Tom here from Lawrence Systems, and you should dance like nobody's watching but encrypt like everyone is. Whether you're encrypting for compliance, privacy, or paranoia reasons, in this video I will cover how to use ZFS encryption with TrueNAS Core and TrueNAS Scale. But I want to get a couple of caveats out of the way.

Losing the keys means losing your data. This encryption is built really well and it's been well tested, and if you lose the keys or the passphrase, whichever one you've used to encrypt your data, you're not going to be able to get that data back.

Now, the next question is going to be about performance. This question seems to come up a lot, and you'll find a lot of old forum posts about this. But if you're using a modern processor, let's say within the last five years, I have found the performance hit to be right around 1% or 2% from encrypted to non-encrypted data sets. So with most systems, it's probably not a big concern. But if you're also using deduplication, this can complicate things, because if you're using deduplication along with encryption, you now have two things that are competing for CPU cycles, so you could push your performance issues beyond that 1% or 2%. That's a different topic when it comes to deduplication, but one more thing that should be noted is that unrelated encrypted data sets cannot use deduplication. There's an entire write-up I'll link to where you can understand some of the ins and outs of that. Like I said, it's a longer discussion that goes outside the topic of this video.

The other thing I want to cover is going to be where the keys are stored, because this question comes up quite a bit. You can download the keys separately, but they're also part of your backup. That being said, the keys live within the boot pool. That means you can encrypt a data set, and the data will be encrypted, but your boot pool does contain the keys.
So this does not prevent someone from physically taking your TrueNAS system and, well, booting it up themselves. You're thinking, well, they wouldn't have access to the web interface, except they would be able to get to the command line, modify that web interface and reset the password to it. So yeah, there's definitely some risk there, which is why we're also going to talk about why passphrases are good and the challenge with them.

Now the last little piece on there: you're asking, what about a key server to allow for unlocking? That way you can talk to a key server that allows it to unlock. That is not officially supported in TrueNAS Scale or TrueNAS Core unless you have Enterprise. If you're using the Enterprise version, yes, it's supported. Now, if you want to know, there's a third-party way to do that. Once again, it goes beyond the scope of this video. I will leave a link, though, if you're interested in how the key server works with TrueNAS Enterprise. That's also linked in the description.

Now we can dive into the video, but before we get started with it, let's first... Are you an individual or company looking for support on a network engineering, storage or virtualization project? Is your company or internal IT team looking for someone to proactively monitor your system security or offer strategic guidance to keep your IT systems operating smoothly? Not only would we love to help consulting on your project, we also offer fully managed or co-managed IT service plans for businesses in need of IT administration or IT teams in need of additional support. With our expert install team, we can also assist you with all of your structured cabling and Wi-Fi planning projects. If any of this piques your interest, fill out our Hire Us form at lawrencesystems.com so we can start crafting a solution that works for you.
If you're not interested in Hire Us but you're looking for other ways to support this channel, there are affiliate links down below to get your deals and discounts on products and services we talk about on this channel. And now back to our content.

We're going to be doing this demo in TrueNAS Scale 22.12.0, but I will point out that this works much the same in TrueNAS Core. The difference is going to be that in Core you click the gear icon and there's Export Dataset Keys, and as you'll see when we go through TrueNAS Scale, the data set keys are located in a completely different menu that they've redesigned just for Scale. If you need to lock or unlock things in Core, we go here and the lock icon is still the same, but it's located with these three dots. Choosing the encryption options or locking a particular data set is much the same. Or even if you take an existing one and you'd like to change its encryption options, you click this, and these menus are actually the same across both platforms.

Let's go back over to Scale, where we're going to do the demo. The first thing you want to do is create a pool, and we'll call this pool labtest. We're going to choose encryption for this pool. I just like encryption by default, so I usually choose it, but as I said in the beginning, yes, there's that couple percent of performance you could lose there. Whether or not you choose an encrypted pool, you get to choose whether the data sets themselves are encrypted on an individual data set basis. So let's go ahead and create this encrypted pool to walk through the process: create, confirm we're creating the pool, fetching the data, and it's going to want to download the keys immediately. The reason you want to download the keys is in case you ever lose your boot pool. These keys are absolutely imperative in order to recover data off these data drives. So we're going to hit Download Encryption Key. Let's go ahead and open up that key and we can look at what the key looks like.
It's just a really simple JSON file, which has the pool name and the single key in here. We'll cover further what this looks like after we add a couple more keys, but this is now the default key for every data set created that is, by default, inheriting the encryption options.

Next we're going to create some data sets. The first data set we create will inherit automatically: we go to Add Dataset here, we'll just call it test1, and by default we have Inherit for the encryption options. So we can just hit save, and now that is also unlocked whenever this system boots up, because it has that key we downloaded saved within the configuration of this particular TrueNAS. So every time we restart the server, this is automatically unlocked.

Now, the encryption can be changed afterwards, so we can actually take this currently unlocked one and change it. Let's go down here, click on the data set, go over to ZFS Encryption, hit Edit, and by default it inherits, but let's go ahead and create a different key. We'll just have the system choose one, we hit confirm, and now we've created a separate key for this particular data set. Because these have different keys but both keys are stored within TrueNAS, this will still be available and unlocked on boot.

You're probably wondering, why would I want to have a different key for a different data set under there? The only real reason I can think of for doing it that way is if you had several data sets here. Let's add one called test2 and save. Now this one shows "unlocked by ancestor" and this one has its own key, and the advantage is going to be that if I was using replication, I can replicate this to another server and allow that other server to have a copy of this key, but that key, if I were to replicate this one as well, would not unlock this.
So one advantage of doing it this way is to have the ability to back things up to different servers. If it's a server you don't trust and you want to use ZFS replication, you can back up everything, but maybe there's one particular data set you do trust them with, and they can have the key to that one. Then you would take those keys and actually import them on the other server, because you can replicate all the data while it's encrypted over to another ZFS pool, and then on a per data set, or per key basis I should say, you can take the key for that one data set and only unlock that one data set. So it's pretty simple how the key system works.

Now let's show what the download looks like now that we've added two keys to this particular data set. For that we're going to click on the top data set here and say Export All Keys. You can export individual keys, but we're going to go ahead and export all of them. We'll look at this file again, and we can see that we have labtest, and labtest/test1 has a separate key, but you notice labtest/test2 is not in here because we didn't generate a new key for it. If we did change the key for labtest/test2, it would be in here as well. This allows you, when you're bringing the keys in from another system, to just copy and paste these particular keys that were generated and bring them into another system to decrypt those particular data sets.

The next part I want to talk about is adding a data set, but this time for the encryption we will show you no encryption, so instead of Inherit we'll make this one non-encrypted. It warns us to confirm that yes, everything will be unencrypted in here, so we're going to hit save, and we now have an unencrypted piece of data on here. This unencrypted data can be replicated to another system and it's fully unencrypted there; there's no encryption here at all.
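As an added example (this is not code from the video or from TrueNAS itself), here is a small Python script that works with a key export of the shape just described: a JSON object mapping each data set that has its own key to a hex-encoded key. The file layout and the 64-hex-character key length are assumptions drawn from the description above; the data set names follow the demo and the key values are constructed placeholders. The script validates the file, resolves which exported key covers a given (possibly inheriting) data set, trims an export down to only the keys you intend to hand to a replication target, and lists encryption roots whose key is missing from the backup.

```python
"""Handle a TrueNAS ZFS key export (added example; not from the video or TrueNAS).

Assumed file shape: a flat JSON object mapping each data set that has its own
key (an encryption root) to its 256-bit key as 64 hex characters. Data sets
that inherit encryption from a parent are absent, which is why test2 did not
appear in the export in the video.
"""
import json
import re

# Constructed sample export for the demo pool. The key values are placeholders,
# not real keys.
SAMPLE_EXPORT = json.dumps({
    "labtest": "00" * 32,        # pool-level key, inherited by labtest/test2
    "labtest/test1": "11" * 32,  # test1 was given its own key in the demo
})

HEX_KEY = re.compile(r"^[0-9a-fA-F]{64}$")  # 32 bytes, hex encoded


def load_key_export(text):
    """Parse an export and reject anything that is not a dataset -> hex key map."""
    data = json.loads(text)
    if not isinstance(data, dict):
        raise ValueError("key export must be a JSON object of dataset -> key")
    bad = [name for name, key in data.items()
           if not isinstance(key, str) or not HEX_KEY.match(key)]
    if bad:
        raise ValueError("malformed key for: " + ", ".join(bad))
    return data


def encryption_root(dataset, export):
    """Return the exported name whose key unlocks `dataset`, or None.

    Encryption is inherited from the nearest ancestor that has its own key, so
    walk up the dataset name one level at a time until an exported name is hit.
    None means this export cannot unlock the dataset (unencrypted, passphrase
    protected, or its key was never exported).
    """
    name = dataset
    while name:
        if name in export:
            return name
        name = name.rpartition("/")[0]
    return None


def keys_for_replication_target(export, trusted):
    """Trim an export to the data sets a replication target is trusted with.

    Everything replicated is still encrypted at rest on the target; only the
    data sets whose keys are handed over can be unlocked there.
    """
    return {name: key for name, key in export.items() if name in trusted}


def missing_keys(export, encrypted_roots):
    """List encryption roots that have no key in the export (a backup gap)."""
    return sorted(root for root in encrypted_roots if root not in export)


if __name__ == "__main__":
    export = load_key_export(SAMPLE_EXPORT)
    for ds in ("labtest", "labtest/test1", "labtest/test2", "labtest/test1/sub"):
        print(f"{ds:20} unlocked by key of: {encryption_root(ds, export)}")
    print("for a partly trusted target:",
          json.dumps(keys_for_replication_target(export, {"labtest/test1"})))
    print("roots missing from backup:",
          missing_keys(export, ["labtest", "labtest/test1", "labtest/passphrase"]))
```

A passphrase-protected data set never appears in a key export, so missing_keys will always flag it; that is expected, and it is a reminder that the passphrase itself has to be kept somewhere safe instead.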
Now, we could have done this with the first data set as well, because we still have to unlock this in order to get to this one technically when we import it. I don't believe it will import this encrypted one, because this is nested within there, but this particular one is unencrypted. That being said, you'll notice what's missing here is the ability to add encryption: if you start with a data set that's not encrypted and create it without encryption, there's no way to add it later. That's just how that works. But even though this one's not encrypted, we can add a data set under it, call it test, and instead of Inherit we choose encryption for this one and hit save. Now we have a nested data set that is encrypted underneath it. So these things are related in a way: you can create an unencrypted one, but then you can have encrypted ones underneath it as sub data sets or nested data sets. Any of these options work perfectly fine, and this is the quick way if you wanted to create a test where you write something and do a speed test between no encryption and encryption, to get an idea of whether or not that creates a lot of overhead in your particular configuration.

Now the last one we're going to do is add a data set and call this one passphrase. We're not going to inherit encryption, we're going to use encryption, but we're going to have a passphrase on here, and we'll make it simple: password123. Also, don't use password123 as your passphrase. Go ahead and hit save. Now with passphrase encryption you can lock and unlock this data set with that particular passphrase. This has the advantage that if you boot this system up, the passphrase data set will show up here in the list of data sets, but it will show in a locked status. So if we go over here and scroll down to ZFS Encryption, we can see the current status is unlocked. We hit Lock, now we've locked this, and there's nothing we can do with the data within there. We can see the data in terms of how many kilobytes it may be taking up, but nothing more without the unlock. We go here and hit Unlock, put in the data set passphrase, which was just password123, hit save, continue, and it lets us know that we're now unlocking that data set. Pretty simple to do.

I want to note something about shares that you may have on this particular data set, and what happens when you boot the system up and those shares or even applications point at a locked data set. That's easier to demo on one of my systems I already have set up for this. All right, this is one of my production systems, and we have Syncthing running right here, but I have it stopped, and if I were to try to start it, it will fail. Let me show you where the data lives. If we go here to Edit, this application points to a host path for the Syncthing data under /mnt/dozer. If we look at that data right now in the data sets, we will see that it is locked: there's the Syncthing data set and it's currently in status locked. So we try to start that application, and it's the same thing, it doesn't start up, it's going to fail. If we hit start, fetching data, it says the application cannot be started because it's consuming the following host paths, which are locked, and More Info leads to the same thing: it can't get to the host path because it's consuming the following host paths, which are locked. If anyone were to take my TrueNAS system, the boot-up process would not allow this to unlock unless someone had the password.

So now we go back over to Datasets, go to the Syncthing data set, and we're going to unlock it: paste in the passphrase, hit save, the data set was provided credentials to be unlocked, restarting services, and close. I want to note that the "restarting services" is also because if there were any shares on this, it would restart the shares, because they would also fail to start because of being pointed at that data set. Now, it does not restart the applications.
So I actually have to start them manually, and this is one of those things that's really important to consider when deciding whether or not you should use those passphrases. The good part is they are the best protection for your TrueNAS system and any data on it if someone were to physically take it and, well, escape with that system, because without the passphrase, and if you're using a good passphrase that is not easily guessed, something really crazy long, which I do recommend because it's easy enough to store something like that within your password manager, the data stays locked. You just have the inconvenience that any time that TrueNAS system gets restarted, none of those services or shares will be available. But to the same extent they won't be available if someone takes the system, and there's not any way to remove that passphrase: that passphrase has to be known by the person who wants to unlock the data, and hopefully that is only you.

So these are a couple of considerations when you're setting this up. It's relatively easy to do: you can change from a passphrase back to a key, you can change from a key to a passphrase, and you can do this on the fly on an as-needed basis, whichever you're comfortable with. Just make sure you are not losing any of those keys or passphrases, because if you lose the boot pool where that data resides and you want to import that data somewhere else, those keys are important. If you just want to take those drives out and import them to another system, you need those keys. If you're using replication, it will replicate encrypted unless you take the keys and put them in the system that they're landing on. So those are all considerations you should have with encryption.

Leave your thoughts and comments down below, or head over to my forums for a more in-depth discussion. I'll also leave links, as I said, to the things I mentioned, a couple of different expanded ideas around this and the documentation from TrueNAS.

All the way to the end of this video! If you've enjoyed the content, please give us a thumbs up. If you would like to see more content from this channel, hit the subscribe button and the bell icon. If you'd like to hire us for a short project, head over to lawrencesystems.com and click the Hire Us button right at the top. To help this channel out in other ways, there's a Join button here for YouTube and a Patreon page where your support is greatly appreciated. For deals, discounts and offers, check out our affiliate links in the description of all our videos, including a link to our shirt store, where there's a wide variety of shirts that we sell, and designs come out, well, randomly, so check back frequently. And finally, our forums, forums.lawrencesystems.com, is where you can have a more in-depth discussion about this video and other tech topics covered on this channel. Thanks again for watching, and I look forward to hearing from you.
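Coming back to the passphrase behaviour demonstrated with the Syncthing application: here is an added example, not from the video or from TrueNAS, that audits what will be locked after a reboot. It parses the tab-separated output of "zfs get -H -o name,property,value keyformat,keystatus,encryptionroot,mountpoint" (the sample lines are constructed, modelled on the dozer pool; the data set name dozer/syncthing_data and the other child names are made up) together with a constructed map of application host paths, and reports which applications point at a data set that will still be locked after boot. It assumes, as the video states, that key-based data sets are unlocked automatically because TrueNAS holds the key, while passphrase data sets stay locked until someone enters the passphrase.

```python
"""Reboot lock audit for TrueNAS data sets (added example; not from the video).

Input is the tab-separated output of
    zfs get -H -o name,property,value keyformat,keystatus,encryptionroot,mountpoint
run on the TrueNAS host. The sample below is constructed to resemble the
production pool "dozer" from the video; the child data set names and the
application host paths are made up for this example.
"""
import collections

SAMPLE_ZFS_GET = "\n".join([
    "dozer\tkeyformat\thex",                         # pool root, key held by TrueNAS
    "dozer\tkeystatus\tavailable",
    "dozer\tencryptionroot\tdozer",
    "dozer\tmountpoint\t/mnt/dozer",
    "dozer/docs\tkeyformat\thex",                    # inherits the pool key
    "dozer/docs\tkeystatus\tavailable",
    "dozer/docs\tencryptionroot\tdozer",
    "dozer/docs\tmountpoint\t/mnt/dozer/docs",
    "dozer/syncthing_data\tkeyformat\tpassphrase",   # its own passphrase root
    "dozer/syncthing_data\tkeystatus\tunavailable",
    "dozer/syncthing_data\tencryptionroot\tdozer/syncthing_data",
    "dozer/syncthing_data\tmountpoint\t/mnt/dozer/syncthing_data",
    "dozer/media\tkeyformat\tnone",                  # created without encryption
    "dozer/media\tkeystatus\t-",
    "dozer/media\tencryptionroot\t-",
    "dozer/media\tmountpoint\t/mnt/dozer/media",
])

# Constructed: the host paths each application mounts (what the app's Edit form shows).
SAMPLE_APP_PATHS = {
    "syncthing": ["/mnt/dozer/syncthing_data/config", "/mnt/dozer/syncthing_data/files"],
    "plex": ["/mnt/dozer/media"],
}


def parse_zfs_get(text):
    """Turn `zfs get -H -o name,property,value` lines into {dataset: {prop: value}}."""
    datasets = collections.defaultdict(dict)
    for line in text.splitlines():
        if not line.strip():
            continue
        name, prop, value = line.split("\t")[:3]
        datasets[name][prop] = value
    return dict(datasets)


def boot_status(props):
    """Classify a dataset by what TrueNAS does with it at boot.

    As described in the video: key-based data sets are unlocked automatically
    because the key is stored on the boot pool; passphrase data sets stay locked
    until someone enters the passphrase. keyformat is inherited, so a child of a
    passphrase root is classified like its root.
    """
    fmt = props.get("keyformat", "none")
    if fmt in ("none", "-"):
        return "unencrypted"
    if fmt == "passphrase":
        return "locked-at-boot"
    return "auto-unlocked"  # hex or raw key held by TrueNAS


def dataset_for_path(path, datasets):
    """Find the dataset whose mountpoint is the longest prefix of `path`, or None."""
    best, best_len = None, -1
    for name, props in datasets.items():
        mp = props.get("mountpoint", "")
        if not mp.startswith("/"):
            continue  # 'legacy' or 'none' mountpoints are not host paths
        if (path == mp or path.startswith(mp.rstrip("/") + "/")) and len(mp) > best_len:
            best, best_len = name, len(mp)
    return best


def apps_blocked_at_boot(app_paths, datasets):
    """Map each application to the host paths that sit on a locked-at-boot dataset."""
    blocked = {}
    for app, paths in app_paths.items():
        locked = []
        for path in paths:
            ds = dataset_for_path(path, datasets)
            if ds is not None and boot_status(datasets[ds]) == "locked-at-boot":
                locked.append(path)
        if locked:
            blocked[app] = locked
    return blocked


if __name__ == "__main__":
    ds = parse_zfs_get(SAMPLE_ZFS_GET)
    for name in sorted(ds):
        print(f"{name:24} {boot_status(ds[name])}")
    print("apps that will not start after a reboot:", apps_blocked_at_boot(SAMPLE_APP_PATHS, ds))
```

Run it against real "zfs get" output from a shell on the TrueNAS host, and the report tells you in advance which applications and share paths you will have to bring back by hand after entering the passphrase, which is exactly the manual step the video walks through for Syncthing.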