Practical replication and encryption between home networks

Darkhog (Dabbler, joined Dec 28, 2021, 12 messages)
I am trying to understand the best practice / easiest path for home NAS with offsite replication. Here's my setup -

Machine1
  Pool1
    Dataset1
      Dataset11
      Dataset12

Machine2
  Pool2
    Dataset2
    BackupOfDataset1
      Dataset11
      Dataset12

Machine1 and Machine2 are each within a personal household, each with one pool, each with their own personal data, but also an encrypted replication of the pool on the other machine.

What I would like to do is have Machine1 on my home network, datasets encrypted, but automatically unlocked on reboots. Dataset1 should replicate to Machine2, but Machine2 root should not be able to understand its contents.

This is working for me using key encryption and basic replication, but once I unlock BackupOfDataset1 a single time on Machine2, the key is cached in the pool and it is unlocked through reboots. At this point I can Export the pool, then reattach it, and it will forget the key - but that seems heavy handed and error prone - I'll need to re-enter all the other keys, make sure shares don't break, etc.

What I would like is for Dataset1 to auto-unlock (via key or passphrase), and for BackupOfDataset1 to be able to be locked/unlocked (via key or passphrase). Is there a way to configure this way?

Thanks,

dave
winnielinnie (joined Oct 22, 2019, 3,641 messages)
To this day, I don't understand why TrueNAS treats keystrings as a "one-way" permanent unlock (unless exported). I suppose it's one for a feature request: an additional checkmark or toggle to set a dataset's encryption to have the ability to unload the key regardless of type (keystring or passphrase).

Technically, you can manually use the "unload-key" command, but since it's not done via the GUI (or has an API for non-passphrase encryption as far as I'm aware), it could cause unusual behavior later on. TrueNAS is to be used as an appliance, not a tinkerer's OS.

Another alternative would be to avoid using a raw stream, and rather decrypt-then-encrypt-with-passphrase from the source to destination.

UPDATE: Not even possible with TrueNAS's built-in "cli" tool. :frown:

Code:
cli
storage dataset lock id="mypool/playground"
EFAULT: Only datasets which are encrypted with passphrase can be locked


UPDATE 2: I tested this using ZFS commands, and it "worked". By "worked" I mean that it appears nothing gets broken, but there's no telling down the line if an unusual quirk might manifest.

Code:
# unmount first: unload-key refuses ("is busy") while the dataset is still mounted
zfs umount mypool/playground && zfs unload-key mypool/playground


The dataset mypool/playground is unmounted and the encryption key is unloaded. I even verified this in the GUI under Storage > Pools. It correctly shows the dataset as being "locked".

I clicked on the dataset's properties, went to "Unlock", and then I was able to copy+paste the 64-character HEX keystring (or load the keyfile) to successfully unlock and mount the dataset like normal.

Personally, I would feel iffy about doing this, even though it does appear to work with TrueNAS.
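The post above establishes two things a replication target like Machine2 needs to act on: the middleware's "storage dataset lock" only works for passphrase-encrypted datasets (anything else answers EFAULT), and a keystring-encrypted dataset can still be locked by unmounting it and running "zfs unload-key" at its encryption root. The script below is an added example, not code from the thread or from TrueNAS: it reads the output of "zfs get -H -o name,property,value keystatus,keyformat,encryptionroot,mounted" and prints, for every encryption root whose key is currently loaded, the command that will actually lock it. The "zfs get" output is constructed here (dataset names follow the thread's Pool2 layout; "Pool2/Archive" is a hypothetical already-locked dataset), and it assumes the documented ZFS behaviour that keys are unloaded at the encryption root and only after every dataset under that root is unmounted, which is why children are unmounted deepest-first.

```shell
#!/bin/sh
# Added example (not from the thread). Plans lock commands for loaded keys on a
# replication target, honouring the two rules the thread demonstrates:
#  - passphrase roots: TrueNAS middleware can lock them ("storage dataset lock")
#  - hex/raw keystring roots: middleware refuses (EFAULT); use zfs unload-key

sample_zfs_get() {
  # Constructed stand-in for:
  #   zfs get -H -o name,property,value keystatus,keyformat,encryptionroot,mounted -t filesystem -r Pool2
  # Pool2/Archive is a hypothetical hex-keyed dataset that is already locked.
  printf '%s\t%s\t%s\n' \
    Pool2 keystatus - \
    Pool2 keyformat none \
    Pool2 encryptionroot - \
    Pool2 mounted yes \
    Pool2/Dataset2 keystatus available \
    Pool2/Dataset2 keyformat passphrase \
    Pool2/Dataset2 encryptionroot Pool2/Dataset2 \
    Pool2/Dataset2 mounted yes \
    Pool2/BackupOfDataset1 keystatus available \
    Pool2/BackupOfDataset1 keyformat hex \
    Pool2/BackupOfDataset1 encryptionroot Pool2/BackupOfDataset1 \
    Pool2/BackupOfDataset1 mounted yes \
    Pool2/BackupOfDataset1/Dataset11 keystatus available \
    Pool2/BackupOfDataset1/Dataset11 keyformat hex \
    Pool2/BackupOfDataset1/Dataset11 encryptionroot Pool2/BackupOfDataset1 \
    Pool2/BackupOfDataset1/Dataset11 mounted yes \
    Pool2/BackupOfDataset1/Dataset12 keystatus available \
    Pool2/BackupOfDataset1/Dataset12 keyformat hex \
    Pool2/BackupOfDataset1/Dataset12 encryptionroot Pool2/BackupOfDataset1 \
    Pool2/BackupOfDataset1/Dataset12 mounted yes \
    Pool2/Archive keystatus unavailable \
    Pool2/Archive keyformat hex \
    Pool2/Archive encryptionroot Pool2/Archive \
    Pool2/Archive mounted no
}

# Reads "name<TAB>property<TAB>value" lines on stdin, prints one lock command
# per encryption root that currently has its key loaded.
plan_locks() {
  awk -F'\t' '
    function depth(s,  t) { t = s; return gsub("/", "/", t) }
    {
      name = $1; prop = $2; val = $3
      if (!(name in seen)) { seen[name] = 1; order[++n] = name }
      p[name SUBSEP prop] = val
    }
    END {
      for (i = 1; i <= n; i++) {
        r = order[i]
        # only an encryption root carries a wrapping key; children inherit it
        if (p[r SUBSEP "encryptionroot"] != r) continue
        # "unavailable" = already locked, "-" = not encrypted: nothing to do
        if (p[r SUBSEP "keystatus"] != "available") continue
        if (p[r SUBSEP "keyformat"] == "passphrase") {
          # the only case the TrueNAS middleware accepts (run inside `cli`)
          printf "storage dataset lock id=\"%s\"\n", r
          continue
        }
        # keystring root: unload-key refuses while anything under it is
        # mounted, so unmount every mounted dataset of this root, deepest first
        m = 0
        for (j = 1; j <= n; j++) {
          d = order[j]
          if (p[d SUBSEP "encryptionroot"] == r && p[d SUBSEP "mounted"] == "yes")
            list[++m] = d
        }
        for (a = 1; a <= m; a++)
          for (b = a + 1; b <= m; b++)
            if (depth(list[b]) > depth(list[a])) { t = list[a]; list[a] = list[b]; list[b] = t }
        cmd = ""
        for (a = 1; a <= m; a++) cmd = cmd "zfs unmount " list[a] " && "
        printf "%szfs unload-key %s\n", cmd, r
        for (a in list) delete list[a]
      }
    }'
}

# Dry run on the constructed data; on a real box replace sample_zfs_get with the
# zfs get command quoted above and review the output before running any of it.
sample_zfs_get | plan_locks
```

Note what the plan deliberately does not emit: nothing for Pool2/BackupOfDataset1/Dataset11 or Dataset12 on their own, because their key lives at Pool2/BackupOfDataset1 and "zfs unload-key" on a non-root child is rejected; and nothing for a dataset whose keystatus is already "unavailable". The passphrase line is the same middleware command the post shows failing for a hex dataset, so this planner is the line between "appliance-supported lock" and "manual ZFS lock the middleware does not know about".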

Darkhog
Thanks @winnielinnie, I appreciate you digging in. It does seem like some of the mainstream home NAS situations have some snags in them, but maybe they are less mainstream than I think. In this case, having it retain my passphrase through reboots feels pretty natural, since neither the passphrase nor the key is the actual key that interprets the bytes encrypted on disk, and it already does this for keys.

I prefer to not get off the well trodden path by self-managing ZFS with non-GUI commands. Thanks for doing the research though.