Where Are The Encryption Keys Stored

markds

Cadet
Joined
Apr 12, 2021
Messages
7
I was in the process of migrating my pools from legacy to native encryption and I came across an issue.

My assumptions:
1) If the encryption keys are stored in the TrueNAS config db and;
2) the config db is stored on the system dataset and;
3) it's considered best practice to store the system dataset on the main (non-boot) pool (presumably because it has higher redundancy / durability);
4) the system dataset should be encrypted as it contains sensitive information.

My questions:
a) is there an option to encrypt the system dataset? I only see an option to set which zpool the system dataset should reside on.
b) if the system dataset can be encrypted, how does TrueNAS load the decryption key from the db if it's on an encrypted dataset?
c) if the system dataset is not encrypted, how can I ensure that the keys are not readable should one of the disks fail on the main pool?
 

rakor

Dabbler
Joined
Sep 8, 2021
Messages
22
Hey there, I'd like to join this thread. I have the same question: where are the encryption keys stored? As I understood it, the keys are stored on the encrypted pool... So the pool could never be encrypted after reboot...
I saved the exported keyfile, but I really want to know how those keys are handled.

Thanks for your help!
 
Joined
Oct 22, 2019
Messages
3,641
Stored on the boot-pool (in the plain). Otherwise, how else would the system be able to boot and proceed to automatically unlock the System Dataset (which is encrypted), if the key itself is stored on the encrypted System Dataset?

The path is /data/, which lives on the boot-pool. The file is freenas-v1.db which contains everything when you export your config file.
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
I think what this thread seems to be missing is an understanding of what is protected by the 2 types of encryption offered...

1. Key Encryption protects against the loss/disposal/theft of any or all (except the boot media) disks in the server... each or even all of the data disks can't be used to access files stored under encryption without the system/boot pool. (examples: send an entire server by courier, but transport the boot media separately to ensure no access if the server is lost in transit... dispose of data disks without the need to wipe them... theft may not mean data leakage provided the entire server isn't stolen)

2. Passphrase Encryption protects against access to the data pools/datasets protected by it even if the entire system is stolen/disposed, but can't unlock automatically (without some tricks and tradeoffs of security). (example: server is stolen, but without the passphrase, data can't be recovered from the encrypted datasets)

If your assumption is that encryption (in all its forms) must/does guard against any kind of unauthorized access to all of your encrypted data, you're very badly mistaken.
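The two posts above (the key file living in plaintext on the boot-pool, and the difference between key-file and passphrase protection) can be checked on a running system rather than assumed. The script below is an added example, not code from the thread or from TrueNAS: it parses the tab-separated output of `zfs get -H -o name,property,value -r encryption,keyformat,keylocation,keystatus <pool>`, labels every dataset by what its key setup actually protects against, lists the key files that sit in plaintext on disk, and flags a key file that is stored on the very pool it unlocks (which defeats the "data disks alone are useless" property and cannot auto-unlock). The dataset names and the `/root/tank.key` path in the sample are constructed; the `/mnt/<pool>` mount convention is TrueNAS's.

```python
from typing import Dict, List, Tuple

# Constructed sample of:
#   zfs get -H -o name,property,value -r encryption,keyformat,keylocation,keystatus tank
# Dataset names and the key-file path are hypothetical.
SAMPLE_ZFS_GET = """\
tank\tencryption\taes-256-gcm
tank\tkeyformat\thex
tank\tkeylocation\tfile:///root/tank.key
tank\tkeystatus\tavailable
tank/child\tencryption\taes-256-gcm
tank/child\tkeyformat\thex
tank/child\tkeylocation\tnone
tank/child\tkeystatus\tavailable
tank/secret\tencryption\taes-256-gcm
tank/secret\tkeyformat\tpassphrase
tank/secret\tkeylocation\tprompt
tank/secret\tkeystatus\tunavailable
tank/plain\tencryption\toff
tank/plain\tkeyformat\tnone
tank/plain\tkeylocation\tnone
tank/plain\tkeystatus\t-
"""

# What each label means, in the terms used in the thread.
MEANING = {
    "unencrypted": "no protection from ZFS encryption",
    "keyfile": "key file on disk: protects data disks if lost alone, NOT if the boot media goes with them",
    "prompt": "key/passphrase entered at unlock: protects even if the whole server is taken; no auto-unlock",
    "inherited": "uses the key of its parent encryption root (same protection as the root)",
}


def parse_zfs_get(text: str) -> Dict[str, Dict[str, str]]:
    """Turn `zfs get -H -o name,property,value` lines into {dataset: {prop: value}}."""
    datasets: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, prop, value = line.split("\t", 2)
        datasets.setdefault(name, {})[prop] = value
    return datasets


def classify(props: Dict[str, str]) -> str:
    """Map a dataset's encryption properties to one of the labels in MEANING."""
    if props.get("encryption", "off") == "off":
        return "unencrypted"
    loc = props.get("keylocation", "none")
    if loc == "prompt":
        return "prompt"
    if loc.startswith("file://"):
        return "keyfile"
    if loc == "none":
        return "inherited"  # child of an encryption root; key comes from the parent
    return "unknown"


def audit(text: str) -> Dict[str, str]:
    """Label every dataset in the `zfs get` output."""
    return {name: classify(props) for name, props in parse_zfs_get(text).items()}


def plaintext_key_files(datasets: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (dataset, path) for every key that ZFS reads from a file on disk."""
    found = []
    for name, props in datasets.items():
        loc = props.get("keylocation", "none")
        if loc.startswith("file://"):
            found.append((name, loc[len("file://"):]))
    return found


def key_on_own_pool(dataset: str, path: str) -> bool:
    """True if the key file lives under /mnt/<pool> of the pool it unlocks."""
    pool = dataset.split("/", 1)[0]
    mount = f"/mnt/{pool}"
    return path == mount or path.startswith(mount + "/")


if __name__ == "__main__":
    datasets = parse_zfs_get(SAMPLE_ZFS_GET)
    for name, label in audit(SAMPLE_ZFS_GET).items():
        print(f"{name:<14} {label:<12} {MEANING.get(label, '')}")
    for name, path in plaintext_key_files(datasets):
        warn = "  <-- key stored on the pool it unlocks!" if key_on_own_pool(name, path) else ""
        print(f"plaintext key for {name}: {path}{warn}")
```

On a real TrueNAS box, replace `SAMPLE_ZFS_GET` with the output of the `zfs get` command in the lead-in (for example via `subprocess.run([...], capture_output=True, text=True).stdout`) and walk the result: any dataset labelled `keyfile` is exactly the case the thread describes, where whoever holds the boot media plus the data disks can unlock everything without a passphrase.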
 