Scale: Encrypt Kubernetes Volumes

Sibi

Cadet
Joined
Nov 21, 2021
Messages
3
Hello Forum!
I'm new to TrueNAS and I have a question on Kubernetes:

Is it possible to encrypt the volumes used/created by the apps/k3s?

Background: I want to run e.g. Vaultwarden and would like to have my sensitive data encrypted. If I understand correctly, I have to put the ix-applications folder into an encrypted ZFS volume, but this would encrypt ALL applications. This would result in me having to decrypt the volume (after a crash or whatever) for all applications to come online again, right? Is it possible to split this up? Having some apps run encrypted (like vaultwarden) and some unencrypted (like pihole)?

Thank you very much for your help!
(I'm running TrueNAS-SCALE-22.02-RC.1-1)

Best regards,
Sibi
 

truecharts

Guru
Joined
Aug 19, 2021
Messages
788
We would suggest either encrypting it all or nothing.
Crash recovery of Apps is already a very hard field. You really should NOT overcomplicate it.

That's speaking from a significant number of recovery tryouts done by now.

More so because the internal datasets under ix-applications are also not available in the UI. So you would need to do all sorts of CLI tricks to get it to work, and you will have to figure out how to adapt every backup, recovery and support advice to your own setup.
 

Sibi

Cadet
Joined
Nov 21, 2021
Messages
3
ok, thanks for the info!

I want to keep things simple, so I will encrypt the complete disks and not run any services like pi-hole. Then they can't auto-start after a reboot, because they're waiting for the ix folder to be decrypted.

In a scenario in which my NAS is at a remote location and the UI is reachable via OpenVPN (it's a system service, so it's independent of decrypting the disks), what should I do after a blackout: connect to the UI, decrypt the drives and run my checks?
 

truecharts

Guru
Joined
Aug 19, 2021
Messages
788
To be clear:
You absolutely should use keyfile encryption with the keys loaded into SCALE and NEVER passphrase or non-imported keyfiles.
For SCALE Apps to work stably, the volume needs to be imported on boot.
Not doing the above might lead to issues and/or data loss.

Autostart of Apps works fine though, even after a reboot.
 
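The advice above boils down to one property of the apps dataset and everything under it: can the key be loaded without a human after a reboot? The following is an added example, not code from the thread or from TrueNAS, that audits this from the output of `zfs get -H -r -o name,property,value encryption,keyformat,keylocation,keystatus,encryptionroot POOL`. The property names and values are standard OpenZFS; the pool name `tank`, the dataset layout and the sample output are constructed for the example. It assumes that "keyfile encryption with the keys loaded into SCALE" means a hex or raw keyformat whose key the NAS middleware loads itself, so it classifies by keyformat and keystatus rather than by keylocation (which is not a reliable signal when a middleware, not ZFS, loads the key):

```python
"""Audit ZFS encryption settings under an apps dataset (added example).

Input: tab-separated lines from
  zfs get -H -r -o name,property,value \
      encryption,keyformat,keylocation,keystatus,encryptionroot POOL
"""

from collections import defaultdict

# Constructed sample output (not from a real system): a keyfile-encrypted
# pool, an apps dataset that inherits the pool's key, one child dataset
# that was re-keyed with a passphrase, and an unencrypted media dataset.
SAMPLE_ZFS_GET = """\
tank\tencryption\taes-256-gcm
tank\tkeyformat\thex
tank\tkeylocation\tprompt
tank\tkeystatus\tavailable
tank\tencryptionroot\ttank
tank/ix-applications\tencryption\taes-256-gcm
tank/ix-applications\tkeyformat\thex
tank/ix-applications\tkeylocation\tnone
tank/ix-applications\tkeystatus\tavailable
tank/ix-applications\tencryptionroot\ttank
tank/ix-applications/releases/vaultwarden/volumes\tencryption\taes-256-gcm
tank/ix-applications/releases/vaultwarden/volumes\tkeyformat\tpassphrase
tank/ix-applications/releases/vaultwarden/volumes\tkeylocation\tprompt
tank/ix-applications/releases/vaultwarden/volumes\tkeystatus\tunavailable
tank/ix-applications/releases/vaultwarden/volumes\tencryptionroot\ttank/ix-applications/releases/vaultwarden/volumes
tank/media\tencryption\toff
tank/media\tkeyformat\tnone
tank/media\tkeylocation\tnone
tank/media\tkeystatus\t-
tank/media\tencryptionroot\t-
"""


def parse_zfs_get(text):
    """Turn `zfs get -H -o name,property,value` lines into {dataset: {prop: value}}."""
    props = defaultdict(dict)
    for line in text.splitlines():
        if not line.strip():
            continue
        name, prop, value = line.split("\t", 2)
        props[name][prop] = value
    return dict(props)


def unlock_mode(dataset, props):
    """Classify how a dataset's key becomes available after boot.

    'plain'  - not encrypted
    'auto'   - hex/raw key that a key store (keyfile or NAS middleware) can load unattended
    'manual' - passphrase key: someone has to type it after every reboot
    A dataset that inherits its key gets the answer of its encryption root.
    """
    p = props[dataset]
    if p.get("encryption", "off") == "off":
        return "plain"
    root = p.get("encryptionroot", dataset)
    keyformat = props.get(root, p).get("keyformat")
    return "manual" if keyformat == "passphrase" else "auto"


def encryption_roots_under(props, apps_root):
    """Every encryption root that datasets at or below apps_root depend on.
    More than one root means the apps tree is split across keys, which is
    the setup the thread advises against."""
    roots = set()
    for name, p in props.items():
        if name == apps_root or name.startswith(apps_root + "/"):
            if p.get("encryption", "off") != "off":
                roots.add(p.get("encryptionroot", name))
    return roots


def audit_apps(props, apps_root):
    """Return {dataset: reason} for datasets at or below apps_root that will
    not come up unattended: passphrase-keyed ones, and auto-keyed ones whose
    key is not currently loaded (keystatus unavailable)."""
    problems = {}
    for name in sorted(props):
        if name != apps_root and not name.startswith(apps_root + "/"):
            continue
        mode = unlock_mode(name, props)
        if mode == "manual":
            problems[name] = "manual"
        elif mode == "auto" and props[name].get("keystatus") == "unavailable":
            problems[name] = "key-not-loaded"
    return problems


if __name__ == "__main__":
    datasets = parse_zfs_get(SAMPLE_ZFS_GET)
    print("encryption roots:", sorted(encryption_roots_under(datasets, "tank/ix-applications")))
    for ds, reason in audit_apps(datasets, "tank/ix-applications").items():
        print(f"{ds}: {reason}")
```

Run it against real output by piping `zfs get ...` into `parse_zfs_get`; an empty result from `audit_apps` and a single entry from `encryption_roots_under` is the "encrypt it all with one keyfile" layout the reply recommends. Checking `keystatus` right after a reboot, before any manual unlock, is the practical test of whether the apps can autostart.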

Sibi

Cadet
Joined
Nov 21, 2021
Messages
3
Ok, please correct me if I'm wrong: encrypting the drives with the keyfile (stored in BOOT) enables the apps to auto-start. AFAIK this protects the data stored on the device from being read after theft of a single drive. To completely protect the data from theft of the device, I have to add a sub-dataset encrypted with a keyfile (not stored on Boot or the NAS) to protect me from someone stealing the whole NAS and reading my data, because it's not automatically decrypted at boot. Is this correct?
This would result in having to store sensitive data for k8s in an encrypted subvolume (via folder mount), because the PVC is stored in the root-dataset and therefore "only" protected from single drive theft.
 

truecharts

Guru
Joined
Aug 19, 2021
Messages
788
TrueNAS is not designed to be theft resistant.
The only two encryption designs that are known to be solid are full encryption with a keyfile of the ix-applications dataset or no encryption at all.

We'll refrain from commenting on all sorts of hacky what-if scenarios/designs.

K.S.
 