Encryption of root- and sub-dataset / And cannot find button for "Export Dataset Keys"

[TrueNasForever]

Hi,

I switched from core to scale and I don't understand something about the encryption, which consequently changes from Geli to ZFS.

I encrypted my root dataset and switched to passphrase. When I created it I was also prompted to download the key. The password is simple and is just to make sure the disks can't be moved.

Now there is a sub-dataset, which contains more confidential data and also got a much more difficult and secret password. But here I was not asked to save the key.

It is also not possible to export the key afterwards, because I cannot find the menu entry "Export Dataset Keys" - mentioned in numerous forum entries - in any dataset.

Now my question:

As far as my knowledge the passphrase is only used to encrypt the data-key. Is this now identical for root and sub dataset and only encrypted with two different passphrases? Or does each have its own data-key that is encrypted with the respective passphrase.

I hope the latter, otherwise I can not use the zfs encryption for my purpose. Just for this last case, where can I export the keys (or just the new key), since I am missing the button.

I didn't find anything on this specific topic, if there is already a forum post, please poke me with my nose on it

Thanks a lot!

 

[winnielinnie]

When I created it I was also prompted to download the key.

It is also not possible to export the key afterwards, because I cannot find the menu entry "Export Dataset Keys"

Upon creating a new pool and choosing to encrypt the top-level root dataset (remember, with native ZFS encryption, you don't encrypt pools; you encrypt datasets), it prompts you to download the "encryption key" because TrueNAS's GUI defaults to using a randomly generated keystring upon first-time use of encryption. (There are reasons for this.)

Once you switch to using a passphrase for this top-level root dataset (or any dataset, really), then the "keyfile" is no longer relevant. There's nothing to export; it's a matter of memorizing your passphrase. (However, you should still get in the habit of regularly exporting your dataset encryption keys for the entire pool. The reason for this is you can have a mix of passphrases and keyfiles within the same pool. Doing this export will save a .json file with the keystrings for the datasets that use them. The datasets that use a passphrase? They will not be included in this .json file that you exported. Again, because it's your responsibility to memorize your passphrases.)

As far as my knowledge the passphrase is only used to encrypt the data-key. Is this now identical for root and sub dataset and only encrypted with two different passphrases? Or does each have its own data-key that is encrypted with the respective passphrase.

I think you mean "master key". The master key is the actual key (256-bit wide by default) that is used to encrypt/decrypt your data. You have no control of choosing it, as it is randomly generated every time you create a new encrypted dataset. It's different for every dataset. When you change the passphrase or keystring, you're simply re-encrypting the same master key that uses the new passphrase/keystring, while essentially making the old passphrase/keystring useless. The true 256-bit master key itself never changes after it is generated for the first time in the background when you create a new encrypted dataset.

 

[TrueNasForever]

Upon creating a new pool and choosing to encrypt the top-level root dataset (remember, with native ZFS encryption, you don't encrypt pools; you encrypt datasets), it prompts you to download the "encryption key" because TrueNAS's GUI defaults to using a randomly generated keystring upon first-time use of encryption. (There are reasons for this.)

Once you switch to using a passphrase for this top-level root dataset (or any dataset, really), then the "keyfile" is no longer relevant. There's nothing to export; it's a matter of memorizing your passphrase. (However, you should still get in the habit of regularly exporting your dataset encryption keys for the entire pool. The reason for this is you can have a mix of passphrases and keyfiles within the same pool. Doing this export will save a .json file with the keystrings for the datasets that use them. The datasets that use a passphrase? They will not be included in this .json file that you exported. Again, because it's your responsibility to memorize your passphrases.)




I think you mean "master key". The master key is the actual key (256-bit wide by default) that is used to encrypt/decrypt your data. You have no control of choosing it, as it is randomly generated every time you create a new encrypted dataset. It's different for every dataset. When you change the passphrase or keystring, you're simply re-encrypting the same master key that uses the new passphrase/keystring, while essentially making the old passphrase/keystring useless. The true 256-bit master key itself never changes after it is generated for the first time in the background when you create a new encrypted dataset.

Thank you for the detailed answer and the correction of my half-knowledge . I have never received an answer so quickly in a forum exactly to the point. Now I can continue with peace of mind .

 

[winnielinnie]

Just a few additional points:

The documentation and tooltips for TrueNAS Core (which introduced native ZFS encryption) get some things "wrong" or improperly explains them "vaguely", some of which haven't been corrected yet. (Some explanations in the documentation and tooltips were corrected after some bug reports.)

• Pools are not encrypted (only datasets are)
• The keyfiles are not stored on the System Dataset; they are stored on the boot-pool (which is how TrueNAS is able to auto-unlock keyfile-protected datasets at bootup, including the System Dataset if it is also encrypted)
• The inability to "lock" a dataset that is protected with a keyfile is not a ZFS limitation. This is a TrueNAS design. Someone can lock/unlock and mount/unmount any encrypted dataset (even keyfile-protected) in a ZFS pool in pure FreeBSD or Linux system. Technically, TrueNAS could allow us to lock/unlock a keyfile-protected dataset on-demand, but I doubt they'll ever implement this, since users might accidentally try to lock their System Dataset which can break a live system.
• Encryption, master key, user key, passphrase, keyfile, keystring, etc, are all distinct terms with very specific meanings and purposes; however, these terms often get conflated with each other which causes more confusion for new users.

 

[MisterE2002]

So, i thought i did understand the inner workings. But then i read:

All pool-level encryption is key-based encryption. You cannot use passphrase encryption at the pool/root level.

For me this implies that when i create a pool with encryption i need to save the initial key. But AFAIK i changed the root to passphrase encryption. Had to move the System dataset to the boot-pool to make it work.

And also

All datasets created in an encrypted pool have encryption. You cannot create an unencrypted dataset in an encrypted pool.

Just created a unencrypted dataset which seems to work.

Do i misunderstand the wordings?
Is "encrypted pool" here the old GELI method?


Found this reaction of winnielinnie
The statement of the root-dataset seems wrong if i understand correctly. You can use passphrase encryption *but* your System Dataset needs to be migrated to the boot pool. The forum seems more clear than iX documentation.

 

[winnielinnie]

But then i read:

They keep using the incorrect terminology and go back-and-forth. Where's their editor/QA for their documentation? Just look at this random "gem" I found:

If you select the Encryption option on the it forces encryption for all datasets

Goodness, the documentation is confusing and contradicts itself, and it's simply not true:

Implementing Encryption​

Before creating a pool with encryption make sure you want to encrypt all datasets and data stored on the pool.

You cannot change a pool from an encrypted to a non-encrypted, you can only change the encryption type for the datasets in the encrypted pool.

If your system does not have enough disks to allow you to create a second storage pool, it is recommend you not use encryption at the pool level. If you want to mix encrypted and unencrypted datasets, do no implement encryption at the pool level.

All datasets created in an encrypted pool have encryption. You cannot create an unencrypted dataset in an encrypted pool.
All pool-level encryption is key-based encryption. You cannot use passphrase encryption at the pool/root level.

---

EDIT: Unless they are now imposing certain limitations in TrueNAS SCALE that I am unaware of?

SCALE users: Did they forcefully remove the ability to mix encrypted with non-encrypted datasets under the same pool, even with the root dataset using encryption?