Changing ZFS key encryption to passphrase

Papid1975

Dabbler
Joined
Jun 29, 2020
Messages
40
I created a pool with an encrypted root dataset. As TrueNAS can only create encrypted pools with keys, not passphrases, I would like to change the unlock mechanism of this pool/dataset after creation. How would I do that?

Same thing for any dataset I created using a generated key (or inheriting the key from the parent dataset). How can I change the key to a passphrase?
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
I would like to change the unlock mechanism of this pool/dataset after creation. How would I do that?
Well, you can't exactly do that, but you can "fake" it.

Stop any sharing services, VMs and Jails that might be using data from the impacted datasets.

zfs rename pool/dataset/child pool/dataset/childTemp

Create your pool/dataset/child again with the desired encryption.

Copy your data from /mnt/pool/dataset/childTemp to /mnt/pool/dataset/child (use rsync with the -a switch or cp with -p to preserve permissions and other attributes).

Destroy the original
zfs destroy pool/dataset/childTemp

restart your shares, VMs and jails.
 
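The rename / recreate / copy / destroy workaround above as a script, added here as an example and not sretalla's own commands or TrueNAS code. It assumes datasets are mounted under /mnt, takes the new keyformat as an argument, and only prints the commands unless DRY_RUN=0; the migrate_dataset name and the key file path are mine, the zfs and rsync invocations are real.

```shell
#!/bin/sh
# Workaround for changing a dataset's unlock method when it cannot be changed in place:
# rename the old dataset aside, create a new one with the desired encryption, copy, destroy.
# DRY_RUN=1 (default) only prints the commands so the plan can be reviewed before anything runs.
set -eu

DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# migrate_dataset <pool/dataset/child> <keyformat>
#   keyformat "passphrase" prompts for the passphrase (also at every unlock after reboot);
#   keyformat "hex" reads a 32-byte hex key from an assumed file path under /root.
migrate_dataset() {
    ds="$1"
    fmt="$2"
    tmp="${ds}Temp"
    case "$fmt" in
        passphrase) keyloc="prompt" ;;
        hex) keyloc="file:///root/${ds##*/}.key" ;;   # assumed key location
        *) echo "unsupported keyformat: $fmt" >&2; return 1 ;;
    esac
    # 1. move the existing dataset aside (renaming copies no data)
    run zfs rename "$ds" "$tmp"
    # 2. recreate it as its own encryption root with the requested unlock method
    run zfs create -o encryption=on -o keyformat="$fmt" -o keylocation="$keyloc" "$ds"
    # 3. copy the data, preserving permissions, ACLs, extended attributes and timestamps
    run rsync -aAX "/mnt/$tmp/" "/mnt/$ds/"
    # 4. only after the copy has been verified, remove the original
    run zfs destroy -r "$tmp"
}

migrate_dataset "${1:-tank/data/child}" "${2:-passphrase}"
```

On TrueNAS, create the replacement dataset from the UI rather than with zfs create so the middleware records its key; the script's zfs create line shows the equivalent properties.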

irTwit

Dabbler
Joined
Aug 18, 2014
Messages
48
Can't he just change the encryption type from key to passphrase under Storage > click the three dots next to the dataset/pool > encryption options? The same goes for the child datasets, click "inherit encryption properties from parent".
 

Papid1975

Dabbler
Joined
Jun 29, 2020
Messages
40
Well, this is weird. I was expecting an option to select the encryption type, like a drop down. Was searching really hard exactly where you, irTwit, said. Couldn't find it. I just checked again and…there it is.

[screenshot attached]


Don’t remember which dataset I tried to change, maybe it was a special one…or the UI design just isn’t for me ;)

Anyways, thanks so much for your time
 

Samuel Tai

Never underestimate your own stupidity
Moderator
Joined
Apr 24, 2020
Messages
5,399
I've had the encryption type drop down disappear on me as well. What seems to bring it back is to export the pool and then reimport it. The drop down will appear if that's the first thing you access for the particular dataset/zvol.
 

HarambeLives

Contributor
Joined
Jul 19, 2021
Messages
153
This is an old thread but I just wanted to comment, as this is the first result that comes up when you Google this topic

Yes, you can change to passphrase from the menu. I just did it, and it worked fine. Rebooted and it prompted for passphrase, all good.
 

phier

Patron
Joined
Dec 4, 2012
Messages
400
hello,
I created a pool with encryption but after creation I can't change keys to passphrase...

[screenshot of the error message attached]
 

neofusion

Contributor
Joined
Apr 2, 2022
Messages
159
Have you tried doing what the error message asks you to do to proceed?
phier

Patron
Joined
Dec 4, 2012
Messages
400
Have you tried doing what the error message asks you to do to proceed?
no,
I thought there is an option while creating a new pool to even select passphrase or key... apparently it's not there? The question would be why... bug?
 

neofusion

Contributor
Joined
Apr 2, 2022
Messages
159
no,
I thought there is an option while creating a new pool to even select passphrase or key... apparently it's not there? The question would be why... bug?
Please explain, in detail, what you are trying to accomplish and what you have done so far.
 

phier

Patron
Joined
Dec 4, 2012
Messages
400
@neofusion I wanted to change the encryption key of the pool to a passphrase - it's not possible.

I can destroy the pool and re-create a new one - but while creating a new pool and selecting Encryption there is no option for a passphrase; only a key is generated.
 

neofusion

Contributor
Joined
Apr 2, 2022
Messages
159
@neofusion I wanted to change the encryption key of the pool to a passphrase - it's not possible.

I can destroy the pool and re-create a new one - but while creating a new pool and selecting Encryption there is no option for a passphrase; only a key is generated.
The error message you posted literally tells you what needs to be done to solve the core problem (system dataset has to be moved first).
Destroying the current pool and making a new one is not it.
 

phier

Patron
Joined
Dec 4, 2012
Messages
400
Have you tried doing what the error message asks you to do to proceed?
apparently I do not understand that message ...
what's the system dataset and how can I move the dataset to another pool as there is only one pool.... i.e. storage.

(system dataset has to be moved first).
to be moved where? I don't get it.

edit2: so can I move the system dataset to boot-pool?



thanks
 

neofusion

Contributor
Joined
Apr 2, 2022
Messages
159
apparently I do not understand that message ...
what's the system dataset and how can I move the dataset to another pool as there is only one pool.... i.e. storage.


to be moved where? I don't get it.

thanks
The system dataset cannot be on a pool that is encrypted with a passphrase. Since you want to change the encryption, the system is making sure that the system dataset is moved somewhere accessible first.

Here is the manual describing it, it also shows you where to find the setting in the Core menu: https://www.truenas.com/docs/core/uireference/system/systemdataset/

You should be able to move it to your boot-pool. Depending on the hardware you can keep it there. Not recommended if you're running it on something unsupported like on usb flash memory though.
 

phier

Patron
Joined
Dec 4, 2012
Messages
400
You should be able to move it to your boot-pool. Depending on the hardware you can keep it there. Not recommended if you're running it on something unsupported like on usb flash memory though.
yes, saw that documentation,
so normally what is the best practice? To have a separate ssd/nvme for a system pool?

thanks
 

neofusion

Contributor
Joined
Apr 2, 2022
Messages
159
yes, saw that documentation,
so normally what is the best practice? To have a separate ssd/nvme for a system pool?

thanks
If you have a pool with SSDs that's a good choice. USB flash media shouldn't be used for anything because they wear out much faster than the other options. The system dataset continually writes data to the chosen drive and will wear out drives with low write durability.

You don't need a pool for the system dataset to live on alone though.
Even if you can't place the system dataset on a pool that is encrypted with a passphrase, you can choose to not inherit the pool's encryption when making other datasets. By doing so you can choose a different type of encryption for them if you so wish. There are other posts in this forum that go into detail on that.
 

phier

Patron
Joined
Dec 4, 2012
Messages
400
well I moved the system dataset to boot-pool which sits on the nvme drive.
on top of the 3.5" drives I created a z1 pool and set encryption as follows
[screenshot attached]


not sure which setup is better... like that, the pool is encrypted with a passphrase and dataset storage inherited it...

or to create
main pool encrypted with the key
and inside create dataset storage without inherited encryption with key - and set encryption on it via passphrase...

thx
 

neofusion

Contributor
Joined
Apr 2, 2022
Messages
159
well maybe it's a better idea to store it on boot-pool (which is nvme)
and make it separate from the pool of 3.5" z1, correct?
Given those options, yes, that is how I would do it as well. Don't forget to keep a backup of it, the boot-pool is easy to miss since it is hidden in many of the storage menus.
well I moved the system dataset to boot-pool which sits on the nvme drive.
on top of the 3.5" drives I created a z1 pool and set encryption as follows
[screenshot attached]

not sure which setup is better... like that, the pool is encrypted with a passphrase and dataset storage inherited it...

or to create
main pool encrypted with the key
and inside create dataset storage without inherited encryption with key - and set encryption on it via passphrase...

thx
The second option is more flexible since it lets you choose if any single dataset should use no, passphrase or key-based encryption.

Encrypting the entire pool with a passphrase is more secure, but also less flexible because it means that you cannot access anything at all on the pool without manually unlocking it after a reboot. Sometimes that security is desirable, sometimes it is more of a chore; it depends on your usage and perceived threat.
 
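To see which datasets are their own encryption root and how each one unlocks (the practical difference between the "inherit from the pool" and "per-dataset" layouts discussed in the last two replies), an added example that is not from this thread or from TrueNAS: it parses the output of `zfs get -r -H -o name,property,value encryption,keyformat,keylocation,encryptionroot <pool>`; the embedded sample output is constructed and audit_roots is my name.

```shell
#!/bin/sh
# Audit which datasets in a pool are their own encryption root and how they unlock.
# Real input is tab-separated; no field contains whitespace, so awk's default splitting works.
set -eu

# Constructed sample: key-encrypted pool "main", a passphrase child "main/storage" that is
# its own encryption root, a child inheriting the pool's key, and one unencrypted child.
SAMPLE='main encryption aes-256-gcm
main keyformat hex
main keylocation prompt
main encryptionroot main
main/storage encryption aes-256-gcm
main/storage keyformat passphrase
main/storage keylocation prompt
main/storage encryptionroot main/storage
main/media encryption aes-256-gcm
main/media keyformat hex
main/media keylocation prompt
main/media encryptionroot main
main/plain encryption off
main/plain keyformat none
main/plain keylocation none
main/plain encryptionroot -'

# audit_roots <zfs-get-output>: prints one line per dataset, in the order zfs listed them.
# A dataset whose root unlocks via passphrase must be unlocked by hand after every reboot,
# and the TrueNAS system dataset cannot live on such a dataset.
audit_roots() {
    printf '%s\n' "$1" | awk '
        { v[$1, $2] = $3; if (!($1 in seen)) { seen[$1] = 1; order[++n] = $1 } }
        END {
            for (i = 1; i <= n; i++) {
                d = order[i]
                if (v[d, "encryption"] == "off")
                    print d " unencrypted"
                else if (v[d, "encryptionroot"] != d)
                    print d " inherits from " v[d, "encryptionroot"]
                else
                    print d " encryption root, unlock via " v[d, "keyformat"] " (" v[d, "keylocation"] ")"
            }
        }'
}

audit_roots "$SAMPLE"
```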

phier

Patron
Joined
Dec 4, 2012
Messages
400
oh i see, appreciate your reply.

Maybe one more question...
in case I passphrase protect the main pool, and then create a dataset inside of it with no encryption .. what's the point of such a setup?

Until you unlock the main pool, you still won't be able to use any dataset (whether encrypted or not) inside of it?

thanks
 