hearts12181
Cadet
- Joined
- Jul 1, 2012
- Messages
- 3
I'm migrating from TrueNAS Core 11.3 to 12.0-U6 and am migrating the data to the new ZFS encryption scheme. I see that you can either encrypt using a HEX key or a passphrase. I just want to understand how each type works and the pros / cons of each method.
- If using the key method, is it correct that the key is stored inside the system dataset and therefore, the pool is automatically unlocked upon reboot?
- If yes, then is the benefit of this method that the access to the data is convenient (and you can throw away the hard drives without wiping them), but at the cost that if the entire computer is taken (with TrueNAS installed) then the data is effectively not encrypted because the pool will unlock without intervention?
- If using the key method, is there any way to set the key storage location to be outside of the system dataset, like on a USB key drive? That way, you can physically remove the USB key drive and the pool will not unlock upon reboot?
- If using the key method, is there a way to temporarily "lock" the pool while the system is on? I don't see any option to do this -- it looks like using the key method, the pool is always unlocked when the system is powered on.
- If yes, then is the benefit of this method that the access to the data is convenient (and you can throw away the hard drives without wiping them), but at the cost that if the entire computer is taken (with TrueNAS installed) then the data is effectively not encrypted because the pool will unlock without intervention?
- If using the passphrase method, it is correct that there is no key stored on the system and therefore, the pool cannot be accessed upon reboot without a person typing in the password after boot?
- If yes, then is the benefit of this method that there is added protection to unauthorized access to the data upon reboot, but at the cost of convenience and automation?
- If using the passphrase method, is there a way to temporarily "lock" the pool while the system is on? And then unlock it upon entry of the password?
- While the pool is locked, is it correct that tasks such as snapshots, scrubs, resilver, etc. would continue to work correctly? In other words, it is correct that you don't need to unlock the pool to perform these ZFS tasks?
- If yes, then is the benefit of this method that there is added protection to unauthorized access to the data upon reboot, but at the cost of convenience and automation?
Last edited: