SOLVED Can TrueNAS SCALE import a Linux OpenZFS Encrypted Zpool?

linuxkidd

Cadet
Joined
Aug 31, 2022
Messages
4
Hi all,
I'm interested in migrating my primary server from Proxmox to TrueNAS SCALE. When I set up my zpool on my Proxmox server, I did so with the following syntax:

Code:
zpoolopts='-o ashift=12 -O encryption=on -O keyformat=passphrase -O keylocation=file:///root/passphrase -O atime=off -O compression=lz4'
zpool create ${zpoolopts} tank raidz


My intent was that all of my disks have at-rest encryption, so if a disk failure / swap is necessary, I don't need to be concerned about the disks' contents being readable (even if it's only small chunks of larger files).

Note: Individual `zfs create` commands -do not- have the `-O encryption=on` flag, this is only set at the top zpool.

My question... can I import this into TrueNAS SCALE?

Answers I've already found:
- Can't import from FreeNAS / TrueNAS core
- no planned support for GELI encryption

I hope the answer is different since it's from an existing Linux OpenZFS pool using currently supported encryption processes.

Thanks,
lk
 

linuxkidd

Adding my zpool status output in case the configuration makes any difference:
Code:
config: 

        NAME                                           STATE     READ WRITE CKSUM
        tank                                           ONLINE       0     0     0
          raidz1-0                                     ONLINE       0     0     0
            ata-ST16000NM001G-2KK103_ZL25RQH4          ONLINE       0     0     0
            ata-ST16000NM001G-2KK103_ZL25SYBH          ONLINE       0     0     0
            ata-ST16000NM001G-2KK103_ZL25SZTB          ONLINE       0     0     0
            ata-ST16000NM001G-2KK103_ZL25R9QC          ONLINE       0     0     0
          raidz1-1                                     ONLINE       0     0     0
            ata-ST16000NM001G-2KK103_ZL2NQD1C          ONLINE       0     0     0
            ata-ST16000NM001G-2KK103_ZL25TS0S          ONLINE       0     0     0
            ata-ST16000NM001G-2KK103_ZL25RD0Q          ONLINE       0     0     0
            ata-ST16000NM001G-2KK103_ZL25WBK8          ONLINE       0     0     0
          raidz1-2                                     ONLINE       0     0     0
            ata-ST16000NM001G-2KK103_ZL25SXK1          ONLINE       0     0     0
            ata-ST16000NM001G-2KK103_ZL25TRSC          ONLINE       0     0     0
            ata-ST16000NM001G-2KK103_ZL25RD76          ONLINE       0     0     0
            ata-ST16000NM001G-2KK103_ZL25RBT0          ONLINE       0     0     0
          raidz1-6                                     ONLINE       0     0     0
            ata-ST16000NM000J-2TW103_ZR70DMZH          ONLINE       0     0     0
            ata-ST16000NM001G-2KK103_ZL2NZG8M          ONLINE       0     0     0
            ata-ST16000NM001G-2KK103_ZL2P3M2A          ONLINE       0     0     0
            ata-ST16000NM001G-2KK103_ZL2P3M3D          ONLINE       0     0     0
          raidz1-7                                     ONLINE       0     0     0
            ata-ST16000NM001G-2KK103_ZL2P3M86          ONLINE       0     0     0
            ata-ST16000NM001G-2KK103_ZL2P3MBL          ONLINE       0     0     0
            ata-ST16000NM001G-2KK103_ZL2P3MH9          ONLINE       0     0     0
            ata-ST16000NM001G-2KK103_ZL2P3MHG          ONLINE       0     0     0
          raidz1-8                                     ONLINE       0     0     0
            ata-ST16000NM001G-2KK103_ZL2P3MKA          ONLINE       0     0     0
            ata-ST16000NM001G-2KK103_ZL2P3MVQ          ONLINE       0     0     0
            ata-ST16000NM001G-2KK103_ZL2P3N1B          ONLINE       0     0     0
            ata-ST16000NM001G-2KK103_ZL2P3P2P          ONLINE       0     0     0
        logs
          nvme-ADATA_SX8200PNP_2K22292BH111-part128    ONLINE       0     0     0
        cache
          ata-Samsung_SSD_860_EVO_2TB_S3YUNB0K802975P  ONLINE       0     0     0
          ata-Samsung_SSD_860_EVO_2TB_S3YUNB0K803422R  ONLINE       0     0     0


Thanks,
LK
 

linuxkidd

In case anyone else has this same question, and comes across this post...

- yes, TrueNAS can import an encrypted zpool.

To confirm this, I:
- Created a TrueNAS SCALE VM in my Proxmox instance
- Jumped into the Linux shell and deployed a zpool with the same options above, single, 4 disk raidz
+ Including the encryption
- Then rebooted the TrueNAS SCALE vm, and used the 'Import' function
- TrueNAS SCALE recognized it was encrypted and prompted if I wanted to unlock it
- Then prompted me for the password
- Deployed a Plex app instance
- Rebooted TrueNAS SCALE
- When the boot completed, the storage was still present, but locked
- I clicked the 3 dot menu for the storage, clicked 'Unlock', and entered my password
- Checked the 'Apps' and found that Plex was re-deploying

So, aside from possibly saving the password for the encrypted zpool, it all works exactly as I hoped.

I'm still exploring to see if there's a possibility of saving the decryption password, but not finding anything so far.

Thanks!
LK
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
> I'm still exploring to see if there's a possibility of saving the decryption password, but not finding anything so far.

Not sure if it can be done for the pool-level encryption option, but for datasets, you can click the 3 dots to the right and select Encryption options and change the Encryption type from Passphrase to Key.

This will then allow the pool to be automatically unlocked on startup.
 

linuxkidd

> ... click the 3 dots to the right and select Encryption options and change the Encryption type from Passphrase to Key.
> This will then allow the pool to be automatically unlocked on startup.

Woot.. I can confirm this works for encrypted zpool as well! Anyone who does this -- make sure you back up the encryption key!!! You can export it from the 3 dot menu as well. :)

Thanks @sretalla !
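
Because encryption was set only on the pool's root dataset, one way to check that every child dataset really inherits it, and to see how each encryption root obtains its key, is to parse `zfs get -H` output. This is an added example, not part of the original thread; the function names, the `backup/old` dataset and the sample property lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit ZFS encryption properties.
# Input: tab-separated lines "name<TAB>property<TAB>value", as printed by
#   zfs get -H -r -o name,property,value \
#       encryption,keyformat,keylocation,encryptionroot tank
# (pipe that command into audit_zfs_encryption on a real system).

audit_zfs_encryption() {
    awk -F '\t' '
        {
            prop[$1, $2] = $3
            if (!($1 in seen)) { seen[$1] = 1; order[++n] = $1 }
        }
        END {
            for (i = 1; i <= n; i++) {
                ds  = order[i]
                enc = prop[ds, "encryption"]
                if (enc == "")    { print "UNKNOWN " ds; continue }
                if (enc == "off") { print "UNENCRYPTED " ds; continue }
                root = prop[ds, "encryptionroot"]
                # A child that inherits encryption shares its parent key.
                if (root != ds) { print "INHERITS " ds " from " root; continue }
                # Encryption root: report how the wrapping key is supplied.
                kf = prop[ds, "keyformat"]
                kl = prop[ds, "keylocation"]
                if (kl ~ /^file:\/\//) print "KEYFILE " ds " " kf " " kl
                else                   print "PROMPT " ds " " kf
            }
        }'
}

# Constructed sample input (not real output from the pool in this thread).
sample_props() {
    printf '%s\t%s\t%s\n' \
        tank       encryption     aes-256-gcm \
        tank       keyformat      passphrase \
        tank       keylocation    file:///root/passphrase \
        tank       encryptionroot tank \
        tank/media encryption     aes-256-gcm \
        tank/media keyformat      passphrase \
        tank/media keylocation    none \
        tank/media encryptionroot tank \
        backup/old encryption     off \
        backup/old keyformat      none \
        backup/old keylocation    none \
        backup/old encryptionroot -
}

sample_props | audit_zfs_encryption
```

A `KEYFILE` line means the key is read from a file on the host, so that file has to be copied to the new system and backed up separately from the pool disks.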
 