I’m not using TrueNAS but openSUSE Leap 15.5 with OpenZFS.
My goal is to create an encrypted dataset that is unmounted and unavailable until it is manually mounted and the passphrase is entered.
I created an encrypted dataset with the following:
zfs create -o encryption=aes-256-ccm -o keyformat=passphrase zpool/enc
To test it, I was able to create a test file /zpool/enc/test.txt and read and write from it while the dataset was unmounted.
I then rebooted the system and was still able to read and write to /zpool/enc. I mounted the dataset with
zfs mount -l -a
The system prompted me for a passphrase; I entered it, and the dataset mounted. I created another file /zpool/enc/test2.txt and then rebooted.
Prior to mounting the dataset I was able to read and write /zpool/enc/test2.txt and read and write from the directory as a whole.
It appears to me that this dataset is mounting at boot, and/or it doesn’t seem to make any difference whether it is mounted or not. I must be doing something wrong here.
When I run
zfs get all zpool/enc
The relevant properties when the dataset is unmounted are:
mounted no -
encryption aes-256-ccm -
keylocation prompt local
keyformat passphrase -
keystatus unavailable -
When the dataset is unmounted and the keystatus is unavailable I can read and write files that were written to it when it was previously mounted. What am I doing wrong?
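An added check, not part of the original post, for the situation described above. While an encrypted dataset is unmounted, its mountpoint is just an ordinary directory on the parent filesystem, so any file created under /zpool/enc at that time is stored on the parent dataset (zpool, which is not encrypted) rather than on zpool/enc. The script below takes the output of `zfs get -H -o name,property,value mountpoint,mounted,encryption,keystatus` together with /proc/mounts, works out which dataset really backs a path, and reports whether that dataset is the expected encrypted one with its key loaded. The pool, dataset and file names are taken from the post; the two sample outputs are constructed, and `live_check` is an optional wrapper that runs the real commands on a host with ZFS installed.

```python
import os
import subprocess

# Constructed sample output of:
#   zfs get -H -o name,property,value mountpoint,mounted,encryption,keystatus
# with zpool/enc unmounted and its key not loaded (the state shown in the post).
SAMPLE_ZFS_GET_LOCKED = """zpool\tmountpoint\t/zpool
zpool\tmounted\tyes
zpool\tencryption\toff
zpool\tkeystatus\t-
zpool/enc\tmountpoint\t/zpool/enc
zpool/enc\tmounted\tno
zpool/enc\tencryption\taes-256-ccm
zpool/enc\tkeystatus\tunavailable
"""

# Constructed /proc/mounts for the same state: only the parent dataset is mounted.
SAMPLE_MOUNTS_LOCKED = "zpool /zpool zfs rw,xattr,noacl 0 0\n"

# The same two views after `zfs mount -l zpool/enc` succeeded (constructed).
SAMPLE_ZFS_GET_UNLOCKED = SAMPLE_ZFS_GET_LOCKED.replace(
    "zpool/enc\tmounted\tno", "zpool/enc\tmounted\tyes").replace(
    "zpool/enc\tkeystatus\tunavailable", "zpool/enc\tkeystatus\tavailable")
SAMPLE_MOUNTS_UNLOCKED = SAMPLE_MOUNTS_LOCKED + "zpool/enc /zpool/enc zfs rw,xattr,noacl 0 0\n"


def parse_zfs_get(text):
    """Map dataset name -> {property: value} from tab-separated `zfs get -H` output."""
    datasets = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, prop, value = line.split("\t")
        datasets.setdefault(name, {})[prop] = value
    return datasets


def parse_mounts(text):
    """Map mountpoint -> dataset for every zfs entry in /proc/mounts."""
    mounts = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[2] == "zfs":
            mounts[parts[1]] = parts[0]
    return mounts


def backing_dataset(path, mounts):
    """Return (mountpoint, dataset) of the longest mountpoint that contains path, or None."""
    path = os.path.normpath(path)
    best = None
    for mountpoint, dataset in mounts.items():
        mountpoint = os.path.normpath(mountpoint)
        if path == mountpoint or path.startswith(mountpoint.rstrip("/") + "/"):
            if best is None or len(mountpoint) > len(best[0]):
                best = (mountpoint, dataset)
    return best


def check_path(path, datasets, mounts, expected):
    """Return (ok, reason): ok is True only if path is stored on the expected
    dataset, that dataset is encrypted, and its key is loaded."""
    hit = backing_dataset(path, mounts)
    if hit is None:
        return False, f"no zfs filesystem is mounted above {path}"
    mountpoint, dataset = hit
    if dataset != expected:
        state = datasets.get(expected, {})
        return False, (f"{path} is backed by {dataset} (mounted at {mountpoint}), not "
                       f"{expected}; {expected} is mounted={state.get('mounted', '?')}, "
                       f"keystatus={state.get('keystatus', '?')}, so its mountpoint is "
                       f"a plain directory on {dataset} and data written there is "
                       f"stored on {dataset}")
    props = datasets.get(dataset, {})
    if props.get("encryption", "off") == "off":
        return False, f"{dataset} is not encrypted"
    if props.get("keystatus") != "available":
        return False, f"{dataset} key is {props.get('keystatus')}"
    return True, (f"{path} is on {dataset} (mounted at {mountpoint}), "
                  f"encryption={props['encryption']}, key loaded")


def live_check(path, expected):
    """Run the real commands on a host with ZFS installed (not used by the samples)."""
    out = subprocess.run(
        ["zfs", "get", "-H", "-o", "name,property,value",
         "mountpoint,mounted,encryption,keystatus"],
        capture_output=True, text=True, check=True).stdout
    with open("/proc/mounts") as f:
        mounts = parse_mounts(f.read())
    return check_path(path, parse_zfs_get(out), mounts, expected)


if __name__ == "__main__":
    for label, get_text, mounts_text in (
            ("locked", SAMPLE_ZFS_GET_LOCKED, SAMPLE_MOUNTS_LOCKED),
            ("unlocked", SAMPLE_ZFS_GET_UNLOCKED, SAMPLE_MOUNTS_UNLOCKED)):
        ok, reason = check_path("/zpool/enc/test.txt", parse_zfs_get(get_text),
                                parse_mounts(mounts_text), "zpool/enc")
        print(f"[{label}] ok={ok}: {reason}")
```

Running `live_check("/zpool/enc/test.txt", "zpool/enc")` before and after `zfs mount -l zpool/enc` shows directly which dataset a file sits on; a file that is readable while keystatus is unavailable is, by this check, on the parent dataset rather than on the encrypted one.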