Adding and Managing Datasets

A TrueNAS dataset is a file system within a data storage pool. Datasets can contain files, directories, and child datasets, and have individual permissions or flags.

Datasets can also be encrypted. In TrueNAS 22.12.3 or later, the TrueNAS UI requires encryption for child datasets created in encrypted parent datasets, but you can change the encryption type from key to passphrase. You can create an encrypted dataset if the parent is not encrypted and set the type as either key or passphrase.


Configuring ACL Permissions

TrueNAS provides basic permissions settings and an access control list (ACL) editor to define dataset permissions. ACL permissions control the actions users can perform on dataset contents and shares.

An Access Control List (ACL) is a set of account permissions associated with a dataset that applies to directories or files within that dataset. TrueNAS uses ACLs to manage user interactions with shared datasets. When you create a dataset, TrueNAS sets the ACL type based on the dataset preset, but you must configure the ACL before it becomes active.

ACL Types in TrueNAS

TrueNAS offers two ACL types: POSIX and NFSv4. The Dataset Preset setting on the Add Dataset screen determines the type of ACL for the dataset. Datasets created with the Generic dataset preset have the ACL type set to a POSIX (Unix) ACL. Datasets created with the SMB dataset preset have the ACL type set to an NFSv4 ACL. SMB shares require the more robust configurations in an NFSv4 ACL. For most cases, a POSIX ACL is all you need. If you want the more granular ACL controls in the NFSv4 ACL, you can create a dataset using the SMB dataset preset without creating an SMB share, or you can use the ACL Type option on the Add Dataset > Advanced Options screen to change a dataset using the Generic preset from a POSIX to NFSv4 ACL. For a more in-depth explanation of ACLs and configurations in TrueNAS, see our ACL Primer.


Encrypting Datasets

TrueNAS offers ZFS encryption for your sensitive data in datasets and zvols.

Users are responsible for backing up and securing encryption keys and passphrases! Losing the ability to decrypt data is similar to a catastrophic data loss.

Data-at-rest encryption is available with:

The local TrueNAS system manages keys for data-at-rest. Users are responsible for storing and securing their keys. TrueNAS includes the Key Management Interface Protocol (KMIP).


Encryption

TrueNAS supports dataset and zvol encryption to secure stored data at rest.

Contents

  • Encrypting Datasets: Provides information on TrueNAS storage encryption for pools, root datasets, datasets, and zvols.

  • Encryption Screen: Provides information on the settings and functions found on the TrueNAS storage encryption screens.

Managing User or Group Quotas

TrueNAS allows setting data or object quotas for user accounts and groups cached on or connected to the system. You can use the quota settings on the Add Dataset or Edit Dataset configuration screens in the Advanced Options settings to set up alarms and set aside more space in a dataset. See Adding and Managing Datasets for more information.

To manage the overall capacity of a dataset, use Edit on the Dataset Space Management widget to open the Capacity Settings screen.


Permissions

TrueNAS provides ACL-based permission controls for datasets to manage user and group access to stored data.

Contents

  • Configuring ACL Permissions: Provides general information on ACLs, and instructions on editing and viewing ACL permissions using the ACL editor screens.

  • Edit ACL Screen: Describes the ACL permissions screens, settings for POSIX and NFSv4 ACLs, and the conditions that result in additional setting options.

Quotas

TrueNAS quota settings limit how much storage space a dataset, user, or group can consume.

Contents

Capacity Settings Screen

The Capacity Settings screen allows users to set quotas for the selected dataset, and for the selected dataset together with any of its child datasets, apart from the dataset creation process.

The settings on the Capacity Settings screen are the same as those in the quota management section on the Add Dataset > Advanced Options screen.


| Setting | Description |
|---|---|
| Quota for this dataset / Quota for this dataset and all children | Enter a value to define the maximum allowed space for the dataset. 0 disables quotas. |
| Quota warning alert at, % | Enter a percentage value to generate a warning level alert when consumed space reaches the defined level. By default, the dataset inherits this value from the parent dataset. Clear the Inherit checkbox to change the value. |
| Quota critical alert at, % | Enter a percentage value to generate a critical level alert when consumed space reaches the defined level. By default, the dataset inherits this value from the parent dataset. Clear the Inherit checkbox to change the value. |
| Reserved space for this dataset / Reserved space for this dataset and all children | Enter a value to reserve additional space for datasets that contain logs which could eventually take up all the available free space. 0 is unlimited. |

Edit ACL Screen

TrueNAS offers two Access Control List (ACL) types: POSIX (the TrueNAS default) and NFSv4. For a more in-depth explanation of ACLs and configurations in TrueNAS, see our ACL Primer.

The Dataset Preset option on the Add Dataset screen sets the ACL type applied for SMB shares, apps, multi-protocol shares, and general-use datasets.

The ACL Type setting in the Advanced Options on both the Add Dataset and Edit Dataset screens determines the ACL presets available on the ACL Select a preset ACL window. It also determines which permissions editor screens you see after you click the edit icon on the Dataset Permissions widget.


Encryption Screen

Encrypted datasets (root, non-root parent, and child) and encrypted zvols include the Encryption widget in the set of dataset widgets shown on the Datasets screen.

The Datasets tree table includes lock icons and descriptions that indicate the encryption state of datasets.

| State | Description |
|---|---|
| Locked | Displays for locked encrypted root, non-root parent and child datasets. |
| Unlocked | Displays for unlocked encrypted root, non-root parent and child datasets. |
| Locked by ancestor | Displays for locked datasets that inherit encryption properties from the parent. |
| Unlocked by ancestor | Displays for unlocked datasets that inherit encryption properties from the parent. |

Dataset Encryption

The Encryption option on the Pool Manager screen sets encryption for the entire pool.
