Encryption Settings

Encrypted datasets (root, non-root parent, and child) and encrypted zvols include the Encryption widget in the set of dataset widgets shown on the Datasets screen.

Figure 1: Dataset Tree Table Encryption Icons

The Datasets tree table includes lock icons and descriptions that indicate the encryption state of datasets.

State: Description
Locked: Displays for locked encrypted root, non-root parent, and child datasets.
Unlocked: Displays for unlocked encrypted root, non-root parent, and child datasets.
Locked by ancestor: Displays for locked datasets that inherit encryption properties from the parent.
Unlocked by ancestor: Displays for unlocked datasets that inherit encryption properties from the parent.

Dataset Encryption

The Encryption option on the Pool Manager screen sets encryption for the pool and root dataset.

TrueNAS 22.12.3 or later forces encryption for all child datasets and zvols created through the TrueNAS UI within an encrypted root or parent dataset. However, datasets created outside of the UI, such as those created programmatically or manually via shell access, might not inherit encryption unless properly configured. For more granular control and awareness, we do not recommend configuring pool-level encryption of the root dataset. Instead, create an unencrypted pool and populate it with encrypted or unencrypted child datasets, as needed.

The Download Encryption Key warning window opens when you create the pool. It downloads a JSON file to the downloads folder on your system.

Figure 2: Download Pool Encryption Key

The Encryption Options settings under Advanced Options on the Add Dataset screen configure encryption for that dataset.

Figure 3: Add Dataset Encryption Options Key

Export Key Options

The Encryption widget for root datasets with encryption includes the Export All Keys and Export Key options. It does not include the Lock option.

If a dataset is encrypted using a key, the Encryption widget for that dataset includes the Export Key option.

Export All Keys Dialog

Export All Keys opens a confirmation dialog with the Download Keys option that exports a JSON file of all encryption keys to the system download folder.

Figure 4: Export All Keys

Export Key Dialog

Export Key opens a dialog showing the key for the selected dataset, and the Download Key button. Download Key exports the key to a JSON file and saves it in your system download folder.

Figure 5: Export Key

Edit Encryption Options Window

Encryption type and options are set for a dataset when it is first created, or are inherited from the root dataset. The Edit Encryption Options for datasetname window displays the current encryption option settings for the selected encrypted dataset. Use it to change the encryption type between key and passphrase, and to change the related settings.

The Edit Encryption Options for datasetname window opens with the current dataset encryption settings displayed. The encryption settings options are the same as those on Add Dataset > Encryption Options.

Figure 6: Encryption Options Key Type Window

Encryption Settings

Setting: Description
Encryption Type: Shows two encryption type options:
  • Key - Shows key-based encryption settings: a system-generated key field, an option to use a manually entered key, and key-based encryption algorithms.
  • Passphrase - Shows text fields for manual or copy/paste entry of a passphrase, and passphrase authentication algorithms.
Generate key: Shows when Encryption Type is set to Key. Selected by default; sets TrueNAS to generate a random encryption key for securing the dataset. Clearing the checkbox shows the Key field, which accepts manual or copy/paste entry of an encryption key.
  Warning! The encryption key is the only means to decrypt the information stored in a key-encrypted dataset. Store encryption keys in a secure location! Creating a new key file invalidates a previously downloaded key file (for this dataset). Delete any previous key file backups and back up the new key file.
Key: Text entry field that accepts manual or copy/paste entry of an encryption key string to secure the dataset.
Algorithm: Shows a dropdown list of the algorithms that determine how plaintext converts into ciphertext, for both key and passphrase encryption types. See Advanced Encryption Standard (AES) for more details on each option.
Passphrase / Confirm Passphrase: Text entry fields that accept manual or copy/paste entry of an alphanumeric string or phrase to secure the dataset.
pbkdf2iters: Sets the number of password-based key derivation function 2 (PBKDF2) iterations used to reduce vulnerability to brute-force attacks. Entering a number larger than 100000 is required. See PBKDF2 for more details.
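The script below is an added example, not TrueNAS code. It applies the constraints the table states (a matching passphrase and confirmation, a pbkdf2iters value larger than 100000) and shows the PBKDF2-HMAC-SHA256 stretching that the iteration count controls, so you can see how each extra iteration raises the cost of a guess. The 64-hex-character raw key format, the constant and function names, and the sample salt and passphrases are assumptions constructed for illustration.

```python
import hashlib
import re
import secrets
import time

# Lower bound from the page: pbkdf2iters must be larger than 100000.
MIN_PBKDF2_ITERS = 100_000
# Assumption: a raw 256-bit key is entered as 64 hexadecimal characters.
HEX_KEY_RE = re.compile(r"^[0-9a-fA-F]{64}$")


def generate_key():
    """Return a random 256-bit key as 64 hex characters (assumed key format)."""
    return secrets.token_hex(32)


def validate_settings(encryption_type, key=None, passphrase=None,
                      confirm_passphrase=None, pbkdf2iters=None):
    """Return a list of problems; an empty list means the settings are acceptable."""
    problems = []
    if encryption_type == "key":
        if key is None or not HEX_KEY_RE.match(key):
            problems.append("key must be 64 hexadecimal characters (256-bit raw key)")
    elif encryption_type == "passphrase":
        if not passphrase:
            problems.append("passphrase is empty")
        elif passphrase != confirm_passphrase:
            problems.append("passphrase and confirmation differ")
        # The page requires a value strictly larger than 100000.
        if pbkdf2iters is None or pbkdf2iters <= MIN_PBKDF2_ITERS:
            problems.append(f"pbkdf2iters must be larger than {MIN_PBKDF2_ITERS}")
    else:
        problems.append(f"unknown encryption type {encryption_type!r}")
    return problems


def derive_key(passphrase, salt, iterations):
    """Stretch a passphrase into a 32-byte key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                               iterations, dklen=32)


def time_derivation(passphrase, salt, iterations):
    """Seconds spent on one derivation; an attacker pays this per guess."""
    start = time.perf_counter()
    derive_key(passphrase, salt, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Constructed inputs; the salt would normally be random per dataset.
    salt = b"constructed-demo-salt"
    print("generated key:", generate_key())
    print("key settings ok:", validate_settings("key", key=generate_key()))
    print("too few iterations:", validate_settings(
        "passphrase", passphrase="correct horse", confirm_passphrase="correct horse",
        pbkdf2iters=50_000))
    for iters in (1_000, 100_001, 350_000):
        print(f"{iters:>8} iterations: {time_derivation('correct horse', salt, iters):.4f}s")
```

The timing loop is the practical point: the iteration count multiplies the work of every guess while costing the legitimate user the same one-off delay at unlock time, which is why the UI refuses values at or below 100000.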

Lock Dataset Dialog

Lock shows on the Encryption widget when you encrypt a dataset (or zvol) with a passphrase. An encrypted child that inherits encryption from an encrypted parent does not show the Lock option on its Encryption widget, because the parent dataset controls the lock state of that child. The locked icon for child datasets that inherit encryption is the locked by ancestor icon.

Lock opens the Lock Dataset confirmation dialog with the option to Force unmount and Lock the dataset. Force unmount disconnects any client system accessing the dataset via the sharing protocol. Do not select this option unless you are certain the dataset is not used or accessed by a share, application, or other system service.

Figure 7: Lock Dataset Dialog

After locking a dataset, the Encryption widget displays Locked as the Current State and adds the Unlock option.

Unlock Datasets Screen

Unlock shows on the Encryption widget for locked datasets that are not child datasets inheriting encryption from the parent dataset. Unlock opens the Unlock Datasets screen, which lets you unlock the selected dataset and its child datasets at the same time.

Figure 8: Unlock Non-Root Parent and Child Datasets Screen

If you select a child dataset of a root (pool-level) dataset or a non-root parent, the screen includes only the one Dataset Passphrase field, and the option to Unlock Child Encrypted Roots is pre-selected.

Figure 9: Unlock Datasets Screen

Unlock Dataset Settings

Setting: Description
Unlock Child Encrypted Roots: Unlocks any encrypted dataset stored within this dataset.
Dataset Passphrase / Dataset Key: Text entry field that accepts manual or copy/paste entry of the user-defined string (passphrase), or the system-generated or user-created alphanumeric key, entered when you created the dataset.
Force: Adds a force flag to the operation. In some cases, the provided key/passphrase might be valid, but the path where the dataset is supposed to be mounted after being unlocked already exists and is not empty. In this case, the unlock operation fails. Adding the force flag can override this: when selected, the system renames the existing dataset mount directory/file path and unlocks the dataset.
Save: Starts the unlock process, fetches data, and displays the Unlock Datasets dialog with the dataset mount path. Continue unlocks the dataset.
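The Force behaviour described in the table is easiest to understand as a precondition check on the mount path. The script below is an added example, not TrueNAS or OpenZFS code: it models only that check (a non-empty directory, a file, or a symlink already occupying the mount path blocks the unlock, and Force moves the obstacle aside by renaming it) inside a temporary directory, so it runs offline and touches no real pool. The function names, the rename suffix, and the "stale.txt" leftover file are constructed for illustration.

```python
import os
import shutil
import tempfile
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class UnlockPlan:
    ok: bool
    reason: str
    renamed_to: Optional[str] = None


def mountpoint_blocked(path):
    """True when something non-empty already occupies the mount path."""
    if not os.path.lexists(path):
        return False                       # nothing there: mount will succeed
    if os.path.isdir(path) and not os.path.islink(path):
        return len(os.listdir(path)) > 0   # an empty directory is fine
    return True                            # a file or symlink in the way blocks mounting


def prepare_mountpoint(path, force=False, suffix=None):
    """Apply the Force rule: refuse a blocked path, or rename it out of the way."""
    if not mountpoint_blocked(path):
        return UnlockPlan(True, "mount path is absent or empty")
    if not force:
        return UnlockPlan(False, f"{path} exists and is not empty; unlock would fail without Force")
    # Assumed naming scheme for the moved-aside path; the page only says it is renamed.
    suffix = suffix or time.strftime("%Y%m%d%H%M%S")
    new_path = f"{path}-{suffix}"
    os.rename(path, new_path)
    return UnlockPlan(True, "existing mount path renamed out of the way", new_path)


def run_scenario():
    """Walk the mount path through absent, empty, and non-empty states."""
    base = tempfile.mkdtemp(prefix="unlock-demo-")
    mount_path = os.path.join(base, "tank_secure")
    results = {}
    try:
        results["absent"] = prepare_mountpoint(mount_path).ok
        os.mkdir(mount_path)
        results["empty"] = prepare_mountpoint(mount_path).ok
        with open(os.path.join(mount_path, "stale.txt"), "w") as fh:
            fh.write("constructed leftover file\n")
        results["nonempty_no_force"] = prepare_mountpoint(mount_path).ok
        plan = prepare_mountpoint(mount_path, force=True, suffix="bak")
        results["nonempty_force"] = plan.ok
        results["renamed_to"] = plan.renamed_to
        results["path_now_free"] = (not os.path.lexists(mount_path)
                                    and os.path.isdir(mount_path + "-bak"))
    finally:
        shutil.rmtree(base)
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

Because the renamed directory keeps its contents, anything that was written to the mount path while the dataset was locked is preserved rather than hidden under the mounted dataset; check that moved-aside path after a forced unlock before deleting it.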