SOLVED Question about encryption

[Shiroi Kage]

So I made the mistake of building my pool and having it unencrypted. I want to know my options.

Q1: Can FreeNAS encrypt a volume in place? I can deal with my data being inaccessible for the duration of the process if that's the only option.
Q2: How does accessing the encrypted files work? Do I just log in normally? Does the data get decrypted by the FreeNAS box, or does it get decrypted by the client PC?

Thanks in advance for all the help.

 

[danb35]

So I made the mistake of building my pool and having it unencrypted.

This is almost certainly a good thing, not a mistake.

Q1: Can FreeNAS encrypt a volume in place?

No.

Does the data get decrypted by the FreeNAS box,

Yes. The purpose of disk encryption is to protect against data compromise by theft of hard disks (as long as the thief doesn't also take your boot device, which has the encryption keys on it). Once the system is booted and the pool is mounted, everything's available as though decrypted.

 

[Shiroi Kage]

This is almost certainly a good thing, not a mistake.

How come? Does it come with a severe performance penalty?

No.

Oh :(

Yes. The purpose of disk encryption is to protect against data compromise by theft of hard disks (as long as the thief doesn't also take your boot device, which has the encryption keys on it). Once the system is booted and the pool is mounted, everything's available as though decrypted.

Oh, that's not what I imagined it being used as. I see now. So it's pretty useless if you're living somewhere super safe and your house isn't really one to invite burglaries, and/or your NAS box is too heavy to carry.

 

[danb35]

Does it come with a severe performance penalty?

Not as far as I know. But FreeNAS' implementation prioritizes security over availability, meaning that if something goes wrong, there's a significant chance of losing your data. Unless you have a specific legal or regulatory requirement that data at rest be encrypted, we tend to discourage it pretty strongly in favor of something like VeraCrypt. Dataset-level encryption will be coming at some point, and that would be less risky--but the way it is right now (as far as the GUI is concerned), it's either on or off for the entire pool.

So it's pretty useless if you're living somewhere super safe

There's always the risk of burglary, but yes, the chance of someone breaking in and pulling the disks out, rather than taking the entire system, seems pretty low.

Encryption would also protect against any data compromise when decommissioning disks, but in most cases that seems like a pretty remote concern.

 

[Shiroi Kage]

Encryption would also protect against any data compromise when decommissioning disks, but in most cases that seems like a pretty remote concern.

I guess I'll have to write 0s to my desks before getting rid of them. Should be just as good as encryption I reckon, especially when I'm unlikely to get rid of an entire array at once.

Thanks for all the answers!

 

[danb35]

As a practical matter, the likelihood of someone recovering any significant amount of data from a single disk in a parity RAID array is very small (even smaller if you have multiple vdevs, as data is then striped across them). If the disk hasn't totally failed, you can zero it, you can run DBAN, or any of a number of other things to reduce that probability even more. It's all about the trade-offs.