Storage Encryption

TrueNAS supports different encryption options for critical data. Users are responsible for backing up and securing encryption keys and passphrases! Losing the ability to decrypt data is similar to a catastrophic data loss. Data-at-rest encryption is available with Self-Encrypting Drives (SEDs) using OPAL or FIPS 140.2 (both AES 256), and with encryption of specific datasets (AES-256-GCM in TrueNAS 12.0). The local TrueNAS system manages keys for data-at-rest. The user is responsible for storing and securing their keys.

Advanced Settings Screen

Advanced settings have reasonable defaults in place. A warning message displays for some settings advising of the dangers of making changes. Changing advanced settings can be dangerous when done incorrectly. Use caution before saving changes. Make sure you are comfortable with ZFS, Linux, and system configuration, backup, and restoration before making any changes. The Advanced settings screen provides configuration options for the console, syslog, audit, kernel, sysctl, storage (system dataset pool), replication, WebSocket sessions, cron jobs, init/shutdown scripts, allowed IP addresses, isolated GPU device(s), self-encrypting drives, and global two-factor authentication.

Devices

The Devices screen lists VDEVs and disks configured for the selected pool. Go to Storage and click on Manage Devices on the Topology widget to view the Devices screen.
Figure 1: Devices Data VDEV Unexpanded
Click anywhere on the VDEV to see the drives included in it, and the ZFS Info widget for that VDEV.
Figure 2: Devices Mirror VDEV Expanded
Click anywhere on a drive to see the drive widgets.

Managing Self-Encrypting Drives (SED)

Supported Specifications: Legacy interface for older ATA devices (not recommended for security-critical environments!); TCG Opal 1 legacy specification; TCG OPAL 2 standard for newer consumer-grade devices; TCG Opalite, which is a reduced form of OPAL 2; TCG Pyrite Version 1 and Version 2, which are similar to Opalite but with hardware encryption removed. Pyrite provides a logical equivalent of the legacy ATA security for non-ATA devices. Only the drive firmware protects the device.

Self-Encrypting Drives

TrueNAS version 11.1-U5 introduced Self-Encrypting Drive (SED) support. Supported Specifications: Legacy interface for older ATA devices (not recommended for security-critical environments!); TCG Opal 1 legacy specification; TCG OPAL 2 standard for newer consumer-grade devices; TCG Opalite, which is a reduced form of OPAL 2; TCG Pyrite Version 1 and Version 2, which are similar to Opalite but with hardware encryption removed. Pyrite provides a logical equivalent of the legacy ATA security for non-ATA devices.

Managing SEDs

Advanced settings have reasonable defaults in place. A warning message displays for some settings advising of the dangers of making changes. Changing advanced settings can be dangerous when done incorrectly. Use caution before saving changes. Make sure you are comfortable with ZFS, Linux, and system configuration, backup, and restoration before making any changes. The Self-Encrypting Drive(s) widget on the System > Advanced screen allows you to set the user and global SED password in SCALE.