I'm evaluating TrueNAS SCALE and I'm already blown away! The UI looks so good, Linux, Docker containers... Setting up Portainer is easy too. Robust storage. Basically all I need in one package. Except maybe for my desire to encrypt the system at rest...
During pool creation I can check "Encryption" but this will store the keys "in the system database and can be exported at any time from the pool options". This way my data won't be protected if the whole NAS is stolen. So instead I tried to configure it with a passphrase, which I will remember and not store on the NAS. But I'm presented with this error: "[EINVAL] id: data contains the system dataset. Please move the system dataset to a different pool before changing key_format."
So I move the system dataset to the boot-pool via System Settings -> Misc -> System Dataset. Now I'm allowed to enable passphrase encryption on my data pool. But since the boot pool is unencrypted I'm worried what (sensitive) data it may contain. What is stored in the system dataset? Anything sensitive it may leak, like Docker container config?
So my question: What are my options to enable encryption for the whole system? Would it be possible to set up the boot-pool with LUKS full disk encryption? Possibly even remote unlock at boot with dracut-sshd. That way I can also store the encryption keys there for my data pool and wouldn't need to resort to passphrase encryption for those.