Newbie - cannot find setting to backup encryption keys

Giacomo_W

Dabbler
Joined
Apr 13, 2021
Messages
11
I am completely new in the world of TrueNAS.
So if I do things wrong or have to share more info, please tell me.

I have set up TrueNAS and version TrueNAS-12.0-U2.1 is up and running.
Recently I had an issue and had to go through several settings to get things up and running again.
At that time I did not know how or where to backup things.

I looked it up in the manual/documentation, but the screenshot of the pool action menu is different from the one I see.
manual site : https://www.truenas.com/docs/core/
It says in the manual that I have to select Export Dataset Keys, see screenshot 1
screenshot 1.jpg

But I do not have that option in my menu, see screenshot 2
screenshot 2.jpg

I found the backup for the configuration in system.
So I generated a .tar file, but now I miss the dataset keys.

Can it be that I forgot to encrypt the dataset and therefore I do not see this option?
I cannot remember doing this because I set up the NAS together with a friend.

Can someone tell me if I miss out on something?
Please advise?
 
Joined
Oct 22, 2019
Messages
3,641
What is the output of:

zfs get encryption poolname

Substitute poolname for your actual pool.
 

Giacomo_W

Thanks for your quick response, winnielinnie.
Output is: "poolname encryption off default"
So I understand the pool is not encrypted.
Can I still encrypt it now, or do I have to remove or recopy all data to do so?
 
Joined
Oct 22, 2019
Messages
3,641
Based on that output, it appears that encryption was not enabled during pool creation. (It's a bit misleading, since it does not prevent you from encrypting new child datasets independently of the root dataset's property.)

However, it sounds like you already filled everything up with data on these (default) non-encrypted datasets?

You can recreate the pool, enable encryption, and from this point forwards newly created child datasets will inherit (by default) the root dataset's encryption properties. BE CAREFUL, as this involves destroying data, and I am not sure how many copies of your data exist, let alone your backup routine, let alone if you still have an "original" pool with everything up-to-date. Absolutely back up your encryption keys (and keep them safe, and possibly as multiple copies) when everything checks out.

If you want to double-check your child datasets, you can invoke the "recursive" option, and glance through the output:
zfs get -t filesystem -r encryption poolname
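
An added example, not part of the posts above and not TrueNAS code: a small filter that summarises the recursive check and also shows which datasets are encryption roots, meaning the ones whose keys have to be exported. The function names, the output tags and the sample pool `tank` are assumptions; the sample lines are constructed so the script runs without a pool.

```shell
#!/bin/sh
# Summarise tab-separated `zfs get -H` output read on stdin.
# Expected columns: name <TAB> property <TAB> value
# Real input would come from:
#   zfs get -H -o name,property,value -t filesystem -r \
#       encryption,encryptionroot poolname

audit_encryption() {
    awk -F '\t' '
        $2 == "encryption" {
            if (!($1 in enc)) order[++n] = $1   # remember first-seen order
            enc[$1] = $3
        }
        $2 == "encryptionroot" { root[$1] = $3 }
        END {
            for (i = 1; i <= n; i++) {
                d = order[i]
                if (enc[d] == "off")
                    print "UNENCRYPTED " d
                else if (root[d] == d)
                    # This dataset holds its own key: back this key up.
                    print "KEYROOT " d " (" enc[d] ")"
                else
                    # Unlocked by the key of its encryption root.
                    print "INHERITS " d " <- " root[d]
            }
        }'
}

# Constructed sample: an unencrypted root dataset with one encrypted
# child created later, plus a grandchild that inherits from it.
sample_zfs_output() {
    printf 'tank\tencryption\toff\n'
    printf 'tank\tencryptionroot\t-\n'
    printf 'tank/media\tencryption\toff\n'
    printf 'tank/media\tencryptionroot\t-\n'
    printf 'tank/private\tencryption\taes-256-gcm\n'
    printf 'tank/private\tencryptionroot\ttank/private\n'
    printf 'tank/private/docs\tencryption\taes-256-gcm\n'
    printf 'tank/private/docs\tencryptionroot\ttank/private\n'
}

sample_zfs_output | audit_encryption
```

On a pool like the one in this thread every line would read UNENCRYPTED, which matches there being no keys to export.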
 

Giacomo_W

I checked the entire dataset as you suggested.
There is no encryption on the dataset at all.

If I want to recreate the pool, as you suggest, do I have to start from scratch?
Or can I just remove the data and encrypt the set?
The data is no problem, because I have that covered multiple times.
The only thing I miss out on is the system backup of my laptop.
But that I can easily restart after recreating the dataset.

So what would you advise I should do if I want to have the dataset encrypted?

Thanks in advance for your advice.
 
Joined
Oct 22, 2019
Messages
3,641
The simplest and least complex method would be to simply create a new pool from scratch, check the "Encryption" box, and then any new child datasets created on this pool will inherit the root dataset's encryption properties by default. (Likewise, any datasets created under another dataset will inherit the encryption properties of the parent, by default. You can always "break away" from this default inheritance by manually unchecking "Encryption" if you desire.) Any files copied to these new child datasets will be encrypted. (When you export/backup this new pool's dataset encryption key(s), it will work for all datasets. Keep this file safe, and preferably make multiple copies of it. If you trust your email or cloud storage provider, then attach/upload a copy of this file to yourself. If you lose the key, you can never access the data again.)

If the fact of destroying this currently non-encrypted pool (and its datasets) is not an issue nor concern, then the above method should work smoothly.
 

Giacomo_W

Because I never created a pool before, I am really a newbie, I wonder.
Is it wise to make screenshots of the settings as they are now for the set and children?
I can imagine that these settings in general will be the same in the new encrypted pool.
If that is the case it would make it easier to get things up and running again.
 
Joined
Oct 22, 2019
Messages
3,641
My own philosophy is: slower is better, no need to rush :smile:

Doesn't hurt to take screenshots and notes of your current settings and pool configuration. My hunch is that your child datasets are inheriting their parents' properties, all the way up to the root dataset.

You can usually leave the pool and dataset options at their defaults, as they work fine for SMB Shares, archives, and streaming multimedia.

Encryption or non-encryption is one of those properties that cannot be removed/added after it is initially set.
 

Giacomo_W

I agree. Speed is the mother of a lot of mistakes :wink:
I am going to double-check all the data I have now on my NAS, and save it if necessary.
Make screenshots of the settings pages and then create a new pool.
I will come back with the results, but that can take a few days.
As you said, "no need to rush, slower is better".
Thank you for your clear advice, winnielinnie. :cool:
 

Giacomo_W

Well, as I said, it will take a while and it did.
Lots of other things to do.
But then when I started, everything went well. All is set and my backups are up and running.
I did not forget to back up settings and keys, so if something goes wrong (no raid) everything can be restored easily (I hope :rolleyes:).
Again, thanks winnielinnie for your help.

Now I have another problem (updates are not coming in), but I have to open a new thread for that.

For me this thread can be closed.
 