
Storage Encryption


Last Modified 2021-04-01 12:00 EDT

TrueNAS supports different encryption options for critical data.

Users are responsible for backing up and securing encryption key files and passphrases! Losing the ability to decrypt data is similar to a catastrophic data loss.

Data-at-rest encryption is available with:

Keys for data-at-rest are managed on the local TrueNAS system. The user is responsible for storing and securing their keys. The Key Management Interoperability Protocol (KMIP) is included in TrueNAS 12.0.

Encrypting a Storage Pool

Encrypting the root dataset of a new storage pool further increases data security. Create a new pool and set Encryption in the Pool Manager. TrueNAS shows a warning.

Storage Pools Add Encryption Warning

Read the warning, set Confirm, and click I Understand.

The default encryption Cipher is recommended, but there are other ciphers available.


TrueNAS supports AES Galois Counter Mode (GCM) and Counter with CBC-MAC (CCM) algorithms for encryption. These algorithms provide authenticated encryption with block ciphers.

Encrypting a New Dataset

New datasets within an existing storage pool can also be encrypted without encrypting the entire pool. To encrypt a single dataset, go to Storage > Pools, open the (Options) menu for an existing dataset, and click Add Dataset.


Look at the Encryption Options and, when the parent dataset is unencrypted, unset Inherit and set Encryption.


Now choose which Type of authentication to use: a Key or a Passphrase. The remaining options are the same as a new pool. Datasets with encryption enabled show additional icons in the Storage > Pools list.

Locking and Unlocking Datasets

The dataset status is shown by an icon:

  • Dataset unlocked icon
  • Dataset locked icon

Encrypted datasets can only be locked and unlocked if they are secured with a passphrase instead of a keyfile. Before locking a dataset, verify that it is not currently in use, then click (Options) and Lock.


Use the Force unmount option only if you are certain that no one is currently accessing the dataset. After locking a dataset, the unlock icon changes to a locked icon. While the dataset is locked, it is not available for use.

To unlock a dataset, click (Options) and Unlock.


Enter the passphrase and click Submit. If there are child datasets that are locked with the same passphrase you can unlock them all at the same time by setting Unlock Children. Confirm unlocking the datasets and wait for a dialog to confirm the unlock is successful.


The dataset listing changes to show the unlocked icon.

Encryption Management

There are two ways to manage the encryption credentials: with key files or with passphrases.

Key Files

Creating a new encrypted pool automatically generates a new key file and prompts you to download it. Always back up the key file to a safe and secure location.


To manually back up a root dataset key file, open the pool menu and select Export Dataset Keys.


To change the key, click the dataset and Encryption Options.


Enter your custom key or click Generate Key.



To use a passphrase instead of a keyfile, click the dataset and Encryption Options. Change the Encryption Type from Key to Passphrase.

Storage Pools Dataset Encryption Passphrase

Set the rest of the options:

  • Passphrase : User-defined string used to decrypt the dataset. Can be used instead of an encryption key. Must be longer than 8 characters.
    The passphrase is the only means to decrypt the information stored in this dataset. Be sure to create a memorable passphrase or physically secure the passphrase.
  • pbkdf2iters : Number of password-based key derivation function 2 (PBKDF2) iterations used to slow down brute-force attacks on the passphrase. A number larger than 100000 is required.

Legacy GELI Encryption

GELI encryption is deprecated in TrueNAS and no longer supported.

Data must be migrated out of the GELI pool and into a ZFS-encrypted pool.

GELI Pool Migrations

Data can be migrated from the GELI-encrypted pool to a new ZFS-encrypted pool. Be sure to unlock the GELI-encrypted pool before attempting any data migrations. The new ZFS-encrypted pool must be at least the same size as the previous GELI-encrypted pool. Do not delete the GELI dataset until you have verified the data migration.

There are a few options to migrate data from a GELI-encrypted pool to a new ZFS-encrypted pool:

In future TrueNAS versions, a decrypted GELI pool will be able to migrate data to a new ZFS encrypted pool using an advanced Replication Task (NAS-107463). Until this time, GELI encrypted pools will continue to be detected and supported in the TrueNAS web interface, so you are not required to immediately migrate data away from GELI pools. Before using the command line to migrate data, it is recommended to consider the benefits and drawbacks of immediately migrating from GELI to ZFS.

The web interface supports using Tasks > Rsync Tasks to transfer files out of the GELI pool. In the Shell, rsync and other file transfer mechanisms (scp, cp, sftp, ftp, rdiff-backup) are available for copying data between pools. This method does not preserve file ACLs.

These instructions are an example walkthrough. It is not an exact step-by-step guide for all situations. Research ZFS send/receive before attempting this. There are many edge cases that cannot be covered by a simple example.


  • GELI pool = pool_a
  • Origin dataset = dataset_1
  • Latest snapshot of the GELI pool = snapshot_name
  • ZFS native encrypted pool = pool_b
  • Receiving dataset = dataset_2

  1. Create a new encrypted pool in Storage > Pools.
  2. Open the Shell. Make a new snapshot of the GELI pool and dataset with the data to be migrated: zfs snapshot -r pool_a/dataset_1@snapshot_name.
  3. Create a passphrase: echo passphrase > /tmp/pass.
  4. Use ZFS send/receive to transfer the data between pools: zfs send -Rv pool_a/dataset_1@snapshot_name | zfs recv -o encryption=on -o keyformat=passphrase -o keylocation=file:///tmp/pass pool_b/dataset_2.
  5. When the transfer is complete, go to Storage > Pools and lock the new dataset. After locking the dataset, immediately unlock it. TrueNAS prompts for the passphrase. After you enter the passphrase and the dataset is unlocked, you can delete the /tmp/pass file used for the transfer.
  6. If desired, you can convert the dataset to use a key file instead of a passphrase. To use a key file, click the dataset (Options) and click Encryption Options. Change the Encryption Type from Passphrase to Key and save. Back up your key file immediately!
  7. Repeat this process for every dataset in the pool that needs to be migrated.
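The walkthrough above, as an added example that is not part of the TrueNAS documentation: a small POSIX shell wrapper that composes the same zfs snapshot and send/receive commands using the page's placeholder names (pool_a/dataset_1, snapshot_name, pool_b/dataset_2), enforces the passphrase and pbkdf2iters limits from the Passphrases section, rejects dataset names containing anything other than ZFS name characters before they reach the shell, writes the passphrase file with mode 0600 instead of the world-readable file that echo passphrase > /tmp/pass leaves behind, and prints each command instead of running it unless DRY_RUN=0. The function names and the zfs change-key helper for raising pbkdf2iters are my additions, not commands from the page.

```shell
#!/bin/sh
# Added example, not part of the TrueNAS documentation. Wraps the GELI -> ZFS
# native encryption walkthrough: every zfs command is built as a string and
# only printed (DRY_RUN=1, the default); set DRY_RUN=0 on a TrueNAS shell to run it.
set -u

# ZFS names: components of letters, digits and _ . : - joined by /, with an
# optional @snapshot part. Anything else is rejected before it reaches eval.
valid_zfs_name() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_.:-]+(/[A-Za-z0-9_.:-]+)*(@[A-Za-z0-9_.:-]+)?$'
}

# Limits from the Passphrases section: longer than 8 characters, more than 100000 iterations.
check_passphrase()  { [ "${#1}" -gt 8 ]; }
check_pbkdf2iters() { [ "$1" -gt 100000 ] 2>/dev/null; }

# Command builders: $1=source dataset $2=snapshot $3=destination dataset $4=passphrase file
snapshot_cmd()  { printf 'zfs snapshot -r %s@%s' "$1" "$2"; }
send_recv_cmd() {
    printf 'zfs send -Rv %s@%s | zfs recv -o encryption=on -o keyformat=passphrase -o keylocation=file://%s %s' \
        "$1" "$2" "$4" "$3"
}
# Confirms the received dataset really is encrypted with a passphrase key.
verify_cmd() { printf 'zfs get -H -o property,value encryption,keyformat,keylocation %s' "$1"; }
# Raises the PBKDF2 cost of an existing passphrase-protected dataset ($1=dataset $2=iterations).
# Assumed helper: the page sets pbkdf2iters through the web interface instead.
change_iters_cmd() { printf 'zfs change-key -o keyformat=passphrase -o pbkdf2iters=%s %s' "$2" "$1"; }

run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then printf '+ %s\n' "$1"; else eval "$1"; fi
}

# migrate_geli_dataset SRC_DATASET SNAPSHOT DST_DATASET PASSPHRASE
migrate_geli_dataset() {
    src=$1; snap=$2; dst=$3; pass=$4
    { valid_zfs_name "$src@$snap" && valid_zfs_name "$dst"; } ||
        { echo "invalid ZFS dataset or snapshot name" >&2; return 1; }
    check_passphrase "$pass" || { echo "passphrase must be longer than 8 characters" >&2; return 1; }

    if [ "${DRY_RUN:-1}" = 1 ]; then
        passfile=/tmp/pass   # the page's path, shown but not created in dry-run mode
    else
        # mktemp creates the file with mode 0600, so the plaintext passphrase is
        # never world-readable the way 'echo passphrase > /tmp/pass' leaves it.
        passfile=$(mktemp "${TMPDIR:-/tmp}/geli-migrate.XXXXXX") || return 1
        printf '%s\n' "$pass" > "$passfile"
    fi

    run "$(snapshot_cmd "$src" "$snap")"
    run "$(send_recv_cmd "$src" "$snap" "$dst" "$passfile")"
    run "$(verify_cmd "$dst")"
    # The file holds the plaintext passphrase: keep it only until the web-interface
    # lock/unlock step from the walkthrough is done, then remove it.
    printf 'Next: lock and unlock %s in Storage > Pools, then rm -f %s\n' "$dst" "$passfile"
}
```

Run it once with the default DRY_RUN=1 and read the printed commands before repeating with DRY_RUN=0; the name validation matters because the composed string is passed to eval, and the 0600 temporary file is the only change to the page's procedure itself.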