4 minute read.Last Modified 2021-09-08 09:59 EDT
TrueNAS SCALE offers ZFS encryption for your sensitive data in pools and datasets.
Users are responsible for backing up and securing encryption keys and passphrases! Losing the ability to decrypt data is similar to a catastrophic data loss.
Data-at-rest encryption is available with:
- Self Encrypting Drives (SEDs) using OPAL or FIPS 140.2 (Both AES 256)
- Encryption of specific datasets (AES-256-GCM)
The local TrueNAS system manages keys for data-at-rest. Users are responsible for storing and securing their keys. The Key Management Interface Protocol (KMIP) is included in TrueNAS SCALE
Encrypting the root dataset of a new storage pool further increases data security. Create a new pool and check the Encryption box in the Pool Manager.
Read the warning, check Confirm, and click I Understand.
We recommend using the default encryption cipher, but other ciphers are available.
Users can encrypt new datasets within an existing storage pool without having to encrypt the entire storage pool. To encrypt a single dataset, go to Storage, open the more_vert next to an existing dataset, and click Add Dataset.
Look at the Encryption Options and, when the parent dataset is unencrypted, uncheck Inherit (non-encrypted).
Next, choose which Encryption Type of authentication to use: a Key or a Passphrase. The remaining options are the same as a new pool. Encrypted datasets show additional icons in the Storage list.
TrueNAS displays a dataset’s status with an icon:
- Dataset unlocked icon: lock_open
- Dataset locked icon: lock
Encrypted datasets can only be locked and unlocked if they use a passphrase instead of a key. Before locking a dataset, verify that it is not currently in use, then click (Dataset Actions) and Lock.
Use the Force unmount option only if you are certain no one is currently accessing the dataset. After locking a dataset, the unlock icon changes to a locked icon. You cannot use locked datasets.
To unlock a dataset, click more_vert and Unlock.
Enter the passphrase and click Submit. If there are locked child datasets that use the same passphrase, you can unlock them all at the same time by checking Unlock Children. Confirm unlocking the datasets and wait for the dialog confirmation.
TrueNAS will display the dataset with an unlocked icon.
There are two ways to manage the encryption credentials: with Key Files or Passphrases:
Creating a new encrypted pool automatically generates a new key file and prompts users to download it. Always back up the key file to a safe and secure location.
To manually back up a root dataset keyfile, open the pool settings menu and select Export Key. Then, enter the root password to authorize the export.
To change the key, click the dataset more_vert and Encryption Options.
Enter your custom key or check Generate Key to generate a random encryption key after clicking Save.
To use a passphrase instead of a keyfile, click the dataset more_vert and Encryption Options. Change the Encryption Type from Key to Passphrase.
Set the rest of the options:
- Passphrase : User-defined string that decrypts the dataset. Passphrases must be longer than eight characters.
The passphrase is the only means to decrypt the information stored in this dataset. Be sure to create a memorable passphrase or physically secure the passphrase.
- pbkdf2iters : Number of password-based key derivation function 2 (PBKDF2) iterations to use for reducing vulnerability to brute-force attacks. Users must enter a number greater than 100000.
TrueNAS SCALE users should either replicate the dataset/Zvol without properties to disable encryption at the remote end or construct a special json manifest to unlock each child dataset/zvol with a unique key.
- Replicate every encrypted dataset you want to replicate with properties.
- Export key for every child dataset that has a unique key.
- For each child dataset construct a proper json with poolname/datasetname of the destination system and key from the source system like this:
- Save this file with the extension
- On the remote system, unlock the dataset(s) using properly constructed
Uncheck properties when replicating so that the destination dataset will not be encrypted on the remote side and will not require a key to unlock.
- Go to Data Protection and click ADD in the Replication Tasks window.
- Click Advanced Replication Creation.
- Fill out the form as needed and make sure Include Dataset Properties is NOT checked.
- Click Save.