounds like a joke but on this forum he's one of the highest authorities regarding encryption. :tongue:
Encryption makey the data more not readable because it makey random scramble lol...! Use it to scramble data for bad people not to read it... but you can read it when you do good thing. Me likey how encryption workey lol.

Winnie The Encryption Expert signing out!



Is it possible to locate the keys instead on an attached USB thumb drive?
Possible with vanilla FreeBSD / ZFS, but not with TrueNAS Core. You can always finesse a custom way to do this, but it's not supported by TrueNAS as-an-appliance. In fact, TrueNAS is designed to have the System Dataset immediately available upon bootup. So if you store your key elsewhere, and for some reason the USB is not plugged in or has died, then important datasets which need to be available will not unlock at bootup. (It's also for this same reason why you cannot use a passphrase for the System Dataset nor its parent root dataset.)

The "keylocation" is the dataset's property that can do this. But what TrueNAS does is store an encrypted form of the key(s) in the freenas-v1.db database file, which it extracts and loads when you reboot.
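To make the two answers above concrete (one master key per encryption root rather than nested layers, and dataset names remaining visible while locked) together with the "keylocation" property just mentioned, here is an added example that is not from this thread or from TrueNAS. It summarises the output of `zfs get -H -o name,property,value -r encryption,keystatus,keylocation,encryptionroot <pool>` for a dataset tree like the one described in the thread. The pool name `tank`, the dataset names, the `file://` key path and the property values are constructed sample data, not output from a real system (TrueNAS manages the root key through its database, so a real box may show a different keylocation for the pool root).

```shell
#!/bin/sh
# Added example (not from the thread): summarise OpenZFS encryption properties.
# Input format: tab-separated lines "dataset<TAB>property<TAB>value", i.e. what
#   zfs get -H -o name,property,value -r \
#       encryption,keystatus,keylocation,encryptionroot tank
# prints. Everything below is CONSTRUCTED sample data; 'tank', the dataset
# names and the file:// key path are assumptions for illustration only.
sample_output() {
    printf 'tank\tencryption\taes-256-gcm\n'
    printf 'tank\tkeystatus\tavailable\n'
    printf 'tank\tkeylocation\tfile:///root/keys/tank.key\n'
    printf 'tank\tencryptionroot\ttank\n'
    # System dataset: no key of its own, inherits the pool root's key (unlocked at boot).
    printf 'tank/.system\tencryption\taes-256-gcm\n'
    printf 'tank/.system\tkeystatus\tavailable\n'
    printf 'tank/.system\tkeylocation\tnone\n'
    printf 'tank/.system\tencryptionroot\ttank\n'
    # Passphrase-protected dataset: its own encryption root, still locked.
    printf 'tank/mydata\tencryption\taes-256-gcm\n'
    printf 'tank/mydata\tkeystatus\tunavailable\n'
    printf 'tank/mydata\tkeylocation\tprompt\n'
    printf 'tank/mydata\tencryptionroot\ttank/mydata\n'
    # Child with its own passphrase: a separate root, not a second layer on top of mydata.
    printf 'tank/mydata/foobar\tencryption\taes-256-gcm\n'
    printf 'tank/mydata/foobar\tkeystatus\tunavailable\n'
    printf 'tank/mydata/foobar\tkeylocation\tprompt\n'
    printf 'tank/mydata/foobar\tencryptionroot\ttank/mydata/foobar\n'
    # Child without its own key: shares mydata's master key and lock state.
    printf 'tank/mydata/photos\tencryption\taes-256-gcm\n'
    printf 'tank/mydata/photos\tkeystatus\tunavailable\n'
    printf 'tank/mydata/photos\tkeylocation\tnone\n'
    printf 'tank/mydata/photos\tencryptionroot\ttank/mydata\n'
}

# Distinct encryption roots, one line each. Each root has exactly one master
# key; a child that is its own root is a different key, not "double encryption".
encryption_roots() {
    awk -F'\t' '$2 == "encryptionroot" && !seen[$3]++ { print $3 }'
}

# Datasets whose key is not loaded. Their names are still listed: locking
# protects contents, not the dataset hierarchy (Question 4).
locked_datasets() {
    awk -F'\t' '$2 == "keystatus" && $3 == "unavailable" { print $1 }'
}

# How each dataset obtains its key: "file", "prompt" (passphrase typed in),
# or "inherits <root>" when the dataset is not its own encryption root.
key_sources() {
    awk -F'\t' '
        $2 == "keylocation"    { loc[$1] = $3 }
        $2 == "encryptionroot" { root[$1] = $3; order[++n] = $1 }
        END {
            for (i = 1; i <= n; i++) {
                d = order[i]
                if (root[d] != d)           printf "%s\tinherits %s\n", d, root[d]
                else if (loc[d] ~ /^file:/) printf "%s\tfile\n", d
                else                        printf "%s\t%s\n", d, loc[d]
            }
        }'
}

# Report on the constructed sample; pipe real 'zfs get -H' output instead.
echo "Encryption roots (independent master keys):"; sample_output | encryption_roots
echo "Locked datasets (names visible, contents not):"; sample_output | locked_datasets
echo "Key source per dataset:"; sample_output | key_sources
```

Run it as-is to see the report for the sample tree; on a real system replace `sample_output |` with the `zfs get -H ...` command shown in the comments. The `key_sources` column is the useful one when planning unlock-at-boot: anything that is `file` or `inherits` a file-keyed root can come up unattended, while `prompt` roots and everything that inherits them stay locked until the passphrase is entered.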

NugentS

MVP
Joined
Apr 16, 2020
Messages
2,947
Consumer is fine.
 

thomas-hn

Explorer
Joined
Aug 2, 2020
Messages
82
After playing a bit with TrueNAS CORE running on a VM (just as a playground), I got some better feeling of all the stuff.
For my real setup I will:
  • Create a boot pool of SSDs.
  • Create a data pool of HDDs.
  • Encrypt the Data Pool via Key.
  • Locate the System Dataset on the Data Pool
    • The System Dataset will be accessible on system startup via the key that is located on the boot pool.
  • Locate my main dataset on the Data Pool, but encrypted with Passphrase.
    • Ensuring that my data is secure in case of theft of the server and in case of warranty return of any drives of my data pool.
    • I accept the drawback that I have to enter the passphrase manually on each server startup.
My thoughts:
  • In case an HDD fails, I can return it for warranty without having any fear about my data (because it is encrypted via the passphrase).
  • In case an SSD fails, I can return it for warranty without having any fear about my data if I change the Key of my Data Pool, afterwards (everyone using the key on my warranty returned SSD will not be able to use it to access my Data Pool, afterwards. So all data, including the System Dataset are secure).
  • Could you please check my thoughts above and agree or disagree on them?

The point I still have concerns about is the case that the whole server is stolen. In this case the thief will not be able to access my data (because it is encrypted via the passphrase), but the thief could access my System Dataset.
  • What critical data could be extracted by an attacker in this case? Is it only the names of pools, datasets and logfiles or anything else?
  • What critical parts could be extracted from the logs? I assume they could be really detailed and give insights on the stored data.
  • Is there any possibility to secure the content of the System Dataset in case of theft of the whole server? (a private server is not protected as good as in a big company, but the data might have the same importance to the owner)
  • How do you name your pools and datasets to not give details to an attacker that gets access to the System Dataset?
 

Davvo

MVP
Joined
Jul 12, 2022
Messages
3,222
The point I still have concerns about is the case that the whole server is stolen.
  • What critical data could be extracted by an attacker in this case? Is it only the names of pools, datasets and logfiles or anything else?
  • What critical parts could be extracted from the logs? I assume they could be really detailed and give insights on the stored data.
  • Is there any possibility to secure the content of the System Dataset in case of theft of the whole server? (a private server is not protected as good as in a big company, but the data might have the same importance to the owner)
  • How do you name your pools and datasets to not give details to an attacker that gets access to the System Dataset?
If a thief enters my house I doubt they will be interested in my heavy server under the desk; if someone is physically targeting your specific data, you shouldn't keep them at home.
I think that SED is what you need for the kind of protection you want: afaik if your boot drive is a Self-Encrypting Drive you have to unlock it in order to boot the system; there is a very informative thread about SED and encryption somewhere in the forum, maybe in the archived General Help section.

However dealing with a threat level of this type is beyond standard "home user" procedure and might require additional hardware and configuration (ie using TPM).

thomas-hn

Explorer
Joined
Aug 2, 2020
Messages
82
I think that SED is what you need for the kind of protection you want: afaik if your boot drive is a Self-Encrypting Drive you have to unlock it in order to boot the system; there is a very informative thread about SED and encryption somewhere in the forum, maybe in the archived General Help section.
If the boot drives are SED encrypted, how is the passphrase entered during boot? Which part of software will take care about it? As TrueNAS cannot start if the boot drive is encrypted, will the (UEFI-)BIOS ask for the SED passphrase to unlock the drives?

And does someone here know how SED encrypted drives will behave if I simply move them to another system to use them there for storage? Could the drives simply be partitioned/formatted on the new system or will the password be needed to generally access them? (just to understand SED)
 

Davvo

MVP
Joined
Jul 12, 2022
Messages
3,222
If the boot drives are SED encrypted, how is the passphrase entered during boot?
IIRC, and it's a big IIRC, you have to manually enter it in the system (NOT the WebUI) at every startup.

And does someone here know how SED encrypted drives will behave if I simply move them to another system to use them there for storage? Could the drives simply be partitioned/formatted on the new system or will the password be needed to generally access them? (just to understand SED)
IIRC, and again it's a big IIRC, without the "passphrase" (it's not really a passphrase) you cannot access the drives. But it depends on the SED itself since there are different levels of compliance (more correctly, there are different specifications).