-
Important Announcement for the TrueNAS Community.
The TrueNAS Community has now been moved. This forum will now become READ-ONLY for historical purposes. Please feel free to join us on the new TrueNAS Community Forums
Lock an Encrypted Dataset
- Thread starter mro
- Start date
winnielinnie
MVP
- Joined
- Oct 22, 2019
- Messages
- 3,641
Is it a passphrase protected dataset or did you use a keyfile?
Key File that i took from the Source Truenas Box
winnielinnie
MVP
- Joined
- Oct 22, 2019
- Messages
- 3,641
Oh well thats not a good design. Thanks for the info.
- Joined
- Apr 24, 2020
- Messages
- 5,399
I don’t believe that’s actually the case. There’s a pull-down menu at the right of the dataset underneath the 3 dots, and there should be a “Lock” option in that menu for an unlocked dataset.
Could not see that at all
winnielinnie
MVP
- Joined
- Oct 22, 2019
- Messages
- 3,641
Agreed.
I can understand the justification for preventing the top-level root dataset from being locked if the System Dataset (.system) resides on that pool. Hence, why TrueNAS prevents you from moving the .system dataset to a pool in which the top-level root dataset is encrypted with a passphrase.
Why did they remove the option to "Lock" a dataset that doesn't use a passphrase? I think it's an artifact of how it was designed with handling GELI (legacy encryption) from version 11.x and earlier. There's no logical reason for preventing a user from locking an encrypted dataset that uses a keyfile instead of a passphrase, aside from the exception explained above in regards to protecting .system.
In the above screenshot, there are no child datasets nested underneath "playground". The dataset is encrypted, using a keyfile.
Last edited:
HarambeLives
Contributor
- Joined
- Jul 19, 2021
- Messages
- 153
I came across this thread from a Google Search, and also found no way to lock the dataset.
This becomes a much bigger problem when you take into replication. The replication task attempts to match the GID's, not the usernames. So a replicated dataset gets a random mix of users from the second NAS unless all GID's match (And what are the chances of that?)
Now I have an unlocked dataset that can't be locked, which has a random mix of user permissions, and it can't be edited as its read only!
This becomes a much bigger problem when you take into replication. The replication task attempts to match the GID's, not the usernames. So a replicated dataset gets a random mix of users from the second NAS unless all GID's match (And what are the chances of that?)
Now I have an unlocked dataset that can't be locked, which has a random mix of user permissions, and it can't be edited as its read only!
- Joined
- Jan 1, 2016
- Messages
- 9,703
Export the pool and import it again, the datasets will be locked until unlocked again.
Perhaps consider using passphrases on datasets you want to lock/unlock on demand and never encrypt/lock the root dataset (also, don't put any content you want protected in it).
Don't forget what you're protecting against here... Protecting with keys makes sure the disks can't be used in any other system if removed, but doesn't prevent content from being accessed locally, nor in replicated copies where the keys are supplied on the replica server.
Passphrase locked datasets are protected against use even in the local system until somebody unlocks them with the passphrase (at which point the content is open to all with access to the server, including replication... but replication is at block level, so the encryption method will ensure that the passphrase is required on the replica also)
GELI/Legacy encryption is different and I'm not talking about that here, only Native ZFS encryption.
HarambeLives
Contributor
- Joined
- Jul 19, 2021
- Messages
- 153
I've moved the system dataset off the pool
Is it okay to go and change the encryption to passphrase now, or should I re-create the pool?
Is it okay to go and change the encryption to passphrase now, or should I re-create the pool?
HarambeLives
Contributor
- Joined
- Jul 19, 2021
- Messages
- 153
Answered my own question, yes you can just change it. Works great
