Can I leave pass-phrase unset for an Encrypted pool?

Status
Not open for further replies.

perfopt

Dabbler
Joined
Dec 20, 2014
Messages
23
I read the user guide as well as the recommended thread on encryption [1,2] and I want to confirm that my understanding is correct:

The AES-key used by GELI to encrypt the disk is itself encrypted. The key used to encrypt the AES-key is a combination of a key file and a user provided pass-phrase. The key-file is stored in the fourth partition of the USB stick that FreeNAS is running out of.

The user pass-phrase, which will be used in conjunction with the key-file, to encrypt the AES-key is optional. If the pass-phrase is set then it has to be provided on reboot to unlock the pool when the machine is rebooted.

I shut down my home FreeNAS every night and boot up in the morning - saves power and I don't have to scramble at night when there is a power outage. So I would prefer not to set a pass-phrase.

I understand that this means if someone were to get physical access to my machine or to my disks AND USB stick the data can be decrypted.

So for changing drives or recovering from a bad upgrade etc., is it enough if I download the AES-key (using the download key option in the GUI volume manager section) and keep it safe (external to the NAS machine)?

[1] https://forums.freenas.org/index.php?threads/recover-encryption-key.16593/
[2] https://forums.freenas.org/index.ph...ks-from-single-freenas-primary-storage.17316/
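
The arrangement described in the post above, as an added example that is not part of the thread and is not GELI or FreeNAS code: a simplified Python model in which a wrapping key is derived from a key file plus an optional pass-phrase and used to protect the disk key. The function names, the XOR stand-in for the real cipher and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

TAG_LEN = 64  # HMAC-SHA512 output size

def derive_user_key(keyfile: bytes, passphrase: Optional[bytes] = None,
                    salt: bytes = b"", iterations: int = 50_000) -> bytes:
    """Combine the key file and the optional pass-phrase into one wrapping key."""
    mac = hmac.new(b"model-user-key", keyfile, hashlib.sha512)
    if passphrase is not None:
        # Stretch the pass-phrase so that guessing it is expensive.
        mac.update(hashlib.pbkdf2_hmac("sha512", passphrase, salt, iterations))
    return mac.digest()

def wrap_master_key(master: bytes, user_key: bytes) -> bytes:
    """Protect the disk (master) key. XOR stands in for the real cipher."""
    enc_key = hmac.new(user_key, b"enc", hashlib.sha512).digest()
    mac_key = hmac.new(user_key, b"mac", hashlib.sha512).digest()
    ct = bytes(m ^ k for m, k in zip(master, enc_key))
    return ct + hmac.new(mac_key, ct, hashlib.sha512).digest()

def unwrap_master_key(blob: bytes, user_key: bytes) -> Optional[bytes]:
    """Return the master key, or None when the wrapping key is wrong."""
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    enc_key = hmac.new(user_key, b"enc", hashlib.sha512).digest()
    mac_key = hmac.new(user_key, b"mac", hashlib.sha512).digest()
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha512).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, enc_key))

def demo() -> dict:
    keyfile = os.urandom(64)   # constructed stand-in for the stored key file
    master = os.urandom(64)    # constructed stand-in for the disk key
    salt = os.urandom(16)
    phrase = b"constructed pass-phrase"
    no_pass = wrap_master_key(master, derive_user_key(keyfile))
    with_pass = wrap_master_key(master, derive_user_key(keyfile, phrase, salt))
    return {
        "no_passphrase_keyfile_only": unwrap_master_key(no_pass, derive_user_key(keyfile)) == master,
        "passphrase_set_keyfile_only": unwrap_master_key(with_pass, derive_user_key(keyfile)) is not None,
        "passphrase_set_both": unwrap_master_key(with_pass, derive_user_key(keyfile, phrase, salt)) == master,
    }
```

In this model, a pool wrapped without a pass-phrase opens with the key file alone, so an off-box copy of that file is both the recovery path and the entire secret.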
 

depasseg

FreeNAS Replicant
Joined
Sep 16, 2014
Messages
2,874