Can I remove encryption?

[Octopuss]

I was an idiot when I installed the NAS and now I have to enter a password to unlock the pool everytime I reboot the server, which is annoying.
Can the encryption be removed, or do I need to reinstall the whole TrueNAS?

 

[sretalla]

You can make new unencrypted datasets, then rsync your content over, delete the originals and rename the new ones.

 

[Octopuss]

That assumes I have spare disks I guess, which I don't. So I need to backup the data and recreate the pool and redo all the permissions then?

 

[sretalla]

That assumes I have spare disks I guess, which I don't.

No. You can do it all inside the pool you have already, assuming you have at least some free space... you may need to do one dataset at a time if you have issues with limited space, taking care to delete snapshots as you go deleting along the way.

 

[Octopuss]

Oh. Can I do all this from the GUI?
I have 33% free space in the pool. Is that enough?

 

[Octopuss]

Now that I'm looking at the storage window, it seems like there's no way to remove encryption from the pool itself, is it? Or does it automatically go away when I redo all the datasets within?

 

[sretalla]

Oh. Can I do all this from the GUI?

Not really... if you wanted to, you could use tmux in the shell to do the rsync jobs.

I have 33% free space in the pool. Is that enough?

I don't know... how much space is in encrypted datasets? how many of them are there and are they all the same size?

How big is your pool?

How have you done the passthrough to the VM (are you doing PCI passthrough for the whole LSI card?)?

 

[sretalla]

it seems like there's no way to remove encryption from the pool itself, is it? Or does it automatically go away when I redo all the datasets within?

If you're talking about encryption of the pool root dataset (which was... and can only be... done at the time of pool creation, then yes, you're stuck with it.

You can change it to not be passphrase type, so it stores the key on your boot pool and auto-unlocks on boot though.

 

[Octopuss]

Ok, I better start backing up the data, lol. This looks way more complicated than I thought.

 

[Octopuss]

If you're talking about encryption of the pool root dataset (which was... and can only be... done at the time of pool creation, then yes, you're stuck with it.

You can change it to not be passphrase type, so it stores the key on your boot pool and auto-unlocks on boot though.

Ah ok.
That makes the encryption pretty much useless though, doesn't it?

Anyway, I think I will just write down all the permissions and parameters of the pool/datasets I have, and then just recreate them when I reinstall TrueNAS (I'll be moving away from ESXi so I need to redo everything anyway).

 

[sretalla]

That makes the encryption pretty much useless though, doesn't it?

No.

There are IMHO questionable benefits to encryption in general on TrueNAS (or any system where you want to be able to start it without needing to enter passwords all over the place).

If your intention is to prevent somebody who has physical access to the server from getting at its contents, that means you too. (and you see already how much that sucks/blows, depending on your viewpoint).

If you want to be able to confidently dispose of a disk (or have it stolen without the rest of the server somehow) which was used in your pool that housed all your important (secret) data in an encrypted dataset, then there is indeed a purpose to key-based encryption, since it will prevent any chance of the person with that disk seeing any of your private data.

If you trust the physical security of your server enough and dispose of all your disks by destruction or military wipe, then there's no real point to encryption at a pool or dataset level.

 

[Octopuss]

Yup, I think there's no point in encryption in the case of home media/backup server.

The only pain will be writing down all the configuration stuff. The TrueNAS itself's settings I can export, but the pool/datasets permissions suck to do.

 

[sretalla]

So if it makes more-or-less no difference, why not just turn it to key encryption then? (skipping all the messing around).

 

[Octopuss]

Hmm, I guess I could do that, but again, can I do this in the GUI? I vaguely rememeber I might had it set up like that in past, and had to provide the key upon every reboot manually anyway. Or I think so.

 

[sretalla]

can I do this in the GUI?

You can switch encryption from Passphrase to key (and back again) in the GUI under Encryption options...

It's more-or-less described (although not very clearly) in this section of the documentation:

Storage Encryption

Describes how to encrypt a storage pool in TrueNAS CORE.

www.truenas.com

You can use the "Encryption Actions" option from the 3 dots to get to the right screen, then change the drop-down from Passphrase to Key... and then generate a key and make sure you keep it somewhere in case you lose your boot pool)

 

[rvassar]

No.

There are IMHO questionable benefits to encryption in general on TrueNAS (or any system where you want to be able to start it without needing to enter passwords all over the place).

If your intention is to prevent somebody who has physical access to the server from getting at its contents, that means you too. (and you see already how much that sucks/blows, depending on your viewpoint).

If you want to be able to confidently dispose of a disk (or have it stolen without the rest of the server somehow) which was used in your pool that housed all your important (secret) data in an encrypted dataset, then there is indeed a purpose to key-based encryption, since it will prevent any chance of the person with that disk seeing any of your private data.

If you trust the physical security of your server enough and dispose of all your disks by destruction or military wipe, then there's no real point to encryption at a pool or dataset level.

Enterprise system use remote key management for this stuff. SED drives with the LOM board querying another server in a secure location for the keys before the OS can even boot. Tedious to configure, and if you have to ask how much the remote server software & support costs, you can't afford it. Amusingly, it's actually not too different than an ACME SSL Cert server & client, but there's a secure key repo, and of course vendor lock in.

 

[Octopuss]

You can switch encryption from Passphrase to key (and back again) in the GUI under Encryption options...

It's more-or-less described (although not very clearly) in this section of the documentation:

Storage Encryption

Describes how to encrypt a storage pool in TrueNAS CORE.

www.truenas.com

You can use the "Encryption Actions" option from the 3 dots to get to the right screen, then change the drop-down from Passphrase to Key... and then generate a key and make sure you keep it somewhere in case you lose your boot pool)

That doesn't answer the question I'm afraid. How will the pool unlock automatically?

 

[sretalla]

That doesn't answer the question I'm afraid. How will the pool unlock automatically?

Yes it does.

When you unlock the pool (dataset) once, it remains unlocked (storing the key in the boot pool/config) even after reboot.

 

[Octopuss]

Oh! Ok!

 

[sretalla]

Enterprise system use remote key management for this stuff.

So does TrueNAS... if you pay for it...

Configuring KMIP

Describes how to configure KMIP on TrueNAS SCALE Enterprise.

www.truenas.com

Configuring KMIP

Describes how to configure KMIP on TrueNAS CORE Enterprise.

www.truenas.com