TrueNAS Scale encryption keys on USB stick

Hi!

I’m trying to get TrueNAS Scale (23.10.1.3) running as my backup server.

Doing so, I found out that there is no default way to keep the encryption key for the pool off the server. I would like to have it on a USB stick and later on another server.

Contacting TrueNAS, I was told that they offer this functionality with the enterprise license only. Something that I will not get for my homelab.

Asking the TrueNAS community/forum, I did not get any response. I cannot believe that you have to keep the keys on the server only. There has to be a way to have it on an external medium, just like a USB stick that I need at boot time to make the key available to the system but that can be removed after the boot process has finished.

I tried to ask Mr. Google but did not find any solution. Before making the decision to use another NAS solution, I would like to be sure that there is no other way.

My best wishes from Germany

Kind regards,

tom

You should be able to do this, but you’ll have to set up your pool manually. Instead of searching for solutions for TrueNAS, try doing the search for ZFS solutions. You should be able to create the pool and it will show up in TrueNAS.

My solution is to use a password on ZFS datasets that I wanted encrypted. By doing this, if anyone were to physically take my NAS, the data would not be retrievable without that password.

Hi tvcvt!

Will try it when I’m back at the server.

Thank you!

Hi LTS_Tom!

I’m thinking about an encrypted USB stick with a fingerprint sensor for the final layer of security.

I’m missing something…

What I have done:
#1 Created a ZFS pool on a USB stick, which contains the encryption key, with the TrueNAS GUI.
#2 Edited /etc/fstab to mount the USB stick on boot.
#3 Using the CLI, I created the encrypted zpool and the first dataset.
#4 Exported the generated encrypted pool and rebooted the machine.
#5 Imported the encrypted pool via the TrueNAS GUI.
=> Pool and dataset are listed under ‘Datasets’ but are marked as ‘Locked’ for the pool and ‘Locked by ancestor’ for the dataset.

How do I get TrueNAS to use the newly generated key for the pool (on the USB stick)? The ‘Unlock’ button only shows the option to upload from my PC, which would result in a key being stored on the server itself, which I don’t want to happen.

I think what you’re after is the zfs load-key command. You’ll need to create a script that calls that command and points it at your USB stick and ZFS pool. Run that script at boot and you should be in good shape. Here’s the man page for zfs load-key.

EDIT: I’m sure it doesn’t need to be said, but make sure you have a backup of the key somewhere. Without it, that pool is never getting decrypted.

I had to add two commands (load-key and mount) but this seems to do the job. The pools can be used.

How do I get you a nice cold beer - as a little thank you!?
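The boot-time script tvcvt describes, with the two commands tom ended up adding (load-key and mount), as an added example that is not part of this thread or of TrueNAS. It assumes a pool named "backup", a key file "backup.key" on the stick, and a stick addressed by filesystem UUID (placeholder); it mounts the stick read-only, loads the key, mounts the datasets and unmounts the stick again so the key is only reachable during that window.

```shell
#!/bin/sh
# Boot-time unlock of an encrypted ZFS pool whose raw key lives on a USB stick:
# mount the stick read-only, run "zfs load-key", unmount it again, so no copy of
# the key remains on the server. Assumed names (not from the thread): pool
# "backup", key file "backup.key", stick by filesystem UUID (placeholder; blkid).
set -eu

KEY_DEV="/dev/disk/by-uuid/REPLACE-WITH-STICK-UUID"
KEY_MNT="/mnt/keystick"
POOL="backup"
KEY_FILE="$KEY_MNT/backup.key"
# Command names are variables so they can be swapped for stubs when testing.
ZFS="${ZFS:-zfs}"
MOUNT="${MOUNT:-mount}"
UMOUNT="${UMOUNT:-umount}"

# True when the key is already loaded (keystatus=available), e.g. on a re-run.
key_loaded() {
    [ "$("$ZFS" get -H -o value keystatus "$1")" = "available" ]
}

# Load the key from file $2 into pool $1 and mount the pool's datasets.
# Returns 1 without calling zfs at all when the key file is not readable.
load_pool_key() {
    pool="$1"; keyfile="$2"
    if ! [ -r "$keyfile" ]; then
        echo "key file $keyfile not readable; is the stick plugged in?" >&2
        return 1
    fi
    if key_loaded "$pool"; then
        echo "key for $pool already loaded" >&2
    else
        "$ZFS" load-key -L "file://$keyfile" "$pool"
    fi
    "$ZFS" mount -a
}

# Mount the stick, load the key, and unmount the stick again whatever happened.
unlock_from_stick() {
    "$MOUNT" -o ro "$KEY_DEV" "$KEY_MNT"
    rc=0
    load_pool_key "$POOL" "$KEY_FILE" || rc=$?
    "$UMOUNT" "$KEY_MNT"
    return "$rc"
}

# Only act when called with --unlock; without arguments just define functions.
case "${1:-}" in
    --unlock) unlock_from_stick ;;
esac
```

Run it as `keystick.sh --unlock` from a post-init script (TrueNAS Scale's Init/Shutdown Scripts can call it) and keep a second copy of the key file off the server, as the EDIT above already says.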

Hey, I’m glad it worked out. Next beer I open, I’ll imagine it’s from you!