where to place System dataset

[phier]

Hello,
at the moment i run TrueNAS as VM; i have main pool encrypted (pass protected) and its created from the drives which are pass through to the VM.

What is the best practice regarding the System Dataset location ; i read manual and its not good idea to put it to the boot-pool as during the backup there are issues etc.

Is it good idea to put it back to my main pool - which is encrypted ; ie each time i boot TrueNAS i have to first provide pass to unlock that pool.


Thanks!

 

[winnielinnie]

i read manual and its not good idea to put it to the boot-pool as during the backup there are issues etc.

Why would the System Dataset being located on the boot-pool interfere with your backups? Can you link the manual where it says that?

Is it good idea to put it back to my main pool - which is encrypted ; ie each time i boot TrueNAS i have to first provide pass to unlock that pool.

You won't be able to. TrueNAS prevents placing the System Dataset on a pool in which the top-level root dataset is encrypted and protected with a passphrase.

 

[theflyiingdutchman]

@winnielinnie does this mean that there’s no way to protect the encryption keys and other sensitive info in the system dataset?

 

[winnielinnie]

@winnielinnie does this mean that there’s no way to protect the encryption keys and other sensitive info in the system dataset?

The System Dataset does not contain your encryption keys. They are located (in plain) on the boot-pool. They need to be available upon reboot to automatically unlock pools that are protected with a key (rather than passphrase.)

You can put the System Dataset on your main pool, even with encryption. However, the top-level root dataset of this pool cannot be protected with a passphrase: it needs to be a key. The reason for this is because if the System Dataset is located on this pool, it must available early on during the bootup process. This is not possible if you use a passphrase on the top-level root dataset, which would require you to manually unlock it after bootup. (And hence the System Dataset is not available early enough.)

 

[theflyiingdutchman]

Right now I only use password protected datasets. My only concern is the credentials for the cloud backup. I assume those might be stored on the boot pool as well. Are you saying there is no solution to encrypt boot-pool secrets with a passphrase? Is theft of an entire machine not a concern?

 

[Davvo]

Quoting this from @sretalla :

1. Key Encryption protects against the loss/disposal/theft of any or all (except the boot media) disks in the server... each or even all of the data disks can't be used to access files stored under encryption without the system/boot pool. (examples: send an entire server by courier, but transport the boot media separately to ensure no access if the server is lost in transit... dispose of data disks without the need to wipe them... theft may not mean data leakage provided the entire server isn't stolen)

2. Passphrase Encryption protects against access to the data pools/datasets protected by it even if the entire system is stolen/disposed, but can't unlock automatically (without some tricks and tradeoffs of security). (example: server is stolen, but without the passphrase, data can't be recovered from the encrypted datasets)

If your assumption is that encryption (in all its forms) must/does guard against any kind of unauthorized access to all of your encrypted data, you're very badly mistaken.

If this isn't enough for you, look into SED (Self-Encrypting Drive).

 

[theflyiingdutchman]

Unfortunately my instance is virtualized