
Encryption


Last Modified 2022-05-11 09:54 EDT

TrueNAS SCALE offers ZFS encryption for your sensitive data in pools and datasets or zvols.

Users are responsible for backing up and securing encryption keys and passphrases! Losing the ability to decrypt data is similar to a catastrophic data loss.

Data-at-rest encryption is available with:

The local TrueNAS system manages keys for data-at-rest. Users are responsible for storing and securing their keys. TrueNAS SCALE includes the Key Management Interoperability Protocol (KMIP).

Pool Manager Encryption

Encryption is for users storing sensitive data. Pool-level encryption does NOT apply to the storage pool or the disks in the pool. It only applies to the root dataset that shares the same name as the pool. Child datasets, or zvols, inherit encryption from the parent dataset unless you override encryption when creating the child datasets or zvols.

Encrypting the root dataset of a new storage pool further increases data security. Create a new pool and check the Encryption box on the Pool Manager screen. The SCALE encryption warning dialog box displays.

[Screenshot: PoolEncryptionWarningSCALE]

Read the warning, select the Confirm checkbox, and click I UNDERSTAND.

You can select any of the encryption ciphers listed, but we recommend using the default encryption cipher.

[Screenshot: CiphersSCALE]

TrueNAS supports AES in Galois/Counter Mode (GCM) and Counter with CBC-MAC (CCM) for encryption. Both are authenticated encryption modes built on the AES block cipher, so they protect data integrity as well as confidentiality: modified ciphertext fails verification when it is read back.

Encrypting a New Dataset

You can create new datasets within an existing storage pool as either encrypted or non-encrypted. A mix of encrypted and non-encrypted datasets can exist in a single storage pool.

To encrypt a dataset, create a new dataset and, after typing a name, scroll down to Encryption Options. The encryption fields on the Add Dataset configuration screen change based on the Encryption Type selected.

Because child datasets inherit settings from the parent dataset, the Add Dataset configuration screen displays with the inherit checkbox already check-marked. The text of this inherit checkbox changes based on the parent encryption setting.

Inherit (encrypted) displays for an encrypted parent dataset.

[Screenshot: AddDatasetInheritNonEncrypted]

Inherit (non-encrypted) displays for a parent dataset not encrypted.

[Screenshot: AddDatasetInheritEncrypted]

You can change the inherited encrypted/non-encrypted state by unchecking the inherit box.

Click the check-marked Inherit (encrypted) or Inherit (non-encrypted) checkbox to turn off the inherited encryption settings. The Encryption checkbox then displays already check-marked, and you can change this dataset’s encryption settings.

If you uncheck the Encryption checkbox on the Add Dataset configuration screen, the encryption fields no longer display and the new child dataset is not encrypted.

Encryption Options fields change based on the Encryption Type selected. There are two options, Key or Passphrase. The default setting is Key.

[Screenshot: AddDatasetEncryptionSelectedkeyType]

The Generate Key checkbox defaults to check-marked. If you uncheck it, the required Key text field displays below it. Type the encryption key you want to use into this field.

[Screenshot: AddDatasetEncryptionGenerateKeyDeselected]

If you change the Encryption Type to Passphrase, new passphrase fields display.

[Screenshot: AddDatasetEncryptionSelectedPassphraseType]

If using the passphrase option, choose a complex phrase that is not easy to guess.

Keep both encryption keys and/or passphrases safeguarded in a secure and protected place. Losing encryption keys or passphrases can result in permanent data loss!

After configuring the new dataset encryption settings and any other settings, click Save. The new dataset displays on the Storage screen below its parent dataset. If you encrypt a dataset, an unlocked icon displays to the right of its name and a locked icon displays to the right of the root dataset name. A child dataset remains unlocked until you lock it.

[Screenshot: StorageDatasetList]

Changing Dataset Encryption

Click Encryption Options on the Dataset Actions menu to change dataset encryption settings. This option only displays on the menu for datasets with encryption configured. The Edit Encryption Options configuration window displays, and the window name includes the full path name of the dataset. In the example used, the path includes the root dataset tank, the child dataset without encryption tank-child, and finally the selected encrypted child-of-the-child dataset tank-child-encrypt (i.e., tank/tank-child/tank-child-encrypt).

[Screenshot: EditEncryptionOptionsWindow]

Click the Confirm checkbox to check-mark it and then click Save after making any changes.

After saving any change to the encryption key or passphrase, update your saved passcodes and keys file, and then back up that file.

Locking and Unlocking Datasets

TrueNAS displays a dataset status with icons:

  • Dataset unlocked icon: [icon]
  • Dataset locked icon: [icon]

The locked icon displayed beside the root dataset after adding a dataset with encryption, and also beside a dataset whose encryption properties do not match the root dataset, is: [icon: UnecryptedPoolEncryptionDatasetIcon]

You can only lock and unlock an encrypted dataset when it is secured with a passphrase instead of a key file. Before locking a dataset, verify that it is not currently in use.

Locking a Dataset

Click the dataset’s icon to display the Dataset Actions menu and then click on Lock. The Lock Dataset dialog box displays and includes the dataset full path name.

[Screenshot: LockDatasetSCALE]

Use the Force unmount option only if you are certain no one is currently accessing the dataset. Click the Confirm checkbox to check-mark it and activate the LOCK button, and then click LOCK. A confirmation window displays indicating the dataset is locked, and the unlocked icon changes to a locked icon.

You cannot use locked datasets.

Unlocking a Dataset

To unlock a dataset, click on the icon to display the Dataset Actions menu and then click on Unlock.

[Screenshot: UnlockDatasetSCALE]

Type the passphrase into the Dataset Passphrase field and click Save. You can unlock all locked child datasets using the same passphrase at the same time by check-marking the Unlock Children checkbox. A confirmation window displays.

[Screenshot: UnlockSuccessSCALE]

Click CONTINUE to confirm you want to unlock the datasets or CANCEL to exit and keep the datasets locked. A second confirmation window displays confirming the datasets are unlocked. Click CLOSE. TrueNAS displays the dataset with the unlocked icon.

Encrypting a Zvol

Encryption is for securing sensitive data.

You can only encrypt a zvol if you create the zvol from a dataset with encryption.

Zvols, like datasets, inherit encryption settings from the parent dataset. To encrypt a zvol, select a dataset configured with encryption and then create a new zvol. Next, click the icon to display the Zvol Actions menu.

[Screenshot: AddZvolActionsMenuWithEncryptionOptions]

If you do not see encryption options on the menu, you created the zvol from a dataset not configured with encryption. You can delete the zvol and start over.

Click Encryption Options. The Edit Encryption Options configuration window displays with the Inherit encryption properties from parent checkbox already check-marked.

[Screenshot: EditZvolInheritEncryptionProperties]

Like datasets, the window name includes the full path for the zvol. In this example, the path includes the root dataset tank, the encrypted child dataset tank-child-encrypt, and finally the zvol name zvol-tank-child-encrypt (i.e., tank/tank-child-encrypt/zvol-tank-child-encrypt).

If not making changes, click the Confirm checkbox to activate the Save button, and then click Save. The zvol is encrypted with settings inherited from its parent.

To change inherited encryption properties, click on the inherit checkbox to uncheck it. Additional configuration option fields display.

[Screenshot: EditZvolUncheckInheritEncryption]

If Encryption Type is set to Key, type an encryption key into the Key field or check-mark the Generate Key checkbox. If set to Passphrase, type a passphrase at least eight characters long into both the Passphrase and Confirm Passphrase fields. After making any changes, click the Confirm checkbox to check-mark it and activate the Save button, and then click Save. The zvol is now encrypted with settings not inherited from its parent.

Save any change to the encryption key or passphrase, update your saved passcodes and keys file, and back up the file.

Managing Encryption Credentials

There are two ways to manage the encryption credentials, with a key file or passphrase.

Creating a new encrypted pool automatically generates a new key file and prompts users to download it.

Always back up the key file to a safe and secure location.

[Screenshot: DownloadEncryptionKeySCALE]

To manually back up a root dataset key file, open the pool menu and select Export Key.

[Screenshot: ExportKeySCALE]

To change the key, click the dataset’s icon and then click on Encryption Options.

[Screenshot: EncryptionOptionsButtonSCALE]

To enter your own key, click the Generate Key checkbox to uncheck it and display the Key text entry field. Leave Generate Key check-marked to generate a random encryption key, which displays in the Key field. Click Save to complete the process and close the window.

[Screenshot: EncryptionOptionsSCALE]

To use a passphrase instead of a key file, click the dataset’s icon to display the Dataset Actions menu and then click on Encryption Options. Change the Encryption Type from Key to Passphrase.

[Screenshot: EncryptionPassphraseSCALE]

Set the rest of the options:

  • Passphrase: A user-defined string at least eight characters long that is required to decrypt the dataset. Type it into the Passphrase and Confirm Passphrase fields. The passphrase is the only means to decrypt the information stored in this dataset. Be sure to create a memorable passphrase or physically secure the passphrase.
  • pbkdf2iters: The number of password-based key derivation function 2 (PBKDF2) iterations used when turning the passphrase into the encryption key. A higher count makes each guess in a brute-force attack on the passphrase more expensive. Users must enter a number greater than 100000.

Unlocking a Replicated Encrypted Dataset or Zvol Without a Passphrase

TrueNAS SCALE users should either replicate the dataset/zvol without properties, so that the copy on the remote end is not encrypted, or construct a JSON manifest to unlock each child dataset/zvol that has a unique key.

  1. Replicate every encrypted dataset you want to replicate with properties.
  2. Export the key for every child dataset that has a unique key.
  3. For each child dataset, construct a JSON file containing the pool name/dataset name on the destination system and the key from the source system, like this: {"tank/share01": "57112db4be777d93fa7b76138a68b790d46d6858569bf9d13e32eb9fda72146b"}
  4. Save this file with the extension .json.
  5. On the remote system, unlock the dataset(s) using the properly constructed JSON files.
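Steps 2 to 4 above, as an added helper script that is not part of the TrueNAS documentation or product: it reads the key file exported on the source system, rewrites each dataset name to the destination pool, rejects malformed keys (including the trailing space the docs warn about), and produces one single-entry manifest per dataset. It assumes the exported key file uses the same {"pool/dataset": "hexkey"} mapping as the manifest in step 3; the key values, pool names and output directory are constructed for the example.

```python
import json
import re
from pathlib import Path

# Constructed sample of the key file exported on the source system, mapping
# "pool/dataset" to a hex key. The values are made up for this example; the
# second carries a trailing space, which the docs warn can appear in a copied key.
SOURCE_KEY_FILE = """{
  "tank/share01": "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff",
  "tank/share01/docs": "ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100 "
}"""

HEX_KEY = re.compile(r"^[0-9a-f]{64}$")  # 32-byte raw key, the length in the docs' example

def normalize_key(key: str) -> str:
    """Strip stray whitespace, lowercase, and reject anything that is not 64 hex
    characters, so a malformed key fails here rather than at unlock time."""
    cleaned = key.strip().lower()
    if not HEX_KEY.match(cleaned):
        raise ValueError(f"not a 64-hex-character key: {key!r}")
    return cleaned

def remap_dataset(name: str, src_prefix: str, dst_prefix: str) -> str:
    """Replace the source pool/dataset prefix with the destination's, matching
    whole path components only ('tank' must not match 'tankfoo/...')."""
    parts, src = name.split("/"), src_prefix.split("/")
    if parts[: len(src)] != src:
        raise ValueError(f"{name!r} is not under {src_prefix!r}")
    return "/".join(dst_prefix.split("/") + parts[len(src):])

def build_manifests(source_key_json: str, src_prefix: str, dst_prefix: str) -> dict:
    """Return one single-entry manifest per dataset, {dest: {dest: key}}; each
    value is the content of one .json file used for Unlock on the remote system."""
    manifests = {}
    for dataset, key in json.loads(source_key_json).items():
        dest = remap_dataset(dataset, src_prefix, dst_prefix)
        manifests[dest] = {dest: normalize_key(key)}
    return manifests

def write_manifests(manifests: dict, outdir: str) -> list:
    """Write each manifest as <outdir>/<dest with '/' -> '_'>.json; return the paths."""
    out = Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    written = []
    for dest, entry in manifests.items():
        path = out / (dest.replace("/", "_") + ".json")
        path.write_text(json.dumps(entry, indent=2) + "\n")
        written.append(str(path))
    return written
```

Calling write_manifests(build_manifests(SOURCE_KEY_FILE, "tank", "backup"), "manifests") writes manifests/backup_share01.json and manifests/backup_share01_docs.json, each holding exactly the one key-value pair that the Unlock dialog on the receiving system expects.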

Uncheck properties when replicating so that the destination dataset is not encrypted on the remote side and does not require a key to unlock.

  1. Go to Data Protection and click ADD in the Replication Tasks window.
  2. Click Advanced Replication Creation.
  3. Fill out the form as needed and make sure Include Dataset Properties is NOT checked.
  4. Click Save.

To unlock a replicated dataset with the key exported from the source system:

  1. Go to Storage -> pool/root dataset on the replication system. Click the icon and select Export Key.
  2. Apply the key file or key code to the dataset. You can either download the key file, open that file and change the pool name/dataset to the receiving pool name/dataset, or copy the key code provided in the Key window.
  3. On the receiving pool/dataset, click the icon next to the pool/dataset and select Unlock.
  4. Unlock the dataset. You can either clear the Unlock with Key file checkbox and paste the key code into the Dataset Key field (if there is a space character at the end of the key, delete the space), or select the downloaded key file that you edited.
  5. Click Save.
  6. Click Continue.