-
Important Announcement for the TrueNAS Community.
The TrueNAS Community has now been moved. This forum has become READ-ONLY for historical purposes. Please feel free to join us on the new TrueNAS Community Forums
Dataset only encryption?
- Thread starter majerus
- Start date
- Joined
- Feb 2, 2018
- Messages
- 1,401
Hi Majerus,
There are many different ways of doing encryption... One is indeed to do it at the pool level using ZFS logical features. This can not be used for dataset because datasets are dynamic. They can be resized, increased, decreased, etc. Also, because ZFS is copy-on-write, doing such a kind of dataset-level encryption would not be easy, if even possible.
Still, you can encrypt using other features.
One option would be to create a dataset as a zvol and export it to another operating system like Linux. Linux will then be able to format it the way you wish, like an encrypted LVM. That would ensure everything in that dataset will be encrypted. It will just not be encrypted by ZFS or FreeNAS.
You can also create a share and mount it from another computer. On that one, you can use an encryption tool like Veracrypt to create a large file that will be mounted as a volume. That logical volume created by Veracrypt will also be encrypted.
So ZFS by itself will not encrypt a dataset, but there are options for you to do it or do something similar.
Always be careful with encryption and don't shoot yourself in the foot. Ensure you can do key recovery, backup and restore, etc, so encryption does not end up a tool that prevent you accessing your own data.
There are many different ways of doing encryption... One is indeed to do it at the pool level using ZFS logical features. This can not be used for dataset because datasets are dynamic. They can be resized, increased, decreased, etc. Also, because ZFS is copy-on-write, doing such a kind of dataset-level encryption would not be easy, if even possible.
Still, you can encrypt using other features.
One option would be to create a dataset as a zvol and export it to another operating system like Linux. Linux will then be able to format it the way you wish, like an encrypted LVM. That would ensure everything in that dataset will be encrypted. It will just not be encrypted by ZFS or FreeNAS.
You can also create a share and mount it from another computer. On that one, you can use an encryption tool like Veracrypt to create a large file that will be mounted as a volume. That logical volume created by Veracrypt will also be encrypted.
So ZFS by itself will not encrypt a dataset, but there are options for you to do it or do something similar.
Always be careful with encryption and don't shoot yourself in the foot. Ensure you can do key recovery, backup and restore, etc, so encryption does not end up a tool that prevent you accessing your own data.
danb35
Hall of Famer
- Joined
- Aug 16, 2011
- Messages
- 15,504
Currently, FreeNAS (and, more broadly, ZFS on FreeBSD) does not support dataset-level encryption. ZFS on Linux does support this, and it's likely to be ported into FreeBSD in the relatively-near future (I wouldn't be surprised to see it in FreeNAS 12), but not yet. Though as @Heracles says, there are lots of other ways to skin this cat.
