Encryption Settings
6 minute read.
Datasets, root, non-root parent, and child, or zvols with encryption include the Encryption widget in the set of dataset widgets shown on the Datasets screen.
The Datasets tree table includes lock icons and descriptions that indicate the encryption state of datasets.
| Icon | State | Description |
|---|---|---|
 | Locked | Displays for locked encrypted root, non-root parent and child datasets. |
 | Unlocked | Displays for unlocked encrypted root, non-root parent and child datasets. |
 | Locked by ancestor | Displays for locked datasets that inherit encryption properties from the parent. |
 | Unlocked by ancestor | Displays for unlocked datasets that inherit encryption properties from the parent. |
The Encryption option on the Pool Manager screen sets encryption for the pool and root dataset.
TrueNAS 22.12.3 or later forces encryption for all child datasets and zvols within an encrypted root or parent dataset that are using the TrueNAS UI. However, datasets created outside of the UI, such as those created programmatically or manually via shell access, might not inherit encryption unless properly configured. For more granular control and awareness, we do not recommend users configure pool-level encryption of the root dataset. Instead, create an unencrypted pool and populate it with encrypted or unencrypted child datasets, as needed.
The Download Encryption Key warning window opens when you create the pool. It downloads a JSON file to the downloads folder on your system.
The Encryption Options settings under Advanced Options on the Add Dataset screen configure encryption for that dataset.
The Encryption widget for root datasets with encryption includes the Export All Keys and Export Key options. It does not include the Lock option.
If a dataset is encrypted using a key, the Encryption widget for that dataset includes the Export Key option.
Export All Keys opens a confirmation dialog with the Download Keys option that exports a JSON file of all encryption keys to the system download folder.
Export Key opens a dialog showing the key for the selected dataset, and the Download Key button. Download Key exports the key to a JSON file and saves it in your system download folder.
Encryption type and options are set for a dataset when it is first created or are inherited from the root dataset. The Edit Encryption Options for datasetname displays the current encryption option settings for the selected encrypted dataset. Use to change the encryption type from or to key or passphrase, and the related settings.
The Edit Encryption Options for datasetname window opens with the current dataset encryption settings displayed. The encryption settings options are the same as those on Add Dataset > Encryption Options.
Lock shows on the Encryption widgets when you encrypt a dataset (or zvol) with a passphrase. An encrypted child that inherits encryption from an encrypted parent does not see the Lock option on its Encryption widget when the lock state is controlled by the parent dataset for that child dataset. The locked icon for child datasets that inherit encryption is the locked by ancestor icon.
Lock opens the Lock Dataset confirmation dialog with the option to Force unmount and Lock the dataset. Force unmount disconnects any client system accessing the dataset via the sharing protocol. Do not select this option unless you are certain the dataset is not used or accessed by a share, application, or other system services.
After locking a dataset, the Encryption screen displays Locked as the Current State and adds the Unlock option.
Unlock on the Encryption widget shows for locked datasets that are not child datasets that inherit encryption from the parent dataset. Unlock opens the Unlock Datasets screen, which is used when you unlock the selected dataset and child datasets simultaneously.
If you select a child dataset of a root (pool-level) dataset or a non-root parent, the screen includes only the one Dataset Passphrase field, and the option to Unlock Child Encrypted Roots is pre-selected.
