Datasets: Minimum size and encryption.

[Enforcer83]

BLUF: How do I specify a minimum size for a dataset? How can I make a dataset decryptable by only one person?

Background:
I am looking to migrate my linux based file/media server over to TrueNAS. I experimented with TrueNAS in a VM and was able to get it to work but one thing I was unable to figure out was how I can set a minimum dataset size that can scale as needed.

Additionally, I have a need to configure a dataset so it can ideally only be accessed and decrypted by one person. I intend for this dataset to be used by my wife who is a therapist and deals with client data. I suspect this use case (encryption) is going to require much more involvement, e.g. Active directory service, to implement and if so I will find a different option. I am not a network admin nor do I have any formal training so anything I do would have to be from a home user perspective and understanding.

 

[Davvo]

You don't need AD to encrypt a dataset. What do you mean by minimum size?
Regarding encyption, start reading from here; regarding datasets, from here. And you likely want to read about pools as well, so start here.
I suggest you reading the following resource too.

Introduction to ZFS

This is a short introduction to ZFS. It is really only intended to convey the bare minimum knowledge needed to start diving into ZFS and is in no way meant to cut Michael W. Lucas' and Allan Jude's book income. It is a bit of a spiritual...

www.truenas.com

 

[winnielinnie]

How do I specify a minimum size for a dataset?

Something like "Reserved space"? This can be set during dataset creation, or later if you decide to edit the dataset's options.

I have a need to configure a dataset so it can ideally only be accessed and decrypted by one person. I intend for this dataset to be used by my wife who is a therapist and deals with client data.

If by "one person" you mean you and your wife? It's just a matter of enabling encryption when you create the dataset, and set a passphrase that is only known to the two of you.

If you mean "one person" in the literal sense, as in only your wife, then things can get awkward. Sure, you can have her manually enter the passphrase while you close your eyes. But as the admin, you can gain access to the "encrypted" dataset's contents simply by browsing it as the root user or any user account in which you grant yourself access. After all, in order for her to access the dataset, it needs to remain in an unlocked state.

To make things even more awkward, you can set a different passphrase while the dataset is in an unlocked state, effectively denying your wife access to the contents when the dataset becomes locked, and she is unable to unlock it.

So honestly, the way ZFS encryption works it's not feasible for only your wife to have exclusive access and control of an encrypted dataset if you administer the server.

 

[WI_Hedgehog]

A ZFS reservation is an allocation of disk space from the pool that is guaranteed to be available to a dataset.

Setting ZFS Quotas and Reservations - Oracle Solaris ZFS Administration Guide

This book is intended for anyone responsible for setting up and administering Oracle ZFS file systems. Topics are described for both SPARC and x86 based systems, where appropriate.

docs.oracle.com

A quick-start guide to OpenZFS native encryption:

A quick-start guide to OpenZFS native encryption

Learn the hows, whys, and whats of OpenZFS encryption with this short guide.

arstechnica.com

"Passphrase locked datasets are protected against use even in the local system until somebody unlocks them with the passphrase (at which point the content is open to all with access to the server, including replication... but replication is at block level, so the encryption method will ensure that the passphrase is required on the replica also)" - @sretalla

Lock an Encrypted Dataset

I have started to ZFS Snapshot Replicate an Encrypted Dataset to another Truenas core box. I unlocked the remote dataset. I can’t figure out how to lock it again. How do I do this ?

www.truenas.com