What is key encryption really for?

megatronico

Cadet
Joined
Apr 16, 2022
Messages
3
Good evening.

Sorry but I don't understand what Dataset encryption is for.

Ok, when the padlock is closed, the dataset is locked. So far, perfect.

But what functionality does it have when the lock is open? I see that the data is still accessible. And I have sent a file by e-mail to an external computer with nothing to do with TrueNAS and it does not appear encrypted or anything. That is, what is key encryption for?

I'm sorry if the question seems silly... but I've searched the documentation and the process is documented, but not the functionality, and I don't see anything clear.

Thank you.

Greetings.
 
Joined
Oct 22, 2019
Messages
3,641
ZFS uses "encryption at rest".

This means the data is saved in an encrypted state on the dataset. It's only accessible when unlocked (which basically loads the master key into RAM, which is used to encrypt/decrypt on-the-fly).

This has nothing to do with encrypting data that is sent somewhere else, such as with email or to another computer.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
Encryption at rest protects data on your disks. In certain regulated environments, for example, such as financial (PCI-DSS) or medical (HIPAA), organizations have a legal duty to encrypt data to protect from disclosure.

If you've got a 12-bay NAS with 20TB HDDs in it storing financial transaction records, let's say Amazon processing of its credit cards, and a hard drive's controller chip fails, there is now an inaccessible HDD which cannot be overwritten. Statistically speaking, even though the records are interleaved across drives, there may be enough data to recover card numbers or other valuable data through analysis.

In most such cases, failed drives are fed to degaussers such as


and then often shredded. The military is famous for its use of thermite especially on the battlefield for emergency destruction of data. However, both of these have the downside that they can only be done at the end of a device's service life, when it is being disposed of.

Encryption at rest means that you can unplug a drive, and it can be safely shipped elsewhere, stored, etc., and if it happens to be lost or stolen, then the data on it is useless and appears random to whoever possesses the drive. This is really something you should do all the time with data of even moderate value, and systems such as Microsoft's BitLocker have been available for years. The main problem with encryption isn't its availability, but rather laziness... my favorite is people who rely on BitLocker on their laptops to "protect" their data, but who do not have a BitLocker password on the drive and have their user account set to auto-login. (makes shoot-self-in-head gesture).

Protecting your ZFS pool data at rest is just a component of a larger data protection strategy. It will not magically encrypt your e-mails or protect your other activities.
 