System Dataset and encryption

i716

Cadet
Joined
Mar 11, 2020
Messages
9
According to the FNAS manual, the system dataset stores debugging core files, encryption keys for encrypted pools, and Samba4 metadata such as the user/group cache and share-level permissions. Unfortunately, it seems to be impossible to let this dataset reside on a pool which is encrypted with a passphrase. So I can only store it on the boot disk. Why is there no possibility to have this dataset on an encrypted pool? Or at least have a geli password at boot time... This is outright ridiculous that such sensitive information can't be encrypted with a passphrase.

Omgyeah

Cadet
Joined
Feb 3, 2021
Messages
4
I have the same question as OP.

Is there a way to encrypt the boot partition?

If not, am I guaranteed that there will be no data leaks from my encrypted data storage, e.g. cache, logs, temp files etc.?

Samuel Tai

Never underestimate your own stupidity
Moderator
Joined
Apr 24, 2020
Messages
5,399
This used to be possible in 11.2 and below. However, this introduced timing errors on boot with various services and system databases being unavailable, which led to the decision in 11.3 to force the system dataset pool not to have a passphrase.

In 12.0, the root dataset of the system dataset pool can be encrypted without a passphrase for the same reason, but daughter datasets can be encrypted with a passphrase.

Omgyeah

Cadet
Joined
Feb 3, 2021
Messages
4
I will try to clarify:

Let's say I have one disk, /dev/sda, on which I install TrueNAS. What I would like is to just have this whole disk encrypted, so when I boot the machine I need to enter a password. From what I understand this is not possible. Compare this to choosing "encrypted LVM" when installing Debian.

Then let's say I add another disk, /dev/sdb, which I use in an encrypted dataset, with a passphrase, not stored on the machine.

Scenario:
Let's say someone steals my entire TrueNAS server. My understanding is that the dataset will be "safe" since the next time it boots, it needs my passphrase.

But my concern is that there is a risk that some data or metadata from my encrypted dataset will be readable on the boot disk (sda), in some sort of swap partition, cache, temp file, log files, metadata...?

Samuel Tai

Never underestimate your own stupidity
Moderator
Joined
Apr 24, 2020
Messages
5,399
Swap is distributed over the disks of your data pool, and is automatically GELI-encrypted.
System databases are also resident on your data pool, if you've set that as the location of the system dataset under System->System Dataset.

The only thing on the boot pool is just the raw OS and boot loader.

Samuel Tai

Never underestimate your own stupidity
Moderator
Joined
Apr 24, 2020
Messages
5,399
You can verify this for yourself. Just run mount | grep var. Everything with a possible security leak is in /var/db/system (the system dataset), and this will be within your data pool if you've configured System->System Dataset to host it outside your boot pool.
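The check described in the reply above, as an added shell example (not from the thread or from TrueNAS itself): it reads `mount` output and reports whether /var/db/system is backed by the boot pool or by a data pool. The boot pool names it recognises (freenas-boot, boot-pool) and the sample `mount` lines are assumptions, constructed here for illustration.

```shell
# Added example, not code from the thread. Feed it the output of `mount`:
#   mount | system_dataset_pool
# or the constructed sample strings below.

# Print the dataset mounted at /var/db/system (the system dataset), or
# "none" if nothing is mounted there. FreeBSD `mount` prints lines as
# "<device> on <mountpoint> (<options>)", so the mountpoint is field 3.
system_dataset_pool() {
    awk '$3 == "/var/db/system" { print $1; found = 1 }
         END { if (!found) print "none" }'
}

# Classify where the system dataset lives, given the dataset name from
# system_dataset_pool. Assumption: the boot pool is named freenas-boot
# (FreeNAS) or boot-pool (TrueNAS CORE); anything else is a data pool.
system_dataset_location() {
    case "$1" in
        none)                         echo "unmounted" ;;
        freenas-boot/*|boot-pool/*)   echo "boot" ;;
        *)                            echo "data" ;;
    esac
}

# Constructed sample `mount` output for the two cases worth telling apart.
SAMPLE_DATA='tank/.system on /var/db/system (zfs, local, nfsv4acls)
tank/.system/samba4 on /var/db/system/samba4 (zfs, local, nfsv4acls)'
SAMPLE_BOOT='freenas-boot/.system on /var/db/system (zfs, local, nfsv4acls)'

# Walk both samples: the data-pool case is the one the reply recommends.
for sample in "$SAMPLE_DATA" "$SAMPLE_BOOT"; do
    ds=$(printf '%s\n' "$sample" | system_dataset_pool)
    echo "system dataset: $ds -> $(system_dataset_location "$ds")"
done
```

On a live box, `mount | system_dataset_pool` followed by `system_dataset_location` on its output gives the same answer as reading `mount | grep var` by eye.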

Omgyeah

Cadet
Joined
Feb 3, 2021
Messages
4
Swap is distributed over the disks of your data pool, and is automatically GELI-encrypted.
System databases are also resident on your data pool, if you've set that as the location of the system dataset under System->System Dataset.

The only thing on the boot pool is just the raw OS and boot loader.

Ahhh. Nice.

Thanks a lot for the feedback!

Omgyeah

Cadet
Joined
Feb 3, 2021
Messages
4
I guess I'm yet again out of luck:

If the system dataset is moved to an encrypted pool, that volume is no longer allowed to have a passphrase set.

Without a passphrase, I guess the key is on the host -> automount? And I guess that's why a passphrase cannot be used? (It seemed strange to be able to have the system dataset on a disk that's not mounted automatically on boot...)

But with the key on the host, my "scenario" above still fails: if the system is stolen, the encryption is useless unless it requires a passphrase on boot?

I have a really hard time understanding encryption with a key. The only scenario that would help is if I remove the disks from the system and throw them away. As long as the disks are in the server, and the server has the key, anyone that gains access to the (powered off) server can use the key to decrypt the disks... So at least the KEY should be password protected. But then I could just as well use a passphrase. So I guess the only(?) use-case for encryption with key is safe disposal of disks?

Or, if the full boot-partition is encrypted, that adds the inconvenience of having to type a password on boot, but then the keys are protected by that encryption and all is good.

I guess most servers are in datacenters and "someone steals my server" is more of a home-user problem.

dj_sa

Cadet
Joined
Jan 10, 2022
Messages
1
I have a use case, which is what I'm trying to do now. I'm gonna be shipping my NAS, and obviously, I want everything to be encrypted. My boot pool is on a pair of mirrored USB sticks.

I believe if everything is encrypted with keys, I can simply pull out the USB sticks, and have the heavy server sent via sea without worrying about it. I might add SED too, just for the sake of it.

Does anyone know whether the key files for decrypting the encrypted pools and the SED passwords are on the boot pool only?

Thanks,