How to access TrueNAS encrypted datasets backup up with rsync to SMB share Windows 10

[Alfnie]

I have been searching the forum and google about this a lot, but I can't find out how to solve my issue. And maybe I should not do it like this, then I am curious what the proper way is to do my backup job.

In TrueNAS I setup a RSYNC Task to a remote destination (USB-HDD connected to my Windows 10 PC), this works. The Task succeeds, and I can see the folders on my USB-HDD through windows.

However, one dataset from the TrueNAS I have encrypted with passphrase, and this Folder on the USB-HDD says I don't have access to it.
So, how can I access the contents of the encrypted folder via Windows 10 PC? I am not prompted any user login, nor any passphrase to decrypt the folder.
I have tried setting the user in de RSYNC-task to both 'root' as '*myuser*', no result.

I would like to have the folderstructure and files visible on my Backup USB-HDD, so that is why I would prefer RSYNC to do this. After the backup is complete, I disconnect my USB-HDD and store it somewhere safe.

Thanks for help in advance!

Version: TrueNAS-13.0-U5.3 (Core)
Mainboard: Gigabyte B360M D3H
CPU: Intel(R) Pentium(R) Gold G5400T
RAM: 8GB

 

[Alfnie]

kindly bump

 

[winnielinnie]

kindly bump

You have violated Ordinance 1263, section 4.02 P3: Bumping your own thread before ten business days have passed. Stay where you are. Do not move. You have the right to an attorney.

one dataset from the TrueNAS I have encrypted with passphrase

Is it "locked" when you run the Rsync Task?

ZFS encryption is agnostic to transferring files (in the plain) to another non-ZFS source with a file-based tool. It should have no effect, either way.


How did you configure this Rsync Task? Are you actually rsync'ing to an SMB Share or to Windows 10 via SSH?

 

[Alfnie]

You have violated Ordinance 1263, section 4.02 P3: Bumping your own thread before ten business days have passed. Stay where you are. Do not move. You have the right to an attorney.




Is it "locked" when you run the Rsync Task?

ZFS encryption is agnostic to transferring files (in the plain) to another non-ZFS source with a file-based tool. It should have no effect, either way.


How did you configure this Rsync Task? Are you actually rsync'ing to an SMB Share or to Windows 10 via SSH?

Oops, I had 3 days in mind, my apologies..

The dataset is unlocked until I reboot the TrueNAS, so I assume that it is unlocked then I run the Rsync Task.

Below are the settings of the Rsync Task.
I am rsyncing to an SMB Share on another Netgear NAS over the internal network (nog via SSH or anything).

Path	Remote Host	Remote Module Name	User
/mnt/NAS_STORE	192.168.2.83	BACKUP_TOTAL	root

Remote SSH Port:
22

Remote Path:
Direction:
PUSH

Schedule:
At 12:00 AM, only on Sunday

Short Description:
PushBackup NAS_STORE to BACKUP_TOTAL

Delay Updates:
true

Enabled:
true

 

[winnielinnie]

However, one dataset from the TrueNAS I have encrypted with passphrase, and this Folder on the USB-HDD says I don't have access to it.
So, how can I access the contents of the encrypted folder via Windows 10 PC?

Can you describe this better?

Are you saying that on your USB HDD, you will see the root directory (from your pool's root dataset itself), and then inside it you will see subfolders that match the names of your child datasets?

However, one subfolder in particular gives you "access denied"? This subfolder happens to coincide with the name of your encrypted dataset?

I am rsyncing to an SMB Share on another Netgear NAS over the internal network

You're not actually rsyncing it to an SMB Share, per se. You're syncing it via the rsync:// protocol.

But if this is a Netgear NAS, how come you're referencing Windows 10 in your first post?

 

[Alfnie]

But if this is a Netgear NAS, how come you're referencing Windows 10 in your first post?

My apologies, upon posting the destination was my Windows 10 PC, and the USB-HDD drive connected.
Then after my Post I thought 'let's try and see what happens if I do exactly the same but with the USB-HDD connected to the Netgear NAS.
Again, with the same Rsync Task, to another remote source (from Windows10 to NetgearNAS. The result was the same.

Can you describe this better?

Yes, after the Rsync Task is completed, there is one main directory (NAS_STORE, name of pool), and 2 sub-directories (Media_home and Unsorted_dump, names of two datasets). The dataset Unsorted_dump is encrypted with passphrase, when the NAS is stolen, the dataset is encrypted.
I can approach the USB-HDD directly connected in windows10, or via SMB to the Netgear NAS, so I can click the directories.
I can open the unencrypted directory, but can't access the encrypted directory. I hope this describes it better.

Are you saying that on your USB HDD, you will see the root directory (from your pool's root dataset itself), and then inside it you will see subfolders that match the names of your children datasets?

Yes, this is correct.
NAS_STORE (root directory, name of pool, so it's the pool's root dataset)
+Dataset Media_home (not encrypted)
+Dataset Unsorted_dump (encrypted, with passphrase)

However, one subfolder in particular gives you "access denied"? This subfolder happens to coincide with the name of your encrypted dataset?

Yes, to make it concrete:
Main folder is the NAS_STORE which is the name of the Pool with underlying subfolders/datasets.
Folder 1 (not encrypted): Media_home => purpose is public video's for home network
Folder 2 (encrypted): Unsorted_dump => private dump to sort out later (media/files etc.)
Folder 1 is available, and folder 2 gives the "access denied".

You're not actually rsyncing it to an SMB Share, per se. You're syncing it via the rsync:// protocol.

Ok, let's test if I understand this. I use the rsync protocol. The SMB is also a protocol, that I don't use. SMB has nothing to do with this, it's a property of protocol to connect with the drives-shares.

 

[winnielinnie]

Folder 1 is available, and folder 2 gives the "access denied".

That can't be because of ZFS encryption on the source pool. You're obviously saving it to an NTFS, exFAT, or FAT32 filesystem on the USB HDD, otherwise you wouldn't be able to access the files in Windows.

All your files and folders, from all datasets, should accessible, in the plain (unencrypted) on the USB HDD. Perhaps it's a Windows' permission/security issue?

Something is not adding up...

 

[Alfnie]

That can't be because of ZFS encryption on the source pool. You're obviously saving it to an NTFS, exFAT, or FAT32 filesystem on the USB HDD, otherwise you wouldn't be able to access the files in Windows.

All your files and folders, from all datasets, should accessible, in the plain (unencrypted) on the USB HDD. Perhaps it's a Windows' permission/security issue?

Something is not adding up...

Ok, that rules some things out.
Any directions/ideas for me how I can troubleshoot this?

I have looked into the settings of USB-HDD via the Netgear browser.
The drive is formatted EXT4, the share is accesible with SMB and RSYNC, the authorization is Everyone Read/Write.
This seems ok to me.

Im not sure how to proceed

--update-- Can it be that I Push the Rsync backup job from the TrueNAS with some Read-only attributes and to some unknown user?

 

[winnielinnie]

The drive is formatted EXT4

USB-HDD connected to my Windows 10 PC

EXT4? Then how are you accessing it in Windows 10?


You'll need to share the Rsync configuration, and the info of the destination drive. We're only shooting in the dark at this point.

I can tell you that ZFS encryption doesn't transfer to a non-ZFS filesystem. (So keep in mind that your data on the USB HDD is not encrypted.)

 

[Alfnie]

EXT4? Then how are you accessing it in Windows 10?


You'll need to share the Rsync configuration, and the info of the destination drive. We're only shooting in the dark at this point.

I can tell you that ZFS encryption doesn't transfer to a non-ZFS filesystem. (So keep in mind that your data on the USB HDD is not encrypted.)

Thanks for your ongoing help on this matter. I made some infographic to visualize my setup including some printscreens. See below.
Please let me know if you need other information about Rsync configuration or anything.

 

[winnielinnie]

I can only read English, but here's what I gathered, which you might find helpful and possibly lead to a solution:

1. This is a permissions issue. (Nothing to do with encryption.) On your ReadyNAS, you need to review/edit the ownership and permissions to allow the username (that you provided the first time you connected via SMB) to access the folders and files.
2. According to your screenshot, "Media_home" is not encrypted on TrueNAS. (You claim it is.) Nevermind. It's how you worded it that threw me off. You know it's unencrypted.
3. Encryption is irrelevant once the data leaves TrueNAS (ZFS). Your files, even from encrypted sources, are saved in the plain (non-encrypted) on your ReadyNAS USB HDD.

 

[Alfnie]

I can only read English, but here's what I gathered, which you might find helpful and possibly lead to a solution:

1. This is a permissions issue. (Nothing to do with encryption.) On your ReadyNAS, you need to review/edit the ownership and permissions to allow the username (that you provided the first time you connected via SMB) to access the folders and files.
2. According to your screenshot, "Media_home" is not encrypted on TrueNAS. (You claim it is.) Nevermind. It's how you worded it that threw me off. You know it's unencrypted.
3. Encryption is irrelevant once the data leaves TrueNAS (ZFS). Your files, even from encrypted sources, are saved in the plain (non-encrypted) on your ReadyNAS USB HDD.

I have tried this weekend to fix the permissions issue, but without any luck.

Since it does not have anything to do with the TrueNAS side and corresponding encrypted datasets, I am not sure if this is the right place to ask for help. Any idea where I can find further help in troubleshooting this network permission issue?

Thanks for ruling out some of the issues.

 

[winnielinnie]

I have tried this weekend to fix the permissions issue, but without any luck.

What did you try?

 

[chuck32]

So all datasets get created by the same rsync task and all folders are shared at one level higher via truenas smb?
-> basically all permissions should be the same if I'm not wrong
Your other encrypted datasets created with the same task are accessable to you?


Can you try creating a share directly for the unsorted_dump folder and see if you can access that?

 

[Alfnie]

What did you try?

I have set ownership and permissions on ReadyNAS to allow username 'nsteve' to access folders and files, which is the user which I log in and which has access to other shares to ReadyNAS.

 

[Alfnie]

So all datasets get created by the same rsync task and all folders are shared at one level higher via truenas smb?
-> basically all permissions should be the same if I'm not wrong
Your other encrypted datasets created with the same task are accessable to you?


Can you try creating a share directly for the unsorted_dump folder and see if you can access that?

Yes, I tried this via CMD, no luck.

mkdir \\192.168.2.83\backup_total\Unsorted_dump\test
Access Denied

 

[chuck32]

Yes, I tried this via CMD, no luck.

I meant creating a share in truenas for that folder specifically.

Currently you created a share of backup_total if I understand correctly and that contains subfolders, one of which you cannot access. I meant you could test whether you can access the folder if you create a SMB share to that subfolder directly, i.e. sharing unsorted_dump directly.