Hello,
regarding the encryption of datasets in TrueNAS I already read a lot of posts here in the forum. Nevertheless,there are still some points I have not fully understood, yet.
The main goals for me are:
If there is the HDD data pool encrypted via Key and below it there is a dataset encrypted via Passphrase, will we have a double encryption in this case or is the dataset below only encrypted via Passphrase, completely independent of its parent?
Question 2)
With this setup the Keys of the encryption are still stored unsecured on the SSD boot pool.
Is it possible to locate the keys instead on an attached USB thumb drive?
This would allow to easily return even the SSDs in case of warranty without worrying about the Keys.
As the keys are only read and not written regularly, the USB thumb drive should last a long time and even if it fails is it less expensive to throw the thumb drive away, instead of an SSD.
Question 3)
Is it possible with the latest TrueNAS versions to encrypt the boot pool via passphrase?
Meaning, that the system can only start-up after entering the correct password, similar to Bitlocker.
Question 4)
The ZFS encryption does not hide/encrypt/obfuscate the names of datasets and snapshots.
Does this mean that all dataset names of the following example are open to everyone or will the name 'foobar' only be visible after unlocking 'mydata'?
Even if the question is not directly allocated to encryption:
Would it be fine to locate the System Dataset on an Enterprise SSD or should SSDs be avoided in all cases?
Thanks a lot,
Thomas
regarding the encryption of datasets in TrueNAS I already read a lot of posts here in the forum. Nevertheless,there are still some points I have not fully understood, yet.
The main goals for me are:
- Having the possibility to return HDDs and SSDs in case of warranty without any concerns about the data on them.
- Having the data on the "main dataset" be secured, even in case of theft of the server.
- Having an SSD boot pool.
- Having an HDD data pool.
- Encrypting the HDD data pool via Key.
- Placing the System Dataset onto the HDD data pool (that the system dataset inherits the encryption).
- Ensures that noone can access the metadata on the system dataset in case of warranty return of an HDD.
- Ensures that the SSD is not stressed too much by the System dataset writes.
- Placing my real data into a dataset below the HDD data pool and encrypting it via Passphrase.
- Even on theft of the server the data will be secure.
If there is the HDD data pool encrypted via Key and below it there is a dataset encrypted via Passphrase, will we have a double encryption in this case or is the dataset below only encrypted via Passphrase, completely independent of its parent?
Question 2)
With this setup the Keys of the encryption are still stored unsecured on the SSD boot pool.
Is it possible to locate the keys instead on an attached USB thumb drive?
This would allow to easily return even the SSDs in case of warranty without worrying about the Keys.
As the keys are only read and not written regularly, the USB thumb drive should last a long time and even if it fails is it less expensive to throw the thumb drive away, instead of an SSD.
Question 3)
Is it possible with the latest TrueNAS versions to encrypt the boot pool via passphrase?
Meaning, that the system can only start-up after entering the correct password, similar to Bitlocker.
Question 4)
The ZFS encryption does not hide/encrypt/obfuscate the names of datasets and snapshots.
Does this mean that all dataset names of the following example are open to everyone or will the name 'foobar' only be visible after unlocking 'mydata'?
- root dataset (keybased encryption)
- mydata (passphrase 1 encryption)
- foobar (passphrase 2 encryption)
- mydata (passphrase 1 encryption)
Even if the question is not directly allocated to encryption:
Would it be fine to locate the System Dataset on an Enterprise SSD or should SSDs be avoided in all cases?
Thanks a lot,
Thomas