Thanks for all the videos about TrueNAS @LTS_Tom. I’ve really enjoyed it as a NAS, and it’s helped me move completely off the cloud into my own storage solution.
I’ve watched a few of your videos and would like to confirm my understanding.
I also have some questions about encryption. I’m a bit scared of encryption because of potential data loss.
However, I am diligent with a password manager and generally keep all my passwords saved. I’d like to confirm my understanding and ask a few questions:
Encryption
If I encrypt my datasets, what is the actual risk of data loss from corruption, forgotten keys, or other errors?
My current share is unencrypted. To enable encryption, do I need to create a new encrypted ZFS dataset and copy the data into it?
ZFS Replication
I have a replication task that copies my primary pool to another pool on the same TrueNAS box. I’ve now set up a second TrueNAS at a remote site, accessible over WireGuard. Replication transfers only snapshots, correct? What is the process to continuously copy the live data so it’s available on the other device just like any other data?
If so, does that mean the replicated data is not “live” and cannot be modified on the target?
Also, why is this a backup? Do snapshots need to have the live data to recover?
Thank you for the quick response! What confused me was the common phrase “Snapshots are not a backup.” I now understand it means snapshots on the same system or pool are not a backup, but replicating those snapshots to another system does create one.
Regarding upgrading my encryption:
Implementing encryption protects me from physical theft, keeps data on failed drives inaccessible (but also unrecoverable), and allows for safe hard‑drive disposal. When the system is powered off, the data remains encrypted. However, if someone accesses a ZFS dataset while it is unlocked, the data is as exposed as if it were never encrypted?
Can I create an encrypted zvol on one system, replicate the unencrypted zvol to this unlocked encrypted zvol on the other device, and then recover the data onto a new zvol that imports the key from the replicated encrypted zvol?
Also, regarding the auto-unlock on reboot, the only option for community is using the keys method, but this keeps the key in memory.
Lol, you’re right. This article was recommended to me and it was very helpful in refining my understanding.
My plan to implement encryption. Note that everything on the unencrypted pool (A) is a dataset. I’d create an encrypted pool on TrueNAS (B), then do a “Full Filesystem Replication” and “inherit encryption” replication task from my unencrypted pool (A) to my encrypted pool (B). I’d do a sanity check that the data is intact and then delete my unencrypted pool on (A).
I’d create a new encrypted pool on (A) and then create a replication task on the encrypted system (B), also with “Full Filesystem Replication” and “inherit encryption” enabled, to replicate to the newly created encrypted pool on (A). I’d export and save each pool’s unique key.
Would this work to enable encryption on a previously unencrypted pool?
This method produces two separate keys on each TrueNAS, which I can change to be the same key if I wanted in the GUI tools.
Thanks. Yeah, I watched that video! It really helped my understanding. I’m gonna post in the TrueNAS forums and see what they say. I’ll follow up here later with what they say and if I could get it working or not.