freenas-supero
Contributor
- Joined
- Jul 27, 2014
- Messages
- 128
As title says, I am in need of creating an offsite backup pool with latest Truenas. Current backup pool was created with Freenas 9 and used GELI key. I see that Truenas has changed the way encryption is done and geli keys are NO longer supported... Since this is a backup pool that will be stored offsite I need a strong level of protection.
I intend to destroy the old encrypted pool and repurpose the hard drives, once the new backup is up & running so no migration needed. I am simply asking a few questions here to understand well how encryption now works with Truenas and if I setup things properly.... I managed to get myself confused again while reading the documentation and forum threads)...
So here's what I want to achieve (very simple IMO):
Truenas backup server
-It should contain NO sensitive data about the encrypted pool (passphrases, keys, etc) (I dont care if someone steals its USB boot drive and gets the root password, settings, etc.... All I want to make sure is that NO information that could be used to unlock the encrypted pool is available on the server.)
The encrypted backup pool
-It will consist in a simple mirrored vdev on 2x 4TB drives
A secured USB stick
-The passphrase needed to unlock the encrypted pool will be stored on this USB stick (obviously located in a different physical location than the backup pool).
Someone gets their hands on the encrypted pool could not cannot access anything since they dont have the passphrase to unlock it.
Someone who steals the Truenas server would not have access to data allowing to unlock the encrypted pool.
Here's what I've done so far:
-Installed TrueNAS-13.0-U3.1 on a USB boot device (will migrate to SATADOM soon...)
-Created an encrypted mirrored pool
-Changed encryption type from keyfile to passphrase
-System complained that system dataset was located on the encrypted pool so I moved it to the USB boot drive (I know this is terrible but this server will run 10hrs per year at most and will be upgraded to a SSD/SATADOM very soon)
-Changed the encryption type to passphrase and it worked.
-Pool can be manually locked and unlocked from GUI.
Will this setup achieve the desired protection?
I am not sure if:
-Sensitive data allowing to unlock the encrypted pool will remain on the server's USB boot drive
-It will be possible to unlock the pool from any other Truenas server? (i.e. will I need this particular server to unlock the pool?)
-Any backdoor/pitfall you guys can see?
Sorry if some/all of the above is trivial for most... I just want to make sure I'm setting up things the proper way and should a disaster occurs, I'll have a reliable backup ready for me...
Thanks and Happy New Year!
I intend to destroy the old encrypted pool and repurpose the hard drives, once the new backup is up & running so no migration needed. I am simply asking a few questions here to understand well how encryption now works with Truenas and if I setup things properly.... I managed to get myself confused again while reading the documentation and forum threads)...
So here's what I want to achieve (very simple IMO):
Truenas backup server
-It should contain NO sensitive data about the encrypted pool (passphrases, keys, etc) (I dont care if someone steals its USB boot drive and gets the root password, settings, etc.... All I want to make sure is that NO information that could be used to unlock the encrypted pool is available on the server.)
The encrypted backup pool
-It will consist in a simple mirrored vdev on 2x 4TB drives
A secured USB stick
-The passphrase needed to unlock the encrypted pool will be stored on this USB stick (obviously located in a different physical location than the backup pool).
Someone gets their hands on the encrypted pool could not cannot access anything since they dont have the passphrase to unlock it.
Someone who steals the Truenas server would not have access to data allowing to unlock the encrypted pool.
Here's what I've done so far:
-Installed TrueNAS-13.0-U3.1 on a USB boot device (will migrate to SATADOM soon...)
-Created an encrypted mirrored pool
-Changed encryption type from keyfile to passphrase
-System complained that system dataset was located on the encrypted pool so I moved it to the USB boot drive (I know this is terrible but this server will run 10hrs per year at most and will be upgraded to a SSD/SATADOM very soon)
-Changed the encryption type to passphrase and it worked.
-Pool can be manually locked and unlocked from GUI.
Will this setup achieve the desired protection?
I am not sure if:
-Sensitive data allowing to unlock the encrypted pool will remain on the server's USB boot drive
-It will be possible to unlock the pool from any other Truenas server? (i.e. will I need this particular server to unlock the pool?)
-Any backdoor/pitfall you guys can see?
Sorry if some/all of the above is trivial for most... I just want to make sure I'm setting up things the proper way and should a disaster occurs, I'll have a reliable backup ready for me...
Thanks and Happy New Year!