I was in the process of migrating my pools from legacy to native encryption and I came across an issue.
My assumptions:
1) If the encryption keys are stored in the TrueNAS config db and;
2) the config db is stored on the system dataset and;
3) its considered best practice to store the system dataset on the main (non-boot) pool (presumably as these have higher redundancy / durability)
4) the system dataset should be encrypted as it contains sensitive information
How do you:
a) is there an option to encrypt the system dataset? I only see an option set on which zpool the system dataset should reside.
b) if the system dataset can be encrypted, how does truenas load the decryption key from the db if its on an encrypted dataset.
c) if the system dataset is not encrypted, how can I ensure that the keys are not readable should one of the disks fail on the main pool?
My assumptions:
1) If the encryption keys are stored in the TrueNAS config db and;
2) the config db is stored on the system dataset and;
3) its considered best practice to store the system dataset on the main (non-boot) pool (presumably as these have higher redundancy / durability)
4) the system dataset should be encrypted as it contains sensitive information
How do you:
a) is there an option to encrypt the system dataset? I only see an option set on which zpool the system dataset should reside.
b) if the system dataset can be encrypted, how does truenas load the decryption key from the db if its on an encrypted dataset.
c) if the system dataset is not encrypted, how can I ensure that the keys are not readable should one of the disks fail on the main pool?