TrueNAS SCALETrueNAS SCALE Nightly Development Documentation
This content follows experimental early release software. Use the Product and Version selectors above to view content specific to a stable software release.

Storage Encryption

TrueNAS SCALE offers ZFS encryption for your sensitive data in pools and datasets or Zvols.

Users are responsible for backing up and securing encryption keys and passphrases! Losing the ability to decrypt data is similar to a catastrophic data loss.

Data-at-rest encryption is available with:

The local TrueNAS system manages keys for data-at-rest. Users are responsible for storing and securing their keys. TrueNAS SCALE includes the Key Management Interface Protocol (KMIP).

Pool and Dataset Encryption

Encryption is for users storing sensitive data. Pool-level encryption does not apply to the storage pool or the disks in the pool. It only applies to the root dataset that shares the same name as the pool. Child datasets or zvols inherit encryption from the parent dataset.

TrueNAS automatically generates a root dataset when you create a pool. This root dataset inherits the encryption state of the pool based on the Encryption option on the Pool Manager screen when you create the pool. Because encryption is inherited from the parent, the data within that pool is encrypted. Selecting the Encryption option for the pool (root dataset) forces encryption for all datasets and Zvols created within the root dataset.

As of SCALE 22.12.3, you can no longer create an unencrypted dataset within an encrypted pool or dataset. This change does not affect existing datasets, only new datasets created in release 22.12.3 and later.

Leaving the Encryption option on the Pool Manager screen cleared creates an unencrypted pool root dataset. You can create both unencrypted and encrypted datasets within this pool (root dataset), but if you create an encrypted dataset within an unencrypted root dataset any dataset or Zvol created within that encrypted dataset are automatically encrypted. If you have only one pool on your system, do not select the Encryption option for this pool.

Can I change dataset encryption?

You can change the type of encryption of an encrypted dataset (root or child dataset) from key to passphrase, but you cannot change an encrypted dataset to an unencrypted dataset after you save it.

You can create an encrypted dataset on an unencrypted pool. When creating a new dataset, changing the inheritance settings presents the option to change the type of encryption or to change from unencrypted to encrypted.

Can I unencrypt my data? Yes, you can move encrypted data to an unencrypted pool or dataset using either rsync or replication. You can also move data from an unencrypted pool or dataset to an encrypted dataset using rsync or replication.

If your system loses power or you reboot the system, the datasets, Zvols, and all data in an encrypted pool automatically lock to protect the data in that encrypted pool.

Encryption Visual Cues

Dataset encryption can be visually confusing in SCALE. SCALE uses different lock-type icons to indicate the encryption state of a root, parent, or child dataset in the tree table on the Datasets screen. Each icon displays text labels that explain the state of the dataset when you hover the mouse over the icon.

The Datasets tree table includes lock icons and descriptions that indicate the encryption state of datasets.

IconStateDescription
DatasetLockedEncryptionIconLockedDisplays for locked encrypted root, non-root parent and child datasets.
DatasetUnlockedEncryptionIconUnlockedDisplays for unlocked encrypted root, non-root parent and child datasets.
DatasetLockedByAncestorEncryptionIconLocked by ancestorDisplays for locked datasets that inherit encryption properties from the parent.
DatasetUnlockedbyAncestorEncryptIconUnlocked by ancestorDisplays for unlocked datasets that inherit encryption properties from the parent.

If a dataset inherits encryption, the locking icons change to a different type and the mouse hover-over label indicates the encryption is Locked by ancestor or Unlocked by ancestor.

Each encrypted dataset includes the ZFS Encryption widget on the Datasets screen when you select the dataset.

The dataset encryption state is unlocked until you lock it using the Lock option on the ZFS Encryption widget. After locking the dataset, the icon on the tree table changes to the locked version and the ZFS Encryption widget displays the Unlock option.

Inherit Encryption

Datasets inherit encryption, which means they keep the encryption settings of the parent dataset whether the parent is the root dataset or a non-root parent dataset with child datasets nested under it.

You can change inherited settings for a dataset when you add the dataset using the Edit option on the ZFS Encryption widget.

Implementing Encryption

Before creating a pool with encryption make sure you want to encrypt all datasets and data stored on the pool.

You cannot change a pool from encrypted to non-encrypted. You can only change the dataset encryption type (key or passphrase) for the encrypted pool.
If your system does not have enough disks to allow you to create a second storage pool, we recommend that you not use encryption at the pool level. You can mix encrypted and unencrypted datasets on an unencrypted pool.
All pool-level encryption is key-based encryption. When prompted, download the encryption key and keep it stored in a safe place where you can back up the file. You cannot use passphrase encryption at the pool level.

Adding Encryption to a New Pool

Go to Storage and click Create Pool on the Storage Dashboard screen. You can also click Add to Pool on the Unassigned Disks widget and select the Add to New radio button to open the Pool Manager screen.

Enter a name for the pool, then add the disks to the Data VDEV. Select Encryption next to Name. A warning dialog displays.

Read the warning, select Confirm, and then click I UNDERSTAND.

A second dialog opens where you click Download Encryption Key for the pool encryption key.

Download Encryption Key on Pool Manager
Figure 1: Download Encryption Key on Pool Manager

Click Done to close the window. Move the encryption key to safe location where you can back up the file.

Click Save to create the pool with encryption.

Adding Encryption to a New Dataset

To add encryption to a new dataset, go to Datasets.

First, select the root or other dataset on the tree table where you want to add a dataset. The default dataset selected when you open the Datasets screen is the root dataset of the first pool on the tree table list. If you have more than one pool and want to create a dataset in a pool other than the default, select the root dataset for that pool or any dataset under the root where you want to add the new dataset.

Click Add Dataset to open the Add Dataset screen.

To add a dataset, enter a value in Name.

Next, select the type of Case Sensitivity and Share Type for the dataset.

To add encyrption to a dataset, select Inherit under Encryption Options to clear the checkbox. This displays the Encryption checkbox already preselected.

Add Dataset Encryption Options Clear Inherit
Figure 2: Add Dataset Encryption Options Clear Inherit

Now decide if you want to use the default encryption type key and if you want to let the system generate the encryption key. To use key encryption and your own key, clear the Generate key checkbox to display the Key field. Enter your key in this field.

Add Key Encryption
Figure 3: Add Key Encryption

To change to passphrase encryption, click the down arrow and select Passphrase from the Encryption Type dropdown.

Add Passphrase Encryption
Figure 4: Add Passphrase Encryption

You can select the encryption algorithm to use from the Encryption Standard dropdown list of options or use the recommended default. Leave the default selection if you do not have a particular encryption standard you want use.

What are these options? TrueNAS supports AES Galois Counter Mode (GCM) and Counter with CBC-MAC (CCM) algorithms for encryption. These algorithms provide authenticated encryption with block ciphers.

The passphrase must be longer than 8 and less than 512 characters.
Keep encryption keys and/or passphrases safeguarded in a secure and protected place. Losing encryption keys or passphrases can result in permanent data loss!

Changing Dataset Encryption

You cannot add encryption to an existing dataset. You can change the encryption type for an already encrypted dataset using the Edit option on the ZFS Encryption widget for the dataset.

Save any change to the encryption key or passphrase, and update your saved passcodes and keys file, and then back up that file.

To change the encryption type, go to Datasets:

  1. Select the unlocked, encrypted dataset on the tree table, then click Edit on the ZFS Encryption widget. The Edit Encryption Options dialog for the selected dataset displays.

    You must unlock a locked encrypted dataset before you can make changes.

    If the dataset inherits encryption settings from a parent dataset, to change this, clear the Inherit encryption properties from parent checkbox to display the key type encryption setting options.

  2. Change the encryption settings. Key type options are to change the type from Key to Passphrase or from a generated to a manually-entered encryption key. After clearing the Inherits encryption properties from parent the default settings display with Encryption Type set to Key and Generate Key pre-selected. To manually enter an encryption key, select Generate Key to clear the checkmark and display the Key field. Enter the new key in this field.

  3. (Optional) Change the Encryption Type to Passphrase using the dropdown list of options. The Passphrase and Confirm Passphrase fields and other passphrase encryption fields display.

    Enter the passphrase twice. Use a complex passphrase that is not easy to guess. Store in a secure location subject to regular backups.

    Leave the other settings at default, then click Confirm to activate Save.

  4. Click Save. The window closes, the ZFS Encryption widget updates to reflect the changes made.

Locking and Unlocking Datasets

You can only lock and unlock an encrypted dataset if it is secured with a passphrase instead of a key file. Before locking a dataset, verify that it is not currently in use.

Locking a Dataset

Select the dataset on the tree table, then click Lock on the ZFS Encryption widget to open the Lock Dataset dialog with the dataset full path name.

Lock Dataset
Figure 8: Lock Dataset

Use the Force unmount option only if you are certain no one is currently accessing the dataset. Force unmount boots anyone using the dataset (e.g. someone accessing a share) so you can lock it. Click Confirm to activate Lock, then click Lock.

You cannot use locked datasets.

Unlocking a Dataset

To unlock a dataset, go to Datasets then select the dataset on the tree table. Click Unlock on the ZFS Encryption widget to open the Unlock Dataset screen.

Dataset Unlock Screen
Figure 9: Dataset Unlock Screen

Type the passphrase into Dataset Passphrase and click Save.

Select Unlock Child Encrypted Roots to unlock all locked child datasets if they use the same passphrase.

Select Force if the dataset mount path exists but is not empty. When this happens, the unlock operation fails. Using Force allows the system to rename the existing directory and file where the dataset should mount. This prevents the mount operation from failing. A confirmation dialog displays.

Continue Dataset Unlock Confirmation
Figure 10: Continue Dataset Unlock Confirmation

Click CONTINUE to confirm you want to unlock the datasets. Click CLOSE to exit and keep the datasets locked. A second confirmation dialog opens confirming the datasets unlocked. Click CLOSE. TrueNAS displays the dataset with the unlocked icon.

Encrypting a Zvol

Encryption is for securing sensitive data.

You can only encrypt a Zvol if you create the Zvol from a dataset with encryption.

Users are responsible for backing up and securing encryption keys and passphrases! Losing the ability to decrypt data is similar to a catastrophic data loss.

Zvols inherit encryption settings from the parent dataset.

To encrypt a Zvol, select a dataset configured with encryption and then create a new Zvol. Next, go to the Datasets page and click on the Zvol.

ZFS Encryption Widget Root Dataset
Figure 11: ZFS Encryption Widget

If you do not seethe ZFS Encryption widget on the Datasets page, you created the Zvol from an unencrypted dataset. Delete the Zvol and start over.

Click Edit on the ZFS Encryption widget. The Edit Encryption Options dialog for the Zvol displays with Inherit encryption properties from parent selected.

Edit Zvol Encryption
Figure 12: Edit Zvol Encryption

If not making changes, click Confirm, and then click Save. The Zvol is encrypted with settings inherited from its parent.

To change inherited encryption properties, clear the Inherit encryption properties from parent checkbox. The current encryption settings display. You can change from key to passphrase or change from a system-generated key to one of your choosing.

Zvol Uncheck Inherit Encryption
Figure 13: Zvol Uncheck Inherit Encryption

If Encryption Type is set toKey, type an encryption key into the Key field or select Generate Key. If using Passphrase, it should be at least eight characters long. Use a passphrase complex enough to not easily guess. After making any changes, select Confirm, and then click Save.

Save any change to the encryption key or passphrase, update your saved passcodes and keys file, and back up the file.

Managing Encryption Credentials

There are two ways to manage the encryption credentials, with a key file or passphrase.

Creating a new encrypted pool automatically generates a new key file and prompts users to download it.

Always back up the key file to a safe and secure location.
Download Encryption Keys
Figure 14: Download Encryption Keys

To manually back up a root dataset key file, click the icon to display the Pool Actions list of options, and select Export Dataset Keys. The keys download to your system.

To change the key, click for the dataset, and then click Encryption Options.

Edit Root Dataset Encryption Keys
Figure 15: Edit Root Dataset Encryption Keys

See Changing Dataset-Level Encryption for more information on changing encryption settings.

A passphrase is a user-defined string at least eight characters long that is required to decrypt the dataset.

The pbkdf2iters is the number of password-based key derivation function 2 (PBKDF2) iterations to use for reducing vulnerability to brute-force attacks. Users must enter a number greater than 100000.

Unlocking a Replicated Encrypted Dataset or Zvol Without a Passphrase

TrueNAS SCALE users should either replicate the dataset/Zvol without properties to disable encryption at the remote end or construct a special json manifest to unlock each child dataset/Zvol with a unique key.

Method 1: Construct JSON Manifest.

  1. Replicate every encrypted dataset you want to replicate with properties.

  2. Export key for every child dataset that has a unique key.

  3. For each child dataset construct a proper json with poolname/datasetname of the destination system and key from the source system like this: {"tank/share01": "57112db4be777d93fa7b76138a68b790d46d6858569bf9d13e32eb9fda72146b"}

  4. Save this file with the extension .json.

  5. On the remote system, unlock the dataset(s) using properly constructed json files.

Method 2: Replicate Encrypted Dataset/zvol Without Properties.

Uncheck properties when replicating so that the destination dataset is not encrypted on the remote side and does not require a key to unlock.

  1. Go to Data Protection and click ADD in the Replication Tasks window.

  2. Click Advanced Replication Creation.

  3. Fill out the form as needed and make sure Include Dataset Properties is NOT checked.

  4. Click Save.

Method 3: Replicate Key Encrypted Dataset/zvol.

  1. Go to Datasets on the system you are replicating from. Select the dataset encrypted with a key, then click Export Key on the ZFS Encryption widget to export the key for the dataset.

  2. Apply the JSON key file or key code to the dataset on the system you replicated the dataset to.

    Option 1: Download the key file and open it in a text editor. Change the pool name/dataset part of the string to the pool name/dataset for the receiving system. For example, replicating from tank1/dataset1 on the replicate-from system to tank2/dataset2 on the replicate-to system.

    Option 2: Copy the key code provided in the Key for dataset window.

  3. On the system receiving the replicated pool/dataset, select the receiving dataset and click Unlock.

  4. Unlock the dataset. Either clear the Unlock with Key file checkbox, paste the key code into the Dataset Key field (if there is a space character at the end of the key, delete the space), or select the downloaded Key file that you edited.

  5. Click Save.

  6. Click Continue.