TrueNAS encryption, backups, etc

Hello,

Thanks for all the videos about TrueNAS @LTS_Tom. I’ve really enjoyed it as a NAS, and it’s helped me move completely off the cloud into my own storage solution.

I’ve watched a few of your videos and would like to confirm my understanding.

I also have some questions about encryption. I’m a bit scared of encryption because of potential data loss.

However, I am diligent with a password manager and generally keep all my passwords saved. I’d like to confirm my understanding and ask a few questions:

Encryption

  1. If I encrypt my datasets, what is the actual risk of data loss from corruption, forgotten keys, or other errors?

  2. My current share is unencrypted. To enable encryption, do I need to create a new encrypted ZFS dataset and copy the data into it?

ZFS Replication

  1. I have a replication task that copies my primary pool to another pool on the same TrueNAS box. I’ve now set up a second TrueNAS at a remote site, accessible over WireGuard. Replication transfers only snapshots, correct? What is the process to continuously copy the live data so it’s available on the other device just like any other data?

  2. If so, does that mean the replicated data is not “live” and cannot be modified on the target?

  3. Also, why is this a backup? Do snapshots need to have the live data to recover?

  1. There are always risks, but the biggest is losing the keys.
  2. Yes.
  3. ZFS replication is only the snapshots; you can use tools like Syncthing for real time.
  4. Replicated data is the last snapshot.
  5. Not clear on what you are asking; replicated data is the last snapshot.

Thank you for the quick response! What confused me was the common phrase “Snapshots are not a backup.” I now understand it means snapshots on the same system or pool are not a backup, but replicating those snapshots to another system does create one.

Regarding upgrading my encryption:

Implementing encryption protects me from physical theft, keeps data on failed drives inaccessible (but also unrecoverable), and allows for safe hard‑drive disposal. When the system is powered off, the data remains encrypted. However, if someone accesses a ZFS dataset while it is unlocked, the data is as exposed as if it were never encrypted?

Can I create an encrypted zvol on one system, replicate the unencrypted zvol to this unlocked encrypted zvol on the other device, and then recover the data onto a new zvol that imports the key from the replicated encrypted zvol?

Also, regarding the auto-unlock on reboot, the only option for community is using the keys method, but this keeps the key in memory.

Yes

ZVOL is a block device, I am not clear what you are asking.

The keys are stored in the OS boot drive and unlocked each boot.

Can I create an encrypted zvol on one system, replicate the unencrypted zvol to this unlocked encrypted zvol on the other device, and then recover the data onto a new zvol that imports the key from the replicated encrypted zvol?

Lol, you’re right. This article was recommended to me and it was very helpful in refining my understanding.

My plan to implement encryption. Note that everything on the unencrypted pool (A) is a dataset. I’d create an encrypted pool on TrueNAS (B) then do a “Full Filesystem Replication” and “inherit encryption” replication task from my unencrypted pool (A) to my encrypted pool (B). I’d do a sanity check that the data is intact and then delete my unencrypted pool on (A).

I’d create a new encrypted pool on (A) and then create a replication task on the encrypted system (B) also with “Full Filesystem Replication” and “inherit encryption” enabled to replicate to the newly created encrypted pool on (A). I’d export and save each pool’s unique key.

Would this work to enable encryption on a previously unencrypted pool?

This method produces two separate keys on each TrueNAS, which I can change to be the same key if I wanted in the GUI tools.

I am not sure if that is supported as I have never tried. I have a video breaking down encryption in TrueNAS.

Thanks. Yeah, I watched that video! It really helped my understanding. I’m gonna post in the TrueNAS forums and see what they say. I’ll follow up here later with what they say and if I could get it working or not.

@LTS_Tom

I had a discussion with one of the MVPs on the TrueNAS forum and he gave me direction on my idea about upgrading to encrypted storage.

He also guided me to posts where he outlined best practice for the architecture of your datasets when implementing encryption to avoid potential headaches in the future with replication and other issues revolving around encryption.

What he recommended was to never use your main true-root dataset that is created in TrueNAS after you set up your vdevs.

After creating a pool, immediately create new pseudo-roots, then store your data under these pseudo-roots in their own datasets. This stops a lot of headaches in the future apparently with replication and encryption, etc. I’m not sure what it helps with, but I plan to follow his guidance.

Here is the post on the forum:

Here is his method of best practice for architecting your datasets for the least amount of headaches revolving around encryption and replication.

SiteA-RealRoot   <----- TRUE-ROOT - NO-DATA - NOT ENCRYPTED     
│                                                                                
├── SiteA-pseudo-root1  <-- PSEUDO-ROOT - NO DATA - ENCRYPTED
│    ├── SiteA-VMStorage    <-- ZVOL - STORE DATA HERE                     
│    ├── SiteA-Misc.        <-- ZVOL - STORE DATA HERE                               
│    └── SiteA-Misc.        <-- ZVOL - STORE DATA HERE                              
│                                                                                        
└── SiteA-pseudo-root2    <-- PSEUDO-ROOT - NO DATA - ENCRYPTED  
     ├── SiteA-SMB          <-- DATA - STORE DATA HERE           
     └── SiteA-Syncthing    <-- DATA - STORE DATA HERE 

Here is the longer post from that user on the guidance about using pseudo-root datasets:

Thanks for the videos as always, @LTS_Tom !

The next thing that I learned is that, regardless of how it appears in the GUI, nested unencrypted datasets remain unencrypted and accessible even when the root of that dataset is locked. It’s not recommended to keep unencrypted datasets beneath an encrypted-root dataset, as this can break things down the road.
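
One way to audit for the situation described in the last post, as an added example that is not part of the thread: the script reads a `zfs get` listing and reports every unencrypted dataset that has an encrypted ancestor. The function names are hypothetical, and the sample listing is constructed from the dataset names in the diagram above, with `SiteA-Syncthing` deliberately left unencrypted.

```shell
#!/bin/sh
# Added example: flag unencrypted datasets that sit beneath an encrypted ancestor.
# On a live system the input would come from:
#   zfs get -H -r -t filesystem,volume -o name,value encryption <pool>
# which prints "name<TAB>value", where value is "off" or a cipher name.

# Reads "name<TAB>encryption" lines on stdin and prints
# "offending dataset<TAB>nearest encrypted ancestor" for each finding.
find_unencrypted_children() {
    awk -F '\t' '
        { enc[$1] = $2; order[++n] = $1 }
        END {
            for (i = 1; i <= n; i++) {
                name = order[i]
                if (enc[name] != "off") continue
                # Walk up the path one component at a time.
                parent = name
                while (sub("/[^/]*$", "", parent)) {
                    if ((parent in enc) && enc[parent] != "off") {
                        print name "\t" parent
                        break
                    }
                }
            }
        }'
}

# Constructed sample listing (not output from a real system).
sample_listing() {
    printf '%s\t%s\n' \
        'SiteA-RealRoot' 'off' \
        'SiteA-RealRoot/SiteA-pseudo-root1' 'aes-256-gcm' \
        'SiteA-RealRoot/SiteA-pseudo-root1/SiteA-VMStorage' 'aes-256-gcm' \
        'SiteA-RealRoot/SiteA-pseudo-root2' 'aes-256-gcm' \
        'SiteA-RealRoot/SiteA-pseudo-root2/SiteA-SMB' 'aes-256-gcm' \
        'SiteA-RealRoot/SiteA-pseudo-root2/SiteA-Syncthing' 'off'
}

sample_listing | find_unencrypted_children
```

The unencrypted true root is not reported because it has no encrypted ancestor, which matches the pseudo-root layout in the diagram; an empty result means no unencrypted dataset is nested under an encrypted one.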