TrueNAS CORE Nightly Development DocumentationThis content follows experimental early release software. Pre-release software is intended for testing purposes only.
Use the Product and Version selectors above to view content specific to a stable software release.
Storage Encryption
9 minute read.
TrueNAS supports different encryption options for critical data.
Users are responsible for backing up and securing encryption keys and passphrases! Losing the ability to decrypt data is similar to a catastrophic data loss.
Data-at-rest encryption is available with:
- Self Encrypting Drives (SEDs) using OPAL or FIPS 140.2 (Both AES 256)
- Encryption of specific datasets (AES-256-GCM in TrueNAS 12.0)
The local TrueNAS system manages keys for data-at-rest. The user is responsible for storing and securing their keys. The Key Management Interface Protocol (KMIP) is included in TrueNAS 12.0.
Encrypting the root dataset of a new storage pool further increases data security. All datasets added to a pool with encryption applied inherit encryption. This means all datasets added to a pool with encryption are also encrypted.
Create a new pool and set Encryption in the Pool Manager. TrueNAS shows a warning.
Read the warning, select Confirm, and click I Understand.
We recommend using the default encryption in Cipher, but other ciphers are available.
TrueNAS can encrypt new datasets within an existing unencrypted storage pool without having to encrypt the entire pool. To encrypt a single dataset, go to Storage > Pools, open the more_vert for an existing dataset, and click Add Dataset.
In the Encryption Options area, clear the Inherit checkbox, then select Encryption.
Now select the authentication to use from the two options in Type: either a Key or Passphrase. The remaining options are the same as a new pool. Datasets with encryption enabled show additional icons on the Storage > Pools list.
The dataset locked/unlocked status is determined from an icon:
- The dataset unlocked icon: lock_open.
- The dataset locked icon: lock.
- A Dataset on an encrypted pool with encryption properties that don’t match the root dataset shows this icon:
NOTE: An unencrypted pool with an encrypted dataset also shows this icon:
You can only lock or unlock encrypted datasets when they are secured with a passphrase instead of a key file. Before locking a dataset, verify that it is not currently in use, then click (Options) and Lock.
Use the Force unmount option only if you are certain no one is currently accessing the dataset. After locking a dataset, the unlock icon changes to a locked icon. While the dataset is locked, it is not available for use.
To unlock a dataset, click more_vert and Unlock.
Enter the passphrase and click Submit. To unlock child datasets, select Unlock Children. Child datasets that inherited encryption settings from the parent dataset unlock when the parent unlocks. Users can simultaneously unlock child datasets with different passphrases from the parent by entering their passphrases.
Confirm unlocking the datasets and wait for a dialog to show the unlock is successful.
There are two ways to manage the encryption credentials, with either key files or passphrases.
Always back up the key file to a safe and secure location!
Creating a new encrypted pool automatically generates a new key file and prompts you to download it.
Manually download a copy of the inherited and non-inherited encrypted dataset key files for the pool by opening the pool settings menu and selecting Export Dataset Keys. Enter the root password and click CONTINUE.
To manually download a back up of a single key file for the dataset, click the dataset more_vert and select Export Key. Enter the root password and click CONTINUE. Click DOWNLOAD KEY.
To change the key, click the dataset more_vert and Encryption Options.
Enter your custom key or click Generate Key.
To use a passphrase instead of a key file, click the dataset more_vert and Encryption Options. Change the Encryption Type from Key to Passphrase.The passphrase is the only means to decrypt the information stored in a dataset using passphrase encryption keys. Be sure to create a memorable passphrase or physically secure the passphrase.
Set the rest of the options:
Passphrase is a user-defined string of eight to 512 characters in length, to use instead of an encryption key to decrypt the dataset.
pbkdf2iters is the number of password-based key derivation function 2 (PBKDF2) iterations to use for reducing vulnerability to brute-force attacks. Entering a number greater than 100000 is required.
TrueNAS Enterprise users can connect a Key Management Interoperability Protocol (KMIP) server to centralize keys when they are not using passphrases to unlock a dataset or zvol.
Users with TrueNAS CORE or Enterprise installations without KMIP should either replicate the dataset or zvol without properties to disable encryption at the remote end or construct a special json manifest to unlock each child dataset/zvol with a unique key.
This does not affect TrueNAS Enterprise installs with KMIP.
TrueNAS no longer supports GELI encryption (deprecated).
Data can be migrated from the GELI-encrypted pool to a new ZFS-encrypted pool. Unlock the GELI-encrypted pool before attempting any data migrations. The new ZFS-encrypted pool must be at least the same size as the previous GELI-encrypted pool. Do not delete the GELI dataset until you verify the data migration.
There are a few options to migrate data from a GELI-encrypted pool to a new ZFS-encrypted pool:
- Using the Replication Wizard
- Using file transfer
- Using ZFS send and receive
GELI encrypted pools continue to be detected and supported in the TrueNAS web interface as Legacy Encrypted pools. As of TrueNAS version 12.0-U1, a decrypted GELI pool can migrate data to a new ZFS encrypted pool using the Replication Wizard.
The web interface supports using Tasks > Rsync Tasks to transfer files out of the GELI pool.This method does not preserve file ACLs.