
Encryption


Last Modified 2021-09-08 09:59 EDT

TrueNAS SCALE offers ZFS encryption for your sensitive data in pools and datasets.

Users are responsible for backing up and securing encryption keys and passphrases! Losing the ability to decrypt data is similar to a catastrophic data loss.

Data-at-rest encryption is available with:

The local TrueNAS system manages keys for data-at-rest. Users are responsible for storing and securing their keys. The Key Management Interface Protocol (KMIP) is included in TrueNAS SCALE.

Encrypting a Storage Pool

Encrypting the root dataset of a new storage pool further increases data security. Create a new pool and check the Encryption box in the Pool Manager.

[Screenshot: Encryption warning]

Read the warning, check Confirm, and click I Understand.

We recommend using the default encryption cipher, but other ciphers are available.

[Screenshot: Encryption cipher options]

TrueNAS supports the AES Galois/Counter Mode (GCM) and Counter with CBC-MAC (CCM) algorithms for encryption. Both are authenticated encryption modes for the AES block cipher: they protect the confidentiality of the data and also detect any modification of the stored ciphertext.

Encrypting a New Dataset

Users can encrypt new datasets within an existing storage pool without having to encrypt the entire storage pool. To encrypt a single dataset, go to Storage, open the Dataset Actions menu next to an existing dataset, and click Add Dataset.

[Screenshot: Add Dataset form]

Look at the Encryption Options and, when the parent dataset is unencrypted, uncheck Inherit (non-encrypted).

[Screenshot: Encryption Options]

Next, choose the Encryption Type: a Key or a Passphrase. The remaining options are the same as for a new pool. Encrypted datasets show additional icons in the Storage list.

Locking and Unlocking Datasets

TrueNAS displays a dataset’s status with an icon:

  • Unlocked dataset icon
  • Locked dataset icon

Encrypted datasets can only be locked and unlocked if they use a passphrase instead of a key. Before locking a dataset, verify that it is not currently in use, then open the Dataset Actions menu and click Lock.

[Screenshot: Lock Dataset dialog]

Use the Force unmount option only if you are certain no one is currently accessing the dataset. After locking a dataset, the unlock icon changes to a locked icon. You cannot use locked datasets.

To unlock a dataset, open the Dataset Actions menu and click Unlock.

[Screenshot: Unlock Dataset dialog]

Enter the passphrase and click Submit. If there are locked child datasets that use the same passphrase, you can unlock them all at the same time by checking Unlock Children. Confirm unlocking the datasets and wait for the dialog confirmation.

[Screenshot: Unlock success confirmation]

TrueNAS will display the dataset with an unlocked icon.

Encryption Management

There are two ways to manage the encryption credentials: with Key Files or Passphrases:

Key Files

Creating a new encrypted pool automatically generates a new key file and prompts users to download it. Always back up the key file to a safe and secure location.

[Screenshot: Download Encryption Key prompt]

To manually back up a root dataset key file, open the pool menu and select Export Key. Then, enter the root password to authorize the export.

[Screenshot: Export Key dialog]

To change the key, click the dataset and Encryption Options.

[Screenshot: Encryption Options button]

Enter a custom key, or check Generate Key to have TrueNAS create a random encryption key when you click Save.

[Screenshot: Encryption Options]

Passphrases

To use a passphrase instead of a key file, click the dataset and Encryption Options. Change the Encryption Type from Key to Passphrase.

[Screenshot: Encryption Options with Passphrase selected]

Set the rest of the options:

  • Passphrase: User-defined string that decrypts the dataset. Passphrases must be longer than eight characters.
    The passphrase is the only means to decrypt the information stored in this dataset. Be sure to create a memorable passphrase or physically secure the passphrase.
  • pbkdf2iters: Number of password-based key derivation function 2 (PBKDF2) iterations to use for reducing vulnerability to brute-force attacks. Users must enter a number greater than 100000.
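The two constraints above (a passphrase longer than eight characters and a pbkdf2iters value above 100000) are easy to check before committing to a passphrase, and the iteration count is worth understanding in terms of cost: every additional iteration makes each guess in a brute-force attempt proportionally more expensive. The following is an added example, not TrueNAS code; it validates the options against the limits stated on the page and times a PBKDF2 derivation at several iteration counts. The 32-byte output length (an AES-256 key) and the use of HMAC-SHA256 as the PBKDF2 PRF are illustrative assumptions; the page does not state which PRF ZFS uses, and the salt here is constructed rather than the one ZFS stores with the dataset.

```python
import hashlib
import os
import time

# Limits stated on the page: passphrase longer than eight characters,
# pbkdf2iters greater than 100000.
MIN_PASSPHRASE_LEN = 9
MIN_PBKDF2_ITERS = 100001


def check_passphrase_options(passphrase: str, pbkdf2iters: int) -> list:
    """Return a list of problems with the chosen options; empty means acceptable."""
    problems = []
    if len(passphrase) < MIN_PASSPHRASE_LEN:
        problems.append("passphrase must be longer than eight characters")
    if pbkdf2iters < MIN_PBKDF2_ITERS:
        problems.append("pbkdf2iters must be greater than 100000")
    return problems


def derive_wrapping_key(passphrase: str, salt: bytes, pbkdf2iters: int) -> bytes:
    """Derive a 32-byte key from the passphrase with PBKDF2.

    Assumption for illustration: HMAC-SHA256 as the PRF and a 32-byte
    (AES-256) output. The cost of this call grows linearly with pbkdf2iters.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode("utf-8"), salt, pbkdf2iters, dklen=32
    )


def time_derivation(passphrase: str, salt: bytes, pbkdf2iters: int) -> float:
    """Wall-clock seconds for a single derivation at the given iteration count."""
    start = time.perf_counter()
    derive_wrapping_key(passphrase, salt, pbkdf2iters)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Constructed sample inputs; ZFS keeps its own per-dataset salt.
    sample_salt = os.urandom(32)
    sample_passphrase = "correct horse battery staple"
    print("problems:", check_passphrase_options(sample_passphrase, 350000))
    for iters in (100001, 350000, 1000000):
        seconds = time_derivation(sample_passphrase, sample_salt, iters)
        print(f"{iters:>8} iterations: {seconds:.3f}s per guess")
```

Running it shows the per-guess cost scaling with the iteration count, which is the trade-off to weigh when choosing pbkdf2iters: a higher value slows every unlock slightly but multiplies the work an attacker must do per candidate passphrase.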

Unlocking a Replicated Encrypted Dataset or Zvol Without a Passphrase

TrueNAS SCALE users should either replicate the dataset/zvol without properties, so that encryption is not carried over to the remote end, or construct a special JSON manifest to unlock each child dataset/zvol with its unique key.

  1. Replicate every encrypted dataset you want to replicate with properties.
  2. Export key for every child dataset that has a unique key.
  3. For each child dataset, construct a JSON object that maps the poolname/datasetname on the destination system to the key exported from the source system, like this: {"tank/share01": "57112db4be777d93fa7b76138a68b790d46d6858569bf9d13e32eb9fda72146b"}
  4. Save this file with the extension .json.
  5. On the remote system, unlock the dataset(s) using the JSON files you constructed.
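Building the manifest by hand for many child datasets is error-prone, and a malformed entry (wrong destination pool name, truncated key) only shows up as an unlock failure on the remote side. The following is an added example, not TrueNAS code: it takes the keys as exported from the source system, rewrites the pool component of each dataset name to the destination pool, validates that every key is a 64-character hex string (a 32-byte raw key, the shape of the sample key on the page), and serializes the result as the .json file to upload. The source pool name tank and the key value are taken from the page's sample; the destination pool name backup and the extra child datasets are constructed.

```python
import json
import re

# A raw 32-byte ZFS key exported as 64 hex characters, matching the page's sample.
HEX_KEY_RE = re.compile(r"^[0-9a-fA-F]{64}$")


def rename_pool(dataset: str, dest_pool: str) -> str:
    """Replace the pool (first path component) of a dataset name with dest_pool."""
    parts = dataset.split("/", 1)
    return dest_pool if len(parts) == 1 else f"{dest_pool}/{parts[1]}"


def build_manifest(exported_keys: dict, dest_pool: str) -> dict:
    """Map {source_dataset: hex_key} to {destination_dataset: hex_key}.

    exported_keys holds the keys as obtained from Export Key on the source
    system; the returned dict is keyed by the name the dataset has on the
    destination system.
    """
    manifest = {}
    for src_name, key in exported_keys.items():
        dst_name = rename_pool(src_name, dest_pool)
        if dst_name in manifest:
            raise ValueError(f"duplicate destination dataset {dst_name!r}")
        manifest[dst_name] = key
    return manifest


def validate_manifest(manifest: dict) -> list:
    """Return a list of problems; empty means the manifest is well-formed."""
    problems = []
    for name, key in manifest.items():
        if not isinstance(name, str) or not name or "/" in (name[0], name[-1]):
            problems.append(f"{name!r}: not a valid pool/dataset name")
        if not isinstance(key, str) or not HEX_KEY_RE.match(key):
            problems.append(f"{name!r}: key must be 64 hex characters (32-byte raw key)")
    return problems


def manifest_to_json(manifest: dict) -> str:
    """Serialize the manifest in the one-object form shown on the page."""
    return json.dumps(manifest, indent=2, sort_keys=True)


# Constructed sample: tank/share01 and its key are the page's example; the
# other entries are made up to show several child datasets in one manifest.
SAMPLE_EXPORTED_KEYS = {
    "tank/share01": "57112db4be777d93fa7b76138a68b790d46d6858569bf9d13e32eb9fda72146b",
    "tank/share02": "0" * 64,          # constructed placeholder key
    "tank/vm/disk0": "f" * 64,         # constructed placeholder key (zvol)
}

if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_EXPORTED_KEYS, "backup")
    problems = validate_manifest(manifest)
    if problems:
        raise SystemExit("manifest problems: " + "; ".join(problems))
    with open("unlock-backup.json", "w", encoding="utf-8") as fh:
        fh.write(manifest_to_json(manifest))
    print(manifest_to_json(manifest))
```

The key material in the output file is as sensitive as the keys themselves; store the generated .json alongside the exported keys under the same protection and delete working copies once the remote datasets are unlocked.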

Uncheck properties when replicating so that the destination dataset will not be encrypted on the remote side and will not require a key to unlock.

  1. Go to Data Protection and click ADD in the Replication Tasks window.
  2. Click Advanced Replication Creation.
  3. Fill out the form as needed and make sure Include Dataset Properties is NOT checked.
  4. Click Save.