TrueNAS Hardening Guide 2026

Cyber Security & Hacking
1

TrueNAS Hardening Guide: Step-by-Step Security

This guide covers the essential steps for securing your TrueNAS deployment and ensuring your data remains resilient against both hardware failure and malicious actors.

1. User Management, SSH, and Web Interface

On setup TrueNAS had you create an alternative admin but you can create others as needed because each admin should have their own login. You can also create read only or share management admin log in’s. New admins must have a home dataset on the pool. Simply creating a dataset called home will work for that.

  • Create a Custom Admin:

    • Menu: Credentials -> Users -> add

    • Create a new user and assign them the choose their TruerNAS Access role

    • Add SSH key if needed

    • Choose the home on /mnt/ and check the Create Home Directory box and leave the permissions box checked

    • These permissions also apply to API keys created under those users

  • Disable root User (if enabled)

    • root was the default user for older installs and does not get disabled with standard in place upgrades
    • Menu: Credentials > Users
    • Create a new admin account
    • Once your new custom admin is verified and working, edit the root and admin accounts to disable their passwords. This prevents brute-force attempts on the most targeted usernames.

  • Enforce Two-Factor Authentication (2FA):

    • Menu: System Settings > Advanced > Two-Factor Authentication

    • Enable Global 2FA. This forces all UI logins to require a TOTP code (e.g., Google Authenticator or Aegis).

  • Console Protection:

    • Menu: System Settings > Advanced

    • Disable “Show Text Console without Password Prompt.” This prevents someone with physical access from using the monitor/keyboard to reset your admin password or reconfigure networking.

2. Network Hardening

Control how and where your TrueNAS instance communicates on the wire.

  • Web Interface Binding:

    • Menu: System > General Settings > GUI

    • Bind web interface to management interface

  • HTTP to HTTPS Redirect:

    • Menu: System > General Setting > GUI

    • Ensure “Web Interface HTTP → HTTPS Redirect” is enabled so all management traffic is encrypted.

  • Allowed IP Addresses:

    • Menu: System > Advnaced Settings > Allowed IP Addresses

    • Use the “Allowed IP Addresses” field to whitelist only specific management workstations or subnets that are allowed to access the login page.

  • Disable Unused Services:

    • Menu: System > Services

    • Audit your services. If you aren’t using iSCSI, NFS, or FTP, ensure they are toggled OFF to reduce the attack surface.

  • Bind Services To Interfaces

    • Menu: System > Services

    • Do not let services listen on all available ports. Bind them only to the interfaces where they will be used

  • Set Host Allow and or Deny for Shares

    • Menu: Shares

    • Each share can be set to allow or deny based on IP

3. Secure SSH Configuration

If remote shell access is required, eliminate password-based vulnerabilities.

  • Public Key Authentication:

    • Menu: Credentials > Users > [Your User] > Authentication

    • Generate an SSH key pair on your local machine and upload the Public Key to your user profile.

  • Disable Password Auth & Root SSH:

    • Menu: System > Services > SSH (Settings)

    • Uncheck “Allow Password Authentication.”

    • Ensure “Allow SSH Password Login for Root” is disabled. This forces the use of cryptographic keys.

4. Data Protection & Maintenance

Hardening is useless if the data is lost to hardware failure or accidental deletion.

  • Dataset Encryption:

    • Menu: Datasets > [Add/Edit Dataset]

    • This is done at the creation of the dataset and it can not be converted after creation to or from being encrypted

    • Use AES-256-GCM encryption for sensitive data.

    • Full Video on TrueNAS Encryption https://youtu.be/Ic8vZx3QBew?si=PO8-X68V8kPpg1m-

    • Pro Tip: Do not set the “Inherit” flag if you want individual control over which datasets remain locked until manually authorized after a reboot.

  • Automated ZFS Snapshots:

  • Backup TrueNAS Configuration:

    • Menu: System > Advanced Settings

    • Your ZFS pools hold your data, but your Config File holds your users, permissions, and network settings. Download a fresh backup of this file after every major configuration change.

  • ZFS Scrub

    • Schedule a pool Scrub every 2–4 weeks to detect and repair data corruption (bit rot).
2 Likes
TrueNAS 2026 Hardening Guide: Step-by-Step Security [YouTube Release]