Can I remove encryption?

Octopuss

Patron
Joined
Jan 4, 2019
Messages
461
I was an idiot when I installed the NAS and now I have to enter a password to unlock the pool every time I reboot the server, which is annoying.
Can the encryption be removed, or do I need to reinstall the whole TrueNAS?
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
You can make new unencrypted datasets, then rsync your content over, delete the originals and rename the new ones.
 

Octopuss

That assumes I have spare disks I guess, which I don't. So I need to back up the data and recreate the pool and redo all the permissions then?
 

sretalla

> That assumes I have spare disks I guess, which I don't.

No. You can do it all inside the pool you have already, assuming you have at least some free space... you may need to do one dataset at a time if you have issues with limited space, taking care to delete snapshots as you go deleting along the way.
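
The one-dataset-at-a-time approach from the posts above, as a dry-run planner. This is an added example, not part of the original thread: the pool name `tank`, the sizes, the `_plain` suffix, the `/mnt/<dataset>` mount path and the 10% reserve are assumptions, and it relies on the OpenZFS version in use allowing an `encryption=off` child under an encrypted root, as the post describes. Each dataset is checked against the same budget because destroying the original returns its space before the next copy starts.

```shell
#!/bin/sh
# Added example: dry-run planner for migrating encrypted datasets one at a time.
# stdin: output of `zfs list -Hp -o name,referenced,encryption`
#        (tab-separated, sizes in exact bytes).
# $1:    free bytes in the pool (`zfs get -Hp -o value available <pool>`).
# $2:    percent of free space to keep in reserve (assumed default: 10).
plan_migration() {
    awk -F '\t' -v avail="$1" -v pct="${2:-10}" '
        BEGIN { budget = avail * (100 - pct) / 100 }
        $3 == "off"          { next }                    # not encrypted, nothing to do
        index($1, "/") == 0  { print "ROOT\t" $1; next } # pool root keeps its encryption
        $2 + 0 <= budget     { print "OK\t" $1; next }   # rsync copy fits in free space
                             { print "TOO_BIG\t" $1 }    # free up space or split it first
    '
}

# Print (never run) the steps for one dataset. The "_plain" suffix and the
# /mnt/<dataset> mount path are assumptions; check your own mountpoints.
migration_commands() {
    ds=$1
    tmp="${ds}_plain"
    printf '%s\n' \
        "zfs create -o encryption=off $tmp" \
        "rsync -a /mnt/$ds/ /mnt/$tmp/" \
        "zfs destroy -r $ds   # -r also removes its snapshots and child datasets" \
        "zfs rename $tmp $ds"
}

# Constructed sample (hypothetical pool "tank"), not data from the thread.
SAMPLE=$(printf '%s\t%s\t%s\n' \
    tank        196608        aes-256-gcm \
    tank/media  6000000000000 aes-256-gcm \
    tank/backup 2000000000000 aes-256-gcm \
    tank/iso    500000000000  off)

printf '%s\n' "$SAMPLE" | plan_migration 4000000000000 10
migration_commands tank/backup
```

`rsync -a` keeps owners and mode bits but not ACLs, so ACLs set on the original dataset need to be checked on the copy before the `zfs destroy` step.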
 

Octopuss

Oh. Can I do all this from the GUI?
I have 33% free space in the pool. Is that enough?
 

Octopuss

Now that I'm looking at the storage window, it seems like there's no way to remove encryption from the pool itself, is there? Or does it automatically go away when I redo all the datasets within?
 

sretalla

> Oh. Can I do all this from the GUI?

Not really... if you wanted to, you could use tmux in the shell to do the rsync jobs.

> I have 33% free space in the pool. Is that enough?

I don't know... how much space is in encrypted datasets? how many of them are there and are they all the same size?

How big is your pool?

How have you done the passthrough to the VM (are you doing PCI passthrough for the whole LSI card?)?
 

sretalla

> it seems like there's no way to remove encryption from the pool itself, is there? Or does it automatically go away when I redo all the datasets within?

If you're talking about encryption of the pool root dataset (which was... and can only be... done at the time of pool creation), then yes, you're stuck with it.

You can change it to not be passphrase type, so it stores the key on your boot pool and auto-unlocks on boot though.
 

Octopuss

Ok, I better start backing up the data, lol. This looks way more complicated than I thought.
 

Octopuss

> If you're talking about encryption of the pool root dataset (which was... and can only be... done at the time of pool creation), then yes, you're stuck with it.
>
> You can change it to not be passphrase type, so it stores the key on your boot pool and auto-unlocks on boot though.

Ah ok.
That makes the encryption pretty much useless though, doesn't it?

Anyway, I think I will just write down all the permissions and parameters of the pool/datasets I have, and then just recreate them when I reinstall TrueNAS (I'll be moving away from ESXi so I need to redo everything anyway).
 

sretalla

> That makes the encryption pretty much useless though, doesn't it?

No.

There are IMHO questionable benefits to encryption in general on TrueNAS (or any system where you want to be able to start it without needing to enter passwords all over the place).

If your intention is to prevent somebody who has physical access to the server from getting at its contents, that means you too. (and you see already how much that sucks/blows, depending on your viewpoint).

If you want to be able to confidently dispose of a disk (or have it stolen without the rest of the server somehow) which was used in your pool that housed all your important (secret) data in an encrypted dataset, then there is indeed a purpose to key-based encryption, since it will prevent any chance of the person with that disk seeing any of your private data.

If you trust the physical security of your server enough and dispose of all your disks by destruction or military wipe, then there's no real point to encryption at a pool or dataset level.
 

Octopuss

Yup, I think there's no point in encryption in the case of a home media/backup server.

The only pain will be writing down all the configuration stuff. The TrueNAS itself's settings I can export, but the pool/datasets permissions suck to do.
 

sretalla

So if it makes more-or-less no difference, why not just turn it to key encryption then? (skipping all the messing around).
 

Octopuss

Hmm, I guess I could do that, but again, can I do this in the GUI? I vaguely remember I might have had it set up like that in the past, and had to provide the key upon every reboot manually anyway. Or I think so.
 

sretalla

> can I do this in the GUI?

You can switch encryption from Passphrase to key (and back again) in the GUI under Encryption options...

It's more-or-less described (although not very clearly) in this section of the documentation:

You can use the "Encryption Actions" option from the 3 dots to get to the right screen, then change the drop-down from Passphrase to Key... and then generate a key (and make sure you keep it somewhere in case you lose your boot pool).
 

rvassar

Guru
Joined
May 2, 2018
Messages
972
> No.
>
> There are IMHO questionable benefits to encryption in general on TrueNAS (or any system where you want to be able to start it without needing to enter passwords all over the place).
>
> If your intention is to prevent somebody who has physical access to the server from getting at its contents, that means you too. (and you see already how much that sucks/blows, depending on your viewpoint).
>
> If you want to be able to confidently dispose of a disk (or have it stolen without the rest of the server somehow) which was used in your pool that housed all your important (secret) data in an encrypted dataset, then there is indeed a purpose to key-based encryption, since it will prevent any chance of the person with that disk seeing any of your private data.
>
> If you trust the physical security of your server enough and dispose of all your disks by destruction or military wipe, then there's no real point to encryption at a pool or dataset level.

Enterprise systems use remote key management for this stuff. SED drives with the LOM board querying another server in a secure location for the keys before the OS can even boot. Tedious to configure, and if you have to ask how much the remote server software & support costs, you can't afford it. Amusingly, it's actually not too different than an ACME SSL Cert server & client, but there's a secure key repo, and of course vendor lock in.
 

Octopuss

> You can switch encryption from Passphrase to key (and back again) in the GUI under Encryption options...
>
> It's more-or-less described (although not very clearly) in this section of the documentation:
>
> You can use the "Encryption Actions" option from the 3 dots to get to the right screen, then change the drop-down from Passphrase to Key... and then generate a key (and make sure you keep it somewhere in case you lose your boot pool).

That doesn't answer the question I'm afraid. How will the pool unlock automatically?
 

sretalla

> That doesn't answer the question I'm afraid. How will the pool unlock automatically?

Yes it does.

When you unlock the pool (dataset) once, it remains unlocked (storing the key in the boot pool/config) even after reboot.
 

Octopuss

Oh! Ok!
 

sretalla

> Enterprise systems use remote key management for this stuff.

So does TrueNAS... if you pay for it...


 