winnielinnie (MVP) | Joined: Oct 22, 2019 | Messages: 3,641
I'm trying to understand what I'm reading across forum threads, here and elsewhere, regarding per-dataset encryption via OpenZFS 2.0.
1) Am I correct to assume that, beginning with TrueNAS 12 / OpenZFS 2.0, I can simply create pools without any underlying GELI/encryption, and then later decide to encrypt specific datasets as needed?
2) Would I be able to lock/unlock such datasets using a passphrase only, without a keyfile? (In the same way LUKS allows you to choose a keyfile or a passphrase per slot, and does not force you to use a keyfile.) The way GELI is currently implemented on FreeNAS forces you to use a keyfile, even for a pool that contains only data, with no jails, no plugins, and no system-dataset.
3) Would encrypting many separate datasets create a lot of CPU overhead, as each decryption is a separate process (e.g., I have 8 encrypted datasets, and if data is being accessed through all of them, there will be 8 decryption processes)?
4) Could this get around the issue with the locking/unlocking restrictions for the system-dataset? In other words, even with many encrypted datasets, the system-dataset will have a special protection where it cannot be locked with a passphrase (as it decrypts during boot), even though all the other datasets on the same pool can still be encrypted and locked with a passphrase.
Is there a guide anywhere that explains this new encryption method and how it applies to TrueNAS? I believe there are also some implications for replication tasks?
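Added example (the editor's, not from this thread or from the TrueNAS project): OpenZFS native encryption is a per-dataset property, each encrypted dataset carries a `keyformat` of `passphrase`, `hex` or `raw`, and `zfs load-key` / `zfs unload-key` unlock and lock it. The practical check behind questions 1, 2 and 4 is therefore an audit of which datasets are encrypted, with which key format, and whether their key is currently loaded. The script below reads the output of `zfs get -H -r -o name,property,value encryption,keyformat,keystatus <pool>` and reports one line per dataset. The sample output and the dataset names (`tank`, `tank/media`, `tank/docs`, `tank/.system`) are constructed for illustration; on a real system you would pipe the live `zfs get` output into `audit_zfs_encryption` instead.

```shell
#!/bin/sh
# Audit per-dataset ZFS native-encryption state.
# Live use: zfs get -H -r -o name,property,value encryption,keyformat,keystatus tank | audit_zfs_encryption

# Constructed sample of `zfs get -H -r -o name,property,value ...` output
# (tab-separated: name, property, value). Not real TrueNAS output.
sample_zfs_get() {
  printf '%s\t%s\t%s\n' \
    tank          encryption  off \
    tank          keyformat   none \
    tank          keystatus   - \
    tank/media    encryption  aes-256-gcm \
    tank/media    keyformat   passphrase \
    tank/media    keystatus   unavailable \
    tank/docs     encryption  aes-256-gcm \
    tank/docs     keyformat   passphrase \
    tank/docs     keystatus   available \
    tank/.system  encryption  aes-256-gcm \
    tank/.system  keyformat   hex \
    tank/.system  keystatus   available
}

# Collapse the property/value rows into one line per dataset:
#   <dataset> <state> <encryption> <keyformat>
# where state is plaintext (encryption=off), unlocked (key loaded)
# or locked (encrypted but key not loaded, i.e. keystatus=unavailable).
audit_zfs_encryption() {
  awk -F'\t' '
    {
      v[$1, $2] = $3
      if (!($1 in seen)) { seen[$1] = 1; order[++n] = $1 }
    }
    END {
      for (i = 1; i <= n; i++) {
        ds  = order[i]
        enc = v[ds, "encryption"]; fmt = v[ds, "keyformat"]; st = v[ds, "keystatus"]
        if (enc == "off" || enc == "")  state = "plaintext"
        else if (st == "available")      state = "unlocked"
        else                             state = "locked"
        printf "%s\t%s\t%s\t%s\n", ds, state, enc, fmt
      }
    }'
}

# Count datasets in a given state from audit output. Usage: ... | count_state locked
count_state() {
  awk -F'\t' -v want="$1" '$2 == want { c++ } END { print c + 0 }'
}

# List datasets whose key is a passphrase (the LUKS-style case asked about).
passphrase_datasets() {
  awk -F'\t' '$4 == "passphrase" { print $1 }'
}

# Stand-alone demonstration on the constructed sample.
sample_zfs_get | audit_zfs_encryption
```

Reading the report: a dataset whose key format is `passphrase` can be locked with `zfs unload-key` and unlocked by prompting for the passphrase, while a `hex` or `raw` key is supplied from a key file or a key source that the system can read without a prompt; the `keystatus` column is what tells you whether a dataset is usable right now. Unencrypted parents and encrypted children can coexist in one pool, which is why the report treats `tank` as plaintext next to its encrypted children.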