This thread is one of the top search results and I was quite confused after reading it so I thought I would post my findings here, in case anyone else comes across this.
== GELI vs ZFS native encryption
FreeNAS supported only GELI encryption. TrueNAS only supports ZFS encryption.
== TrueNAS encryption vs ZFS native encryption
TrueNAS doesn't implement its own encryption. It uses ZFS native encryption under the hood (it just automates things that you can do on the CLI).
== ZFS encryption
ZFS native encryption uses a "data encryption key". When creating an encrypted pool/dataset you select the length of this key. This key is what's actually used for encrypting/decrypting data on disk. This key is stored in the pool/dataset metadata (i.e. on the same drives where the pool/dataset sits).
The "data encryption key" is encrypted using a "wrapping key". The wrapping key is derived from one of these two:
- password
- keyfile
You cannot access the "data encryption key" without having the "wrapping key". In other words, you cannot read the data on disk without knowing the password or having the keyfile.
This indirection ("a layer of abstraction") is what makes a number of things possible. For example, if your password or keyfile were used directly to encrypt the data (rather than the "data encryption key"), you wouldn't be able to change your password without re-encrypting the whole pool/dataset.
== How to use ZFS native encryption in TrueNAS
ZFS native encryption is the only option. You create an encrypted pool/dataset using the web UI.
== Default TrueNAS setup for encryption
When you create an encrypted pool/dataset in TrueNAS, it defaults to using a keyfile as the "wrapping" key. To the best of my knowledge, it's not possible to create an encrypted pool/dataset using a password. You can create an encrypted pool (which will use a "wrapping keyfile") and then change it to use a password.
The "wrapping keyfile" created by TrueNAS is stored in an sqlite file on the boot pool. The sqlite file is unencrypted. The values in sqlite are encrypted using a "master key" which is stored on the boot pool under `/data/pwenc_secret`.
So in total, when you use the TrueNAS UI to create an encrypted pool/dataset, there are 3 keys involved:
- zfs "data encryption key", stored in zfs metadata
- "wrapping" keyfile, which is used to decrypt the zfs "data encryption key", stored in sqlite on the boot pool
- "master key", which is used to decrypt the "wrapping" keyfile, stored on the boot pool under `/data/pwenc_secret`
When the TrueNAS system boots, it uses the "master key" to decrypt the "wrapping" keyfile, which is then used to decrypt the zfs "data encryption key". There is no password involved here, which is why it can auto-mount. In other words, if someone physically steals your machine, they will be able to access your data.
== TrueNAS exporting the wrapping keyfile
If you use the default TrueNAS "wrapping" keyfile, the key can be exported at creation of the pool/dataset (you will get a pop up in the web UI) or afterwards in the dataset options.
However, if you switch to using a password, the wrapping key will be switched from being derived from a keyfile to being derived from a password, and in the process the keyfile will be removed from sqlite. If the key is gone, it's not possible to export it. That's why the UI won't show an option to export the key once you have switched to a password-based "wrapping key".
== TrueNAS: how to switch from using a keyfile to using a password
You can switch the wrapping key from being derived from a keyfile to being derived from a password (and the other way as well). Once you switch to a password, only two keys are involved:
- zfs "data encryption key", stored in zfs metadata
- "wrapping" key, derived from the password, used to encrypt the zfs "data encryption key", not stored anywhere (ideally you should use a password manager!)
To make the switch in the web UI:
- Storage -> Pools -> in the dataset options -> Encryption Options -> Encryption Type -> change from Key to Passphrase
Once you have switched to a password, you will also have the option to lock your dataset:
- Storage -> Pools -> in the dataset options -> Encryption Actions -> Lock
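As an added illustration (my own toy model, not TrueNAS or OpenZFS code): the key hierarchy described above, written out as a small Python program. It models the three keys of the default TrueNAS setup (data encryption key in dataset metadata, wrapping keyfile in sqlite, master key in `/data/pwenc_secret`), shows why the box can unlock itself after a reboot, and then performs the "Key -> Passphrase" switch: only the wrapped data encryption key is rewritten, the encrypted blocks on disk stay byte-for-byte identical, and the keyfile disappears from the boot pool so nothing can auto-unlock any more. The cipher is a deliberately simple SHA-256 keystream plus HMAC tag standing in for the AES-GCM/CCM that ZFS really uses; the class and function names (`Dataset`, `BootPool`, `default_flow`, `switch_to_passphrase`) and the sample data are invented for this example.

```python
import hashlib
import hmac
import secrets

# Toy cipher: a stand-in for ZFS's real AES-GCM/CCM (assumption: illustrative only).
# It only models the property that matters here: data is unreadable without the key.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong wrapping key or corrupted data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

# The two ways a wrapping key can be derived.
def wrapping_key_from_passphrase(passphrase: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, 32)

def wrapping_key_from_keyfile(keyfile: bytes) -> bytes:
    return keyfile  # a raw 32-byte keyfile is used as-is

class Dataset:
    """Disk side: encrypted blocks plus metadata holding the *wrapped* data encryption key."""
    def __init__(self, wrapping_key: bytes, keyformat: str, salt: bytes = b""):
        dek = secrets.token_bytes(32)  # data encryption key, generated once and never changed
        self.blocks = []               # ciphertext written under the DEK
        self.meta = {"keyformat": keyformat, "salt": salt, "wrapped_dek": encrypt(wrapping_key, dek)}
        self._dek = None               # None == key not loaded (keystatus "unavailable")

    def load_key(self, wrapping_key: bytes):   # like `zfs load-key`
        self._dek = decrypt(wrapping_key, self.meta["wrapped_dek"])

    def unload_key(self):                      # like `zfs unload-key` / the UI "Lock" action
        self._dek = None

    def _require_key(self) -> bytes:
        if self._dek is None:
            raise RuntimeError("dataset is locked: wrapping key not loaded")
        return self._dek

    def write(self, data: bytes):
        self.blocks.append(encrypt(self._require_key(), data))

    def read(self):
        return [decrypt(self._require_key(), b) for b in self.blocks]

    def change_key(self, old_wk: bytes, new_wk: bytes, keyformat: str, salt: bytes = b""):
        # like `zfs change-key`: only the DEK is re-wrapped, the data blocks are untouched
        dek = decrypt(old_wk, self.meta["wrapped_dek"])
        self.meta = {"keyformat": keyformat, "salt": salt, "wrapped_dek": encrypt(new_wk, dek)}

class BootPool:
    """Boot-pool side as the post describes it: master key in /data/pwenc_secret,
    dataset keyfiles kept in sqlite encrypted under that master key."""
    def __init__(self):
        self.pwenc_secret = secrets.token_bytes(32)  # the "master key"
        self.sqlite = {}                             # dataset name -> encrypted keyfile

    def store_keyfile(self, ds_name: str, keyfile: bytes):
        self.sqlite[ds_name] = encrypt(self.pwenc_secret, keyfile)

    def export_keyfile(self, ds_name: str) -> bytes:  # the UI "Export Key" action
        return decrypt(self.pwenc_secret, self.sqlite[ds_name])

    def drop_keyfile(self, ds_name: str):
        self.sqlite.pop(ds_name, None)

SAMPLE = b"payroll.csv contents (constructed sample)"

def default_flow():
    """Default TrueNAS creation: keyfile as wrapping key, keyfile stored on the boot pool."""
    boot, keyfile = BootPool(), secrets.token_bytes(32)
    ds = Dataset(wrapping_key_from_keyfile(keyfile), "hex")
    boot.store_keyfile("tank/private", keyfile)
    ds.load_key(wrapping_key_from_keyfile(keyfile))
    ds.write(SAMPLE)
    ds.unload_key()  # simulate a reboot
    # Boot: master key -> keyfile -> DEK, with no human input, hence the auto-mount.
    ds.load_key(wrapping_key_from_keyfile(boot.export_keyfile("tank/private")))
    return boot, ds, ds.read()

def switch_to_passphrase(boot: BootPool, ds: Dataset, passphrase: str) -> dict:
    """Encryption Options -> Encryption Type -> Key to Passphrase, then Lock."""
    before = list(ds.blocks)
    old_wk = wrapping_key_from_keyfile(boot.export_keyfile("tank/private"))
    salt = secrets.token_bytes(16)
    ds.change_key(old_wk, wrapping_key_from_passphrase(passphrase, salt), "passphrase", salt)
    boot.drop_keyfile("tank/private")  # keyfile leaves sqlite: nothing left to export or auto-unlock with
    ds.unload_key()
    ds.load_key(wrapping_key_from_passphrase(passphrase, ds.meta["salt"]))
    return {"blocks_unchanged": ds.blocks == before,
            "keyfile_exportable": "tank/private" in boot.sqlite,
            "data": ds.read()}

if __name__ == "__main__":
    boot, ds, data = default_flow()
    print("auto-unlocked after reboot:", data)
    print(switch_to_passphrase(boot, ds, "correct horse battery staple"))
```

The useful checks to take from the model: after the switch the ciphertext list is unchanged (no re-encryption happened), the boot pool no longer holds anything that can unwrap the DEK, and loading the key with a wrong passphrase fails at the wrap layer rather than producing garbage data.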