How to lock datasets after unlocking and locking advantage

flmmartins

Dabbler
Joined
Sep 19, 2022
Messages
31
Hello all,

Thanks for reading this! I have 2 questions:

1. I have 2 machines. Each has its own pool: on the source it is called default and on the destination the pool is called backuphd.

I replicated my default pool to backuphd/default_replication. On backuphd/default_replication I pressed Unlock because I wanted to see if replication actually worked, but now my dataset appears unlocked. How can I lock it again with the source encryption key?

I have already entered the encryption menu and tried to encrypt again with the same key, as shown below (key omitted, of course):

[screenshot of the ZFS encryption dialog: 1699113221259.png]



2. I was just wondering.... What's the benefit of encrypting a pool if, in order to share it on the network they need to be unlocked?

Tks!
 

chuck32

Guru
Joined
Jan 14, 2023
Messages
623
I'm not sure I follow, but unlocking does not decrypt the dataset permanently.

Go to Datasets and click on the dataset you want to lock. In the next menu, under ZFS encryption you find the button "Lock" -> it will lock the dataset again using the original encryption method.

2. I was just wondering.... What's the benefit of encrypting a pool if, in order to share it on the network they need to be unlocked?
How would you access an encrypted dataset then?

Personally for me, I use passphrase encryption to be protected in case of physical theft of the machine.
 

flmmartins

Dabbler
Joined
Sep 19, 2022
Messages
31
Ah, so unlocking doesn't mean it's decrypted. I thought it was decrypted from the moment you clicked Unlock. Okay, so that's good!

I tried to find this option you mentioned but I couldn't find it. If I click on ZFS encryption it shows the image I pasted. There's no LOCK button.

Tks for answering!
 
Joined
Oct 22, 2019
Messages
3,641
With ZFS, you use the umount/unload-key commands to lock the dataset. (It doesn't matter if it's a keystring or passphrase).

With TrueNAS, for some reason they removed the ability (from the GUI) to lock an encrypted dataset that uses a keystring.

It may be due to legacy reasons, or because they don't want you to accidentally lock the hidden ".system" dataset.
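The umount/unload-key sequence described above, written out as a small POSIX shell script. This is an added example for the thread, not TrueNAS or OpenZFS code; it assumes the OpenZFS `zfs` CLI is installed and that the caller has root. The dataset name backuphd/default_replication is the one from the question; the refusal to touch a tree containing a ".system" child is my own guard, based only on the guess in the post above about why the GUI hides the Lock button. The final `keystatus` line shows the point made in the next post: "unavailable" means the key is no longer loaded in RAM, while the data on disk was encrypted the whole time.

```shell
#!/bin/sh
# lock_dataset.sh: lock (re-seal) an encrypted ZFS dataset from the shell.
# Added example for this thread; assumes the OpenZFS `zfs` CLI.
set -e

# `zfs unload-key` only works on an encryption root, so check that first.
is_encryption_root() {
    [ "$(zfs get -H -o value encryptionroot "$1")" = "$1" ]
}

# Unmount every mounted dataset under DS, deepest first (sort -r puts
# children before their parents), so unload-key is not refused as busy.
unmount_tree() {
    zfs list -H -r -o name,mounted -s name "$1" |
        sort -r |
        while read -r name mounted; do
            if [ "$mounted" = "yes" ]; then
                zfs unmount "$name"
            fi
        done
}

# Lock DS: unmount its tree, unload the key for DS and all descendants,
# then print keystatus ("unavailable" once the key is out of RAM).
lock_dataset() {
    ds=$1
    if ! is_encryption_root "$ds"; then
        echo "refusing: $ds is not an encryption root" >&2
        return 1
    fi
    # Assumed guard: TrueNAS keeps its hidden ".system" dataset on a pool;
    # do not lock a tree that contains it.
    if zfs list -H -r -o name "$ds" | grep -q '/\.system$'; then
        echo "refusing: $ds contains the TrueNAS .system dataset" >&2
        return 1
    fi
    unmount_tree "$ds"
    zfs unload-key -r "$ds"
    zfs get -H -o value keystatus "$ds"
}

# Usage: ./lock_dataset.sh backuphd/default_replication
case "${1:-}" in
    "") ;;
    *) lock_dataset "$1" ;;
esac
```

Run it as root with the replicated dataset's name; afterwards `zfs get keystatus` reports "unavailable" and the TrueNAS GUI shows the dataset as locked again. Unlocking later with `zfs load-key` (or the GUI's Unlock) only reloads the same key; the encryption itself was never removed.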
 
Joined
Oct 22, 2019
Messages
3,641
Ah so unlocking doesn't mean it's decrypted.
When a dataset is "unlocked", it means that the Master Key is loaded in RAM, and hence you can decrypt the data.

But no matter what, once the system powers off or the drive(s) are removed, the Master Key is gone. (No longer in RAM. Data remains encrypted at rest.)
 

flmmartins

Dabbler
Joined
Sep 19, 2022
Messages
31
Thanks, I can see this behaviour now that I did a detach and import of the pool ^^
 