Cron Job to Lock Encrypted Pool

[SwampThing]

I would like to know if it is possible to setup a cron job that will periodically lock an unlocked pool. Having the pool be locked once a week to protect the data I would think should be possible without rebooting the entire computer but I can't seem to find any information about how to do this.

 

[Samuel Tai]

Yes, it is possible, but you'll need to use API calls to do it.

1. First, collect the GUID of the pool you wish to lock via zpool get guid <name of your pool>.
2. Then your cron job will run midclt call pool.lock "<pool GUID>".

 

[SwampThing]

Yes, it is possible, but you'll need to use API calls to do it.

1. First, collect the GUID of the pool you wish to lock via zpool get guid <name of your pool>.
2. Then your cron job will run midclt call pool.lock "<pool GUID>".

Awesome! Thanks so much!

 

[SwampThing]

Yes, it is possible, but you'll need to use API calls to do it.

1. First, collect the GUID of the pool you wish to lock via zpool get guid <name of your pool>.
2. Then your cron job will run midclt call pool.lock "<pool GUID>".

Hmm attempted to use the command, and it doesn't seem to do anything. It responds with a number code (68 in this case) but nothing happens with regard to locking the drive.

 

[Samuel Tai]

How is your pool constructed? Are you using just a key to encrypt, or also a passphrase? Are you setting your child datasets to inherit their encryption settings?

 

[winnielinnie]

TrueNAS CORE 12.0-U4 here. Same result as @SwampThing

It simply spits out a number (looks like a process ID?), and nothing happens. Dataset remains unlocked.

I even tried midclt call pool.lock GUID_OF_DATASET where the dataset is its own encryptionroot.

 

[winnielinnie]

Okay, I figured it out. Here's the method that worked for me:

midclt call pool.dataset.lock poolname
or
midclt call pool.dataset.lock poolname/dataset/child

Some examples.

If your pool is tank and it is encrypted at the top-level root dataset:
midclt call pool.dataset.lock tank

If you encrypted a dataset separately, perhaps nested further down:
midclt call pool.dataset.lock tank/zdataroot/goldmine

 

[SwampThing]

How is your pool constructed? Are you using just a key to encrypt, or also a passphrase? Are you setting your child datasets to inherit their encryption settings?

Key and Passphrase, and yes the child datasets inherit their encryption settings from the parent.

 

[winnielinnie]

Did you try my method above using pool.dataset.lock instead of pool.lock, and using the actual dataset name (such as tank or tank/dataset/media) instead of GUID?

 

[SwampThing]

I just tried it, and got a similar result. File attached.

 

[winnielinnie]

Did you refresh the Storage > Pools screen to make sure it locked? Don't rely on it to update the display on its own, and don't rely on the console output. (For myself, there was about a 5-second delay after constantly refreshing the page to see it updated as "Locked".)

Is bank3 the name of the encryptionroot itself? Is it the top-level root dataset?

It's actually bank3, not pool/bank3?

What is the output of:
zfs list -o name,encryption,encryptionroot bank3

EDIT: Are you using the Legacy (GELI) encryption or the new ZFS encryption?

 

[SwampThing]

I believe it was the fact that It was still on Legacy encryption. I have backed up the drive, and am rebuilding it with the updated encryption and will go from there. Should be ready tomorrow and I will let you know how it goes.

 

[winnielinnie]

I believe it was the fact that It was still on Legacy encryption.

Well that explains everything.

Should be ready tomorrow and I will let you know how it goes.

There's a caveat, however. You won't be able to use the Cron Task to lock your top-level root dataset (same "name" as your pool) if your System Dateset lives on that pool. If you try to switch to a passphrase, it'll move the System Dataset back to the boot-pool I believe.

 

[SwampThing]

The system dataset is stored on another pool all together so that's not an issue.

Still no luck. I attempted

midclt call pool.dataset.lock bank3

as well ass

midclt call pool.dataset.lock bank3/bank3

Attached is the output you requested. Drives are now using latest ZFS Encryption. Both commands gave the same result. Process number output and no result.

 

[winnielinnie]

Is there actually a dataset bank3/bank3?

No matter how much time passed since you issued the command, the dataset remained locked?

Is there anything using the datasets? Currently opened shares?

 

[SwampThing]

Don't know if this helps but the structure in the GUI looks like this. I created the pool in the GUI, and it automatically added an encrypted dataset to it. Then I made child datasets below that for organizational purposes. It does have shares attached to it. I will attempt to stop the shares and use the lock command, but I can tell you that if I use the GUI menu to lock the share it does not have any issue locking it even with the shares running.

Edit: Also 40 mins later it still hadn't locked. Just tried it again with the shares to that pool stopped, and it did the same thing. I'll give it some time to see if it actually locks.

 

[SwampThing]

I can report that after shutting down the shares to that pool, and using the command recommended and giving it almost two hours it still hasn't locked so I'm gonna say no go on that.

 

[winnielinnie]

You're using a passphrase on bank3, correct?

EDIT: Nevermind, you wouldn't be able to lock it via the GUI if wasn't passphrase-protected.

 

[winnielinnie]

Check the Task Manager (icon in the upper-right corner of the GUI) shortly after you issue the command to see what error it yields. You will have to click on the entry that reads "pool.dataset.lock" under the "Method" column.