TrueNAS Open Storage Logo
TrueNAS.com Products Enterprise Support Community Support Truenas Security Get TrueNAS Enterprise Download TrueNAS Community Edition About TrueNAS Careers
TrueNAS Open Storage Logo
F-Series
F-Series

All-Flash NVMe Performance.

H-Series
H-Series

Big business performance. Entry level pricing.

Mini Series
Mini Series

Home Labs, Small Office & SMB Applications.

M-Series
M-Series

All-Flash or Hybrid Enterprise Performance.

R-Series
R-Series

Single Controller Storage Appliances.

TrueNAS Enterprise Icon
TrueNAS Enterprise

Mission Critical Storage. 24×7 Enterprise Support.

TrueCommand Icon
TrueCommand

Manage Your TrueNAS Fleet All From One Place.

Use Cases

Analytics Backup & Archival Cloud Data Mobility File Sharing
iX-Storj Media & Entertainment Surveillance Veeam Backup Virtualization

Industry

Audio Broadcasting Gaming Healthcare Manufacturing Media & Entertainment
Automotive Education Government MSP Research & AI

Support

Enterprise Support

For customers with active support contracts.

Community Support

For peer-to-peer, open-source support.

Resources

Case Studies Documentation TrueNAS API Apps Market TrueNAS Security FAQ ZFS Overview
TrueNAS Blog Solution Guides Datasheets Software Status Videos TrueCommand Cloud
TrueNAS Community Edition Community Forum Discord TrueNAS GitHub TrueNAS Merch Store
About TrueNAS Awards Careers Contact Us Our Clients Reviews
Contact Icon
Contact an Enterprise Specialist

Speak with an enterprise storage specialist to find the right solutions for your business needs.

TrueNAS Enterprise Icon
TrueNAS Enterprise

Enterprise-grade storage appliances designed for business and mission-critical environments.

TrueNAS Community Edition Icon
Download TrueNAS Community Edition

Test Drive TrueNAS in Your Environment.

  1. Documentation Hub
  2. /
  3. TrueNAS 25.10 (Early)
  4. /
  5. UI Reference Guide
  6. /
  7. Datasets
  8. /
  9. Encryption Settings
Edit page

Encryption Settings

  6 minute read.

Datasets, root, non-root parent, and child, or zvols with encryption include the ZFS Encryption widget in the set of dataset widgets displayed on the Datasets screen.

Dataset Tree Table Encryption Icons
Figure 1: Dataset Tree Table Encryption Icons

The Datasets tree table includes lock icons and descriptions that indicate the encryption state of datasets.

IconStateDescription
DatasetLockedEncryptionIconLockedDisplays for locked encrypted root, non-root parent and child datasets.
DatasetUnlockedEncryptionIconUnlockedDisplays for unlocked encrypted root, non-root parent and child datasets.
DatasetLockedByAncestorEncryptionIconLocked by ancestorDisplays for locked datasets that inherit encryption properties from the parent.
DatasetUnlockedbyAncestorEncryptIconUnlocked by ancestorDisplays for unlocked datasets that inherit encryption properties from the parent.

Dataset Encryption

The Encryption option on the Pool Manager screen sets encryption for the pool and root dataset.

TrueNAS 22.12.3 or later forces encryption for all child datasets and zvols within an encrypted root or parent dataset that are using the TrueNAS UI. However, datasets created outside of the UI, such as those created programmatically or manually via shell access, might not inherit encryption unless properly configured. For more granular control and awareness, we do not recommend users configure pool-level encryption of the root dataset. Instead, create an unencrypted pool and populate it with encrypted or unencrypted child datasets, as needed.

The Download Encryption Key warning window displays when you create the pool. It downloads a JSON file to your downloads folder.

Download Pool Encryption Key
Figure 2: Download Pool Encryption Key

The Encryption Options settings under Advanced Options on the Add Dataset screen configure encryption for that dataset.

Add Dataset Encryption Options Key
Figure 3: Add Dataset Encryption Options Key

Export Key Options

The ZFS Encryption widget for root datasets with encryption includes the Export All Keys and Export Key options. It does not include the Lock option.

If a dataset is encrypted using a key, the ZFS Encryption widget for that dataset includes the Export Key option.

Export All Keys Dialog

Export All Keys opens a confirmation dialog with the Download Keys option that exports a JSON file of all encryption keys to the system download folder.

Export All Keys
Figure 4: Export All Keys

Export Key Dialog

Export Key opens a dialog with the key for the selected dataset and the Download Key option that exports a JSON file with the encryption key to your system download folder.

Export Key
Figure 5: Export Key

Edit Encryption Options Window

Encryption type and options are set for a dataset when it is first created or are inherited from the root dataset. The Edit Encryption Options for datasetname displays the current encryption option settings for the selected encrypted dataset. Use to change the encryption type from or to key or passphrase, and the related settings.

The Edit Encryption Options for datasetname window opens with the current dataset encryption settings displayed. The encryption settings options are the same as those on Add Dataset > Encryption Options.

Encryption Options Key Type Window
Figure 6: Encryption Options Key Type Window
Encryption Settings

SettingDescription
Encryption TypeSelect the option for the type of encryption to secure the dataset from the dropdown list. Select Key to use key-based encryption and display the Generate Key option. Select Passphrase to enter a user-defined passphrase to secure the dataset. This displays two additional Passphrase fields to enter and confirm the passphrase and the pbkdf2iters field.
Generate keySelected by default to have the system randomly generate an encryption key for securing this dataset. Clearing the checkbox displays the Key field and requires you to enter an encryption key you define. Warning! The encryption key is the only means to decrypt the information stored in this dataset. Store encryption keys in a secure location! Creating a new key file invalidates any previously downloaded key file for this dataset. Delete any previous key file backups and back up the new key file.
KeyEnter or paste a string to use as the encryption key for this dataset.
AlgorithmDisplays for both key and passphrase encryption types. Select the mathematical instruction set that determines how plaintext converts into ciphertext from the dropdown list of options. See Advanced Encryption Standard (AES) for more details.
Passphrase
Confirm Passphrase		Enter the alpha-numeric string or phrase you want to use to secure the dataset.
pbkdf2itersEnter the number of password-based key deviation function 2 (PBKDF2) iterations to use for reducing vulnerability to brute-force attacks. Entering a number larger than 100000 is required. See PBKDF2 for more details.

Lock Dataset Dialog

Lock displays on encrypted non-root parent or child datasets ZFS Encryption widgets. An encrypted child that inherits encryption from a non-root parent does not see the Lock option on its ZFS Encryption widget because the lock state is controlled by the parent dataset for that child dataset. The locked icon for child datasets that inherit encryption is the locked by ancestor icon.

Lock opens the Lock Dataset confirmation dialog with the option to Force unmount and Lock the dataset. Force unmount disconnects any client system accessing the dataset via sharing protocol. Do not select this option unless you are certain the dataset is not used or accessed by a share, application, or other system services.

Lock Dataset Dialog
Figure 7: Lock Dataset Dialog

After locking a dataset, the ZFS Encryption screen displays Locked as the Current State and adds the Unlock option.

Unlock Datasets Screen

Unlock on the ZFS Encryption widget displays for locked datasets that are not child datasets that inherit encryption from the parent dataset. Unlock opens the Unlock Datasets screen, which allows you to unlock the selected dataset and child datasets simultaneously.

Unlock Non-Root Parent and Child Datasets Screen
Figure 8: Unlock Non-Root Parent and Child Datasets Screen

If you select a child dataset of the root dataset or a non-root parent, the screen includes only the one Dataset Passphrase field, and the option to Unlock Child Encrypted Roots pre-selected.

Unlock Datasets Screen
Figure 9: Unlock Datasets Screen
Unlock Dataset Settings
SettingDescription
Unlock Child Encrypted RootsSelect to unlock any encrypted dataset stored within this dataset.
Dataset Passphrase
Dataset Key		Enter the user-defined string (passphrase) or system-generated or user-created alpha-numeric key you entered when you created the dataset.
ForceSelect to add a force flag to the operation. In some cases the provided key/passphrase may be valid but the path where the dataset is supposed to be mounted after being unlocked already exists and is not empty. In this case, the unlock operation fails. Adding the force flag can override this and when selected, the system renames the existing dataset mount directory/file path and unlocks the dataset.
SaveStarts the unlock process, fetches data, and displays the Unlock Datasets dialog with the dataset mount path. Click Continue to unlock the dataset.
SaveStarts the unlock process, fetches data, and displays the Unlock Datasets dialog with the dataset mount path. Click Continue to unlock the dataset.

Related Content

UI Reference
Getting Started
Tutorials
General Reference

Have more questions?

For further discussion or assistance, see these resources:

Found content that needs an update?  You can suggest content changes directly! To request changes to this content, click the Feedback button located on the middle-right side of the page (might require disabling ad blocking plugins).