Encryption and replication TrueNAS core 12

wavesswe

Hi!

I have a TrueNAS system with legacy encryption doing a replication task to a TrueNAS system with a new-type encryption pool. But I think that the data is unencrypted. I have a lock with a prohibit sign icon next to the dataset.

If this indicates unencryption, how do I solve this in the best way? I want to secure the data and not risk locking myself out.
 
Joined
Oct 22, 2019
Messages
3,641
> if this indicates unencryption.

That icon means the dataset is not encrypted, even though it is nested underneath an encrypted dataset.

You would have to make use of the "-x encryption" flag on the recv side of the replication, so that the newly created (and incrementally updated) dataset uses the encryption properties from its parent on the destination.

Similar problem seen here: https://www.truenas.com/community/threads/help-moving-pool-to-new-disks.89555/

And here: https://www.truenas.com/community/t...-drive-encryption-migration.89337/post-618435
 

wavesswe

Ok, is this an option from the GUI or CMD only? And will it be the same if I would recreate the pool from the main server with the new encryption?

And also, will it work if I encrypt the datasets with the replications on the backup and then transfer them back to the main TrueNAS with a newly created pool?
 

Samuel Tai

> That icon means the dataset is not encrypted, even though it is nested underneath an encrypted dataset.

@winnielinnie, I don’t think that’s correct. For my encrypted datasets, the lack of a lock icon on a daughter dataset underneath an encrypted dataset with a lock just means the daughter is inheriting the parent’s encryption settings.
 
Joined
Oct 22, 2019
Messages
3,641
> I have a lock with prohibit sign icon next to the dataset.

> That icon means the dataset is not encrypted, even though it is nested underneath an encrypted dataset.

> @winnielinnie, I don’t think that’s correct. For my encrypted datasets, the lack of a lock icon on a daughter dataset underneath an encrypted dataset with a lock just means the daughter is inheriting the parent’s encryption settings.

@Samuel Tai, I believe you might have misread our posts. Without posting actual icon image files (which I attempted to do), it's not as clear. I was referring to the padlock icon with the "X" (aka "prohibit") sign.


I'll try to clarify again, and if anyone knows how to insert official TrueNAS GUI icons/elements in this forum, let me know! :cool:

UPDATE: I went ahead and uploaded some icons I cropped out of the GUI, to better illustrate what I was referring to:
  • encryptionroot.png
    Padlock icon
    = encrypted dataset (parent / "encryptionroot" of children who inherit this dataset's encryption properties)
  • no-encryption.png
    Padlock icon with an X
    = non-encrypted dataset, that is nested underneath an encrypted dataset or child
  • inherited-encryption.png
    Lack of icon
    = dataset is inheriting its encryption properties from the parent / "encryptionroot"
 
Last edited:
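
Added example (not part of the original posts and not TrueNAS code): a shell check for the condition discussed above, a dataset with encryption off nested under an encrypted parent. It parses the tab-separated output of `zfs get -H -o name,value encryption`; the dataset names in the sample are constructed and `POOL` is a placeholder.

```shell
#!/bin/sh
# Flags datasets with encryption=off that sit below an encrypted ancestor
# (the "padlock with an X" case). Input: "name<TAB>encryption" lines, as
# printed by:  zfs get -H -o name,value -t filesystem,volume -r encryption POOL
# (POOL is a placeholder for the destination pool name.)
find_unencrypted_children() {
    awk -F '\t' '
        { enc[$1] = $2; order[NR] = $1 }
        END {
            for (i = 1; i <= NR; i++) {
                name = order[i]
                if (enc[name] == "off") {
                    parent = name
                    # Walk up the path: pool/a/b -> pool/a -> pool
                    while (sub("/[^/]*$", "", parent)) {
                        if ((parent in enc) && enc[parent] != "off") {
                            print name "\t" parent
                            break
                        }
                    }
                }
            }
        }'
}

# Constructed sample output (hypothetical dataset names), so this runs offline.
sample_zfs_output() {
    printf '%s\t%s\n' \
        backup aes-256-gcm \
        backup/replica aes-256-gcm \
        backup/replica/tank off \
        backup/replica/tank/docs off \
        backup/media aes-256-gcm \
        plain off \
        plain/data off
}

# Prints each unencrypted dataset, then its nearest encrypted ancestor.
sample_zfs_output | find_unencrypted_children
```

Datasets in a fully unencrypted pool (`plain` in the sample) are not reported, since they have no encrypted ancestor.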
Joined
Oct 22, 2019
Messages
3,641
> Ok, is this an option from the GUI or CMD only?

In the Replication Tasks, there is an option for "Encryption" that I believe is what you are looking for?


> And will it be the same if I would recreate the pool from main server with the new encryption?
>
> and also will it work if I encrypt the datasets with the replications on the backup and then transfer them back to main truenas with a newly created pool?

Both are possible by sending as a raw encrypted stream. In the command line, you would use the -R and -w flags. However, for the GUI, I believe the same is accomplished with the "Full Filesystem Replication" option, which preserves the dataset's properties, and includes all previous snapshots.
 

wavesswe

I now tried and it’s WIP as I write this with a small dataset and it seems that it’s working. I picked hex as encryption and from what I understand this is now stored in the backup server. However, I needed to create a new dataset on the remote location. Is this the only way or can I encrypt the already moved data? It’s a lot to re-move.
 