Hello! I've recently upgraded to TrueNAS 12 and am migrating my GELI-based legacy password encryption over to ZFS-native encryption. My previous pool used password encryption, which is a property that I want to preserve. Specifically, I'd like none of my data (including jail filesystems) to be available until an admin has entered an unlock password.
Since TrueNAS's encryption support prohibits the use of password protection on the root dataset of the ZFS pool that hosts the system dataset, and I want to use my main pool for the system dataset, I've enabled key-based encryption for the root dataset in the pool. Then, I created a password-protected dataset underneath the root dataset called "enc" where I plan to house all of the data that I want to be password-protected.
When I backed up my legacy data in preparation for the transfer, I also recursively backed up my iocage datasets and restored them to my "enc" directory so they become password-protected. However, I am running into a problem: as far as I can tell, iocage will only install to /mnt/pool-name/iocage, and will not acknowledge the /mnt/pool-name/enc/iocage path that I unpacked the jails into. I even tried changing the mountpoint of /mnt/pool-name/enc/iocage to /pool-name/iocage and this doesn't fool the iocage tool, which still tries to initialize datasets at the fixed path and will fail.
So far, a few options come to mind:
- If there is a way to tell TrueNAS / iocage to use my encrypted path as the iocage dataset instead of the default, that might work.
- If there is a way to have iocage register/manage jails in a different directory, I can manually import each jail from the encrypted dataset.
- I could always move the system volume off my pool and onto my boot dataset and then password-protect my entire pool. I don't really want to do that since my boot dataset isn't too large, but maybe I can if I have to.
Side question: If I do use a password-protected dataset for my jails, will TrueNAS be smart enough, like FreeNAS 11, to not try and launch the jails until the dataset has been unlocked, and then launch all autostart jails once it has?
Thanks in advance for any insight/guidance!
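An added example (not from the original post, and not TrueNAS or iocage code) of the kind of pre-start gate the side question asks about: it parses `zfs get -H -o name,property,value -r keystatus` output and treats a jail as startable only when neither it nor any ancestor dataset has an unloaded encryption key. The pool name `tank`, the dataset names and the sample output below are constructed assumptions.

```python
"""Gate jail autostart on the keystatus of the encrypted dataset above it.
Added example; assumes the pool is called `tank` and jails live under
tank/enc/iocage/jails (user-chosen names, not fixed by TrueNAS)."""
import subprocess

# Constructed sample of `zfs get -H -o name,property,value -r keystatus tank`
# while tank/enc is still locked (keystatus "unavailable" is inherited by
# every dataset under the encryption root; unencrypted datasets show "none").
SAMPLE = (
    "tank\tkeystatus\tavailable\n"
    "tank/enc\tkeystatus\tunavailable\n"
    "tank/enc/iocage\tkeystatus\tunavailable\n"
    "tank/enc/iocage/jails/web\tkeystatus\tunavailable\n"
    "tank/iocage\tkeystatus\tnone\n"
)

def parse_zfs_get(output):
    """Turn tab-separated `zfs get -H` lines into {dataset: {prop: value}}."""
    props = {}
    for line in output.strip().splitlines():
        name, prop, value = line.split("\t")
        props.setdefault(name, {})[prop] = value
    return props

def locked_datasets(props):
    """Datasets whose key is not loaded. 'available' and 'none' (unencrypted)
    are fine; anything else, e.g. 'unavailable', means the data is not readable."""
    return {n for n, p in props.items()
            if p.get("keystatus") not in (None, "available", "none", "-")}

def jail_startable(jail_dataset, props):
    """True only if the jail dataset and every ancestor are unlocked."""
    locked = locked_datasets(props)
    parts = jail_dataset.split("/")
    return not any("/".join(parts[:i]) in locked for i in range(1, len(parts) + 1))

def startable_jails(jail_datasets, props):
    """Filter an autostart list down to jails whose data is actually reachable."""
    return [j for j in jail_datasets if jail_startable(j, props)]

def live_props(pool):
    """Query the real system; needs the zfs CLI (FreeBSD/TrueNAS)."""
    out = subprocess.run(["zfs", "get", "-H", "-o", "name,property,value", "-r",
                          "keystatus", pool], check=True, capture_output=True,
                         text=True).stdout
    return parse_zfs_get(out)

if __name__ == "__main__":
    props = parse_zfs_get(SAMPLE)  # swap for live_props("tank") on a real box
    print("locked:", sorted(locked_datasets(props)))
    print("startable:", startable_jails(["tank/enc/iocage/jails/web"], props))
```

Run against `live_props("tank")` from a cron or post-unlock hook to decide when `iocage start` is safe to issue; against the sample it reports the jail as not startable.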