Docker stopped working when pool gets encrypted

[Linge]

Hi, I have Truenas Scale running with a stand alone docker (I edited the daemon.json so I am not using the default kubernetes apps) that worked flawlessly without encryption. But Then I decided to turn on encryption with a passphrase, and after system reboot it stopped working. If I unlock the dataset I can start docker again, but I think it is better to leave it locked.
What is the issue, and is it solvable? Thanks

 

[neofusion]

I'm not sure I follow.
Docker doesn't have any backdoors into a locked dataset, so when you leave it locked, docker cannot access the encrypted data.

By choosing encryption with passphrase (as opposed to key) you have chosen a level of security that keeps your data safe unless you manually unlock the datasets post boot, the system is unable to do so itself.
Key-based encryption is more convenient since it automatically unlocks at boot but it would only keep the data safe while at rest.

 

[Linge]

Thanks, I understand.
The problem with key based encryption is that the data on the server can be accessed by anyone who might break into my house if the pool hasn't been disconnected. Isn't there a way to allow docker to work with an encrypted pool. I tried to change the system dataset pool from boot-pool to tank but since my tank pool is encrypted it doesn't show up in the list.

 

[neofusion]

Docker works with an encrypted dataset, if it is unlocked.

Is your fear that intruders will access your system while it's running?
If yes, I suppose you're facing a dilemma; what you value more, access to the dataset or keeping it safe from competent intruders? Maybe access to the server while on-site can be hampered hiring a security consultant to cook up a solution that breaks server power (or gracefully shuts it down) if entry is forced?
If not, just enter the passphrase after system reboot and Docker will be fine. Anyone physically stealing your server will likely break power and have a tough time reading your data after booting it back up again.

 

[Linge]

Ok, I suppose my home is safe enough but I can't know for suhre for my friends house where I have my backup server. Is it possible to have a key encryption on my main server and to replicate it on the backup server beeing encrypted with a passphrase for extrasecurity. In other terms how does the encryption option in the replication task settings works with key or passphrase encryption dataset?

 

[neofusion]

Ok, I suppose my home is safe enough but I can't know for suhre for my friends house where I have my backup server. Is it possible to have a key encryption on my main server and to replicate it on the backup server beeing encrypted with a passphrase for extrasecurity. In other terms how does the encryption option in the replication task settings works with key or passphrase encryption dataset?

I know you can replicate to a backup server while keeping everything encrypted in the destination.
It's possible to do so in a way that the backup server never gets the key to unlock the dataset.
Sadly, since I have no friends to set something like this up at, I have yet to fully learn how to do it.

 

[Linge]

Ok I passed my two servers with key encryption and undertook a replication. I can now see my data on the backup server encrypted with the key from the main server, but I unlocked it to check and it seems there is no easy way to lock it back up. Any idea ?

 

[sretalla]

zfs unload-key <pool/dataset>

 

[Linge]

Thanks, but it says "key unload error dataset busy". It's strange as I don't have anything accessing the data except my sftp client, and maybe the replication task.

 

[neofusion]

Ok I passed my two servers with key encryption and undertook a replication. I can now see my data on the backup server encrypted with the key from the main server, but I unlocked it to check and it seems there is no easy way to lock it back up. Any idea ?

It sounds like you have one or two things to halt then. :)

At the very least the sftp client.
I am not sure how a replication task that expects encrypted data in the destination will handle a situation where you unlocked it. Perhaps it's nothing to worry about.

 

[Linge]

Nope, disabling the SFTP didn't change anything. Is there a command to see what is running on truenas core? In services I already disabled everything except SSH.

 

[neofusion]

My experience when unmounting things have typically been that if you are traversing the folders in the dataset you are trying to unmount, the device will be marked as busy and prevent you from doing so.
In other words, if your ssh client, or sftp, or whatever, is currently browsing a directory on the dataset you want to make unavailable by locking, the unlock may well fail.

This is of course assuming it behaves like unmounting. I have no specific experience with relocking a dataset.
If it's not that, I'm out of ideas.