Tom here from Lawrence Systems, and we're going to talk about TrueNAS 12 and backing it up properly, especially your encryption keys. If you do not back up the encryption keys and you just back up settings, this is, well, not good. I bring this up because I've seen way too many forum posts where people built their rigs. That's why I'm actually using kind of a pile of spare parts right here, to feel more relatable to the people who are cobbling some stuff together, which is a common scenario. When you first get started it's also kind of fun to play with hardware like this and test, but they put it all together as a learning experience, and they sometimes end up with a further learning experience by having a single boot drive. Yes, I know it does support mirrors, but hey, not everybody's got the resources to put a mirror together. But if they put it together like this, they should probably back up the keys. Because if you don't back up the keys... What this is here is four drives which represent the ZFS dataset, and this was built with an encrypted ZFS dataset, and if you don't have the keys backed up, you're not going to be able to restore this system. They are gone.

Now, one thing about encryption: the encryption that is new in ZFS with version 12 of TrueNAS is indeed different than the ZFS encryption from prior versions like the 11 series and backwards. They are backwards compatible, so you can import a pool from there, but we're going to be focusing specifically today on how to back up FreeNAS slash TrueNAS version 12. One thing I will mention as well for those that are wondering, and I will leave some time indexes down below, is yes, this survives being swapped onto different hardware. The encryption is not actually tied directly to the hardware at all, as a matter of fact. Part of the reason I'm using this rig is because over there lies another motherboard that this was set up on when I started doing the video.
And if you let it sit long enough, it just reboots randomly because there's something wrong with the motherboard that I don't really have time to troubleshoot right now. It's older hardware as well. But that is something that does survive: when you rebuild this, pull the drives out and put them on another one, provided you backed up the key, yes, you can import these on a completely different system. That does come up a lot. Second thing I will note is that the order of the drives doesn't matter either. ZFS doesn't rely on specific naming conventions, so to speak, like what SATA ports these were plugged into, to understand how to decrypt and move around the pool. It's actually not related to position and drive.

All right, let's dive into the details. Time indexes will all be listed below. But first, if you'd like to learn more about me or my company, head over to lawrencesystems.com. If you'd like to hire us for a short project, there's a hire button right at the top. If you'd like to help keep this channel sponsor free, and thank you to everyone who already has, there is a join button here for YouTube and a Patreon page. Your support is greatly appreciated. If you're looking for deals or discounts on products and services we offer on this channel, check out the affiliate links down below. They're in the description of all of our videos, including a link to our shirt store. We have a wide variety of shirts that we sell, and new designs come out, well, randomly, so check back frequently. And finally, our forums, forums.lawrencesystems.com, is where you can have a more in-depth discussion about this video and other tech topics you've seen on this channel. Now back to our content.

All right. Now this is running TrueNAS 12.0-U1.1, which is the latest version as of January 30th, 2021. There's not much to talk about with the hardware because it's not really relevant to the scope of this. This is just an older Intel Atom system that I'm running here that has 16 gigs of RAM.
That is not something, though, that's relevant when you do the backup and restore. I bring that up because if you want to restore on dissimilar hardware, that's really not a big deal. It doesn't really contain hardware-specific information, except for specific information related to the network interface. That is something you'll have to address if you swap out hardware with a different network interface. When you go to, essentially, the command interface, you will be able to set the network up again to get it working if you didn't have the same network card. Other than that, it doesn't care about hardware. I thought I'd get that out of the way.

We're going to start by going over to Pools and looking at the one pool we have here, that I just named Small Drive Testing because I have a handful of old laptop drives here. When I built the pool, I used the standard key-based encryption. Now, there are two types of encryption, and you can swap them back and forth. Right now this has key-based encryption, which means the key is stored. This is the single boot drive that we have for this particular system, with an A on it, because later I'm going to show you how to add a second drive without reloading. But the data is stored here for that encryption key, not at all on the ZFS pools. So when this boots up, it reads all the configuration files, all the settings it needs for where my shares are and things I modified on the system, and then it has the key file that allows us to decrypt the ZFS pool. Now, it is important that it's stored there. If you are using password-based encryption instead, then you have to type a password in on boot. And since you'd be typing a password each time on boot, I can show you how we can actually dynamically change this. So we'll go over here to Encryption Options. Right now it's generated as a key; change it to passphrase. We'll put it in as 1, 2. Oh, it needs at least eight, it says. So 1, 2, 3, 4, 5, 6, 7, 8. 1, 2, 3, 4, 5, 6, 7, 8.
I highly don't recommend that password. But this is going to be passphrase authentication. We can just hit Save. And it's now deleting the key and using a passphrase. This means that every time I want to unlock these drives, every time the system reboots, because that passphrase is not stored on the boot drive, I need to have saved that passphrase somewhere. Hopefully you're using something better than 1, 2, 3, 4, 5, 6, 7, 8. But now when you do a backup, it's not going to back up the keys.

Now, why would you use one or the other? That's what people are probably wondering here, because obviously key-based is easy: it boots and it unlocks the drives. Tom, that's the simplest way to do it, right? Absolutely. And security and convenience are always at odds with each other. The advantage of doing it with a password is: what if someone steals all of this? Then they take the boot drive. Now they're going to have the keys, because when it boots up, it's going to unlock the dataset. That's maybe not an ideal situation. And if you work under some levels of security compliance, it's a very not ideal situation. Now, what the key file will protect you from is if someone just pulled these drives and had them: if they didn't take the boot drive with it, with the keys embedded on it, they wouldn't be able to decrypt it. If you use the password, the nice thing is they would have to have that password as well. Hopefully you didn't store it on a piece of tape next to your FreeNAS where you type it in. So it is worth mentioning that those are the two encryption options, and you won't get a key once we've done this. I wanted to do this so we can go to Export Dataset Keys. It's a blank file. So when you go to export the keys when there is no key, there's nothing to do. It does still give you the option, but I just wanted to show you that that particular file is blank. Now let's switch it back over to Encryption Options.
Instead of passphrase, we're going to go back to Key. And we'll just let it generate a new key, Confirm, Save. Rescrambling. All right, we have done this. It's also a good idea to do this if you ever think your key was compromised, because you saved your backup somewhere and then you lost the backup, but you're wondering, did someone take it or did I lose it? Before you go a little crazy and think someone may come back later and try to restore something, you can always regenerate the key. And by the way, all the data is still here.

Now when we go back over here again, we're going to go to Export Dataset Keys. And now we have a key. Now for those of you that heard me say keys in the plural, you may be wondering, Tom, there's a key, not keys. That is one more thing I wanted to cover real quick here. When you go over here and we look at Encryption Options for each subsequent dataset we create under the main dataset, there is the Inherit option, on by default. So by default it just inherits the encryption properties from the parent, whether those encryption properties were a passphrase or key-based encryption. You can override that and generate a specific key. Then we hit Save. We're going to encrypt that particular dataset with a separate key from the other one. So we have the main key, then we have a dataset with a different key, and this can go on and on. What that gives you, though, is when we Export Dataset Keys again and look at the file, now you see there's more than one key in here. So this is the first key, and then this is a subsequent key for that particular dataset. So now there are two keys in there. It is important that you have these key backups.
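Since a key export that is truncated or edited looks fine until the day you need it, here is an added POSIX shell check to run over an exported key file before filing it with your backups; this is example code, not from the video or from TrueNAS. It assumes the export is a flat JSON object mapping each dataset name to a 64-hex-character key, and the file contents, dataset names and hex values below are constructed, not real keys.

```shell
#!/bin/sh
# Added check for an exported TrueNAS 12 dataset key file (dataset_keys.json).
# Assumed format (not confirmed against every release): a flat JSON object
# mapping each dataset name to its 256-bit key as 64 hex characters, e.g.
#   {"tank": "0123...ef", "tank/docs": "fedc...10"}
# ZFS dataset names cannot contain quotes or commas, so splitting on those
# characters is safe for this format.

# Print one "dataset<TAB>key" line per entry in the key file.
key_entries() {
    tr -d '\n\r' < "$1" | tr ',' '\n' | awk -F'"' '/:/ { print $2 "\t" $4 }'
}

# Every key must be exactly 64 hex digits. Returns 1 if any key is malformed
# or the file holds no keys at all (the blank export from passphrase mode).
check_key_file() {
    key_entries "$1" | awk -F'\t' '
        { n++ }
        length($2) != 64 || $2 ~ /[^0-9a-fA-F]/ {
            print "malformed key for dataset: " $1; bad++
        }
        END {
            if (n == 0) { print "no keys found"; exit 1 }
            exit (bad > 0)
        }'
}

# Confirm that each dataset you expect to be separately keyed (a child that
# overrode Inherit with its own key) is present in the file.
# Usage: require_datasets keyfile dataset...
require_datasets() {
    file=$1; shift
    missing=0
    for ds in "$@"; do
        if ! key_entries "$file" | awk -F'\t' -v ds="$ds" \
                '$1 == ds { found = 1 } END { exit !found }'; then
            echo "no key for dataset: $ds"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample exports (the hex values are NOT real keys): a good file
# with a parent and a separately keyed child, and a truncated copy.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
good="$tmp/dataset_keys.json"
bad="$tmp/dataset_keys_truncated.json"
printf '%s\n' '{"tank": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef", "tank/docs": "fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210"}' > "$good"
printf '%s\n' '{"tank": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcd"}' > "$bad"

check_key_file "$good" && require_datasets "$good" tank tank/docs && echo "OK: $good"
check_key_file "$bad" || echo "REJECTED: $bad"
```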
Now these key backups, when we show you how to do the main backup of FreeNAS, will be within there. But there's a good reason to have them separate, and that is if for some reason you wanted to take the ZFS pool and bring it into another system but you didn't want to try to restore a whole other system. Like, you built a new computer or a new server for FreeNAS/TrueNAS, you loaded it all up, you built it with your fancy new drives, and I kind of just want to grab those drives and import that pool, but I already have this configured, so I don't necessarily want to restore the database. This is a good reason to export the keys and have them separate, so you don't have to try to get inside of a database file to actually pull them out. It could be done; probably not the easy way to do it. So downloading the keys separately, I think personally, is a good idea as part of the backup process.

Now let's go and walk through one more thing real quick, and that thing is going to be removing this. So we're going to go back over to the Encryption Options. We'll just go back to Inherit, Confirm. I only want to have to deal with one key, just for simplicity's sake, but this works. Now let's talk about how to do the other part of the backup. System, General. And we're going to go ahead and Save Config. Export Password Secret Seed. Export Pool Encryption Keys. You can do the backup without the encryption keys. I don't think I'd recommend it. You may as well put them in there unless you have some reason not to. You can do the backup without the password secret seed. Now I will mention it's still in the documentation, even for the older versions of TrueNAS and FreeNAS, that the Export Password Secret Seed is important, because if you have other services that you saved passwords in, not the passwords for users necessarily, but the passwords for other things like iSCSI and other features, you do need to export that password secret seed in order to get those passwords restored.
Just a side note of why that is. So, short answer, check that box. Back over to here. We're going to go ahead and do this. Put the password in, Save. And there is the TrueNAS file. Back over to here.

Let's talk about purging and deleting things. And we're going to go into the FreeNAS system itself to a folder, /data. This is in the root of FreeNAS. And this is actually where that data is stored. So when we did the backup, all we did was pull this data right here. Here's that freenas-v1.db. There's a factory image right here. And there is that secret file right there. Now the keys themselves for ZFS, like I said, are in the db file. So all you really did was back that up. If we wanted to, for example, reset the system, there's a couple of ways to do it. I could go over to the keyboard, and there's an option in the menu that just resets the whole system to factory defaults, which is actually easy to do. So we're going to copy the factory db over the FreeNAS db. All right. Now we have destroyed all the data, and the factory one, trust me, doesn't have the keys in it. So now I'm going to walk you through what a restore looks like. And we're just going to go ahead and reboot the system.

All right. The system's rebooted to factory default, which actually brings up a new security certificate. And that's because it had to regenerate one on reboot, because the one that it generated before was also located in that db. Everything for FreeNAS pretty much is in that db. The next thing it's going to prompt me for is a password. Now, if I would have reloaded FreeNAS, it would have been a little bit different process. So let's say we had lost the boot drive and it just died, and we load another boot drive; when you're loading FreeNAS it asks you for the password.
So this process is almost identical to what a reload would look like, except for the fact that if you just do a factory reset, either from the terminal options that are in the menus or the UI, or if you do it like I did, with SSH and overwriting the db file with the factory initial one, the results are the same, except you actually get a password prompt if you do it the way I did it. So that's kind of convenient. We're just going to throw the same password back in that I had before, out of convenience. Sign in. All right. And we are back in here with a system with the Getting Started and everything else, but there's no storage pools. Let's go ahead to Storage, Pools, and the options are, of course, we can create one or import one. We're going to go ahead and Add, Import an Existing Pool. We don't really want to overwrite the drives, or, well, it'll overwrite the drives. This is where you have the option to import the old version, the GELI encryption method that was done in prior versions, the 11 series and backwards of FreeNAS. And now that we're on TrueNAS, it's using the native ZFS encryption. So we're going to say no, continue with import. But some people I've seen get stuck right there, and they're assuming they mean decrypt the pool with the key that I downloaded, but it's not the same key type. That's for old pools.

Now we can go over here: Small Drive Testing. Now, without the keys, it is able to see what you named the ZFS pool. Certain pieces of ZFS are available unencrypted, such as the name of the pool. So if we go Next and we say Import, this is what gives some people some false hope. They see it importing the pool and they're like, exciting, it's going to just work, and my data is all going to be restored that I forgot to back the key up for. But you're going to see a prompt come up next that says, would you like to unencrypt the pool? All right, we've got to have that key. So I'm going to hit Continue, Unlock with Key File.
There's two options actually here. We can unlock with a key file, or if we were to open up that key file, we can actually paste that data in. So if we look at the JSON file, we could actually just go here and copy and paste this file in. But let's go ahead and just restore it the proper way, with the file. So go over here, Unlock with Key File, Choose File. This last one, because I think these first ones were from before I re-changed the keys. So we're going to go ahead and grab that file, the last one I downloaded, hit Submit. And Unlock Children means if there were subsequent keys, when I mentioned you can have multiple keys in one key file, it'll unlock those too with those keys. So we'll go ahead and do it. We've got a green checkbox, which is what we like to see. These datasets will be unlocked with the provided credentials; hit Continue. Great. All the data is there. So here's my iocage, some data testing, small drive, just like it was before we blew away that particular file.

But what did not get restored, of course, is, if we go to Sharing and we go to Windows SMB Shares, all my shares and any configuration specific to this FreeNAS/TrueNAS install has been wiped away. So all we have is data, and we'd have to go through and set everything up again, which obviously would be really tedious. Now for those of you wondering about things like iocage, that's still here, because all the jails that I had, which I didn't have any set up, are under here, for those wondering. And the config for the jails is located within iocage. But once again, it doesn't really have all the config for the system itself. Therefore, all we did was import the pool. And this is really handy, though, if you're building a new system and you just want to grab that pool, grab the handful of drives and tie them together; that way you can move the data around because, well, maybe something happened to the old system.
But ideally, what you want to do if the system loses the main drive is go here to System, General. And even though I unlocked it, I didn't have to do it. You could have just, you know, done this factory reset or a fresh install and gone right here, and we're going to Upload Config. Now when doing it this way, I only need this file, because remember, when we exported it, we checked those boxes that said export the pool encryption keys, which you don't have to. Like I said, you could have just kept them separate, but I did choose to do that. I exported them and the password secret seed; they're all in here. Upload, and it's a small file. It reboots. Now, of note, this takes a little bit longer when you do it this way, because what it's going to do is reboot twice. First reboot, it has that file queued up, so it reboots, it gets that file, it extracts it, double-checks it, makes sure it works. Then it restarts again and applies all the settings it found in the file. That way, if it does fail, if that file was somehow corrupted or broken, it'll actually go back and come back to the last version that it had in there, because it does kind of a safety check, essentially. So now we're just going to fast forward the video until it reboots.

All right, so we'll log back in again and we can look over here, go down to Sharing. Let's look at the Windows shares. Hey look, they're back. So the Windows share I set up for this test so I could throw some data on it is there. The pools are exactly as they were because the keys were located in there, and now the system's restored.

Now the last thing I want to cover is, of course, when you lose a drive, you go into a panic attack going, how can I not have this happen to me again, and how do I get a second drive mirrored to the first one? Now if you do a new install, that's easy. You just install to a mirror. But what if you didn't, and have an existing install? So we've got drive A and then we have drive B.
So we're going to plug in drive B here. Now, whether or not you can do this live, without rebooting the system while it's on, depends on whether or not your system supports hot swap. As far as I know this one does, so we're going to find out right now. We're going to go here, and we're going to go to System, and we'll go to Boot. Actions. Boot Pool Status. One lonely drive. But we did plug another one in. Let's go ahead and add that. So we go here and we're going to Attach. Choose the member disk. Hey look, it's easy. It does support hot swap. This member disk is this one right here, because it's the only extra disk I had added, and then I'm going to hit Submit. Attaching device. Now, it's smart enough to automatically do a mirror. So when we have this set up, it's going to just build it out as a mirror, because it's formatting it as ZFS, and it's going to build it up to be a mirrored part of the ZFS boot pool here. Was attached successfully. So now if we go here, Boot Pool Status, you can see it set up as a mirror. Pretty straightforward, and away you go. Now you have a mirror of the boot pool. So hopefully it doesn't happen again; you've got more than one drive on here. I'm not sure if you can add more than this for the mirror. I've never actually gone more than this, and I'm actually out of SATA cables to do that test. I'll leave that to those of you that want to experiment. I generally don't see a reason for the boot pool being more than two drives. Not much reading and writing is going on here.

The same question also comes up of whether or not you should do things like run FreeNAS from a thumb drive and then set up a thumb drive mirror. In the past you would have been okay doing it on something like this. But the speed of these isn't overly relevant, so you can usually pick up some relatively inexpensive SSDs, the prices are so low on them, and it doesn't take much storage to run FreeNAS on here.
So the only time you really want to use USB, but yes, you can build these as mirrors as well, is if for some reason you're just out of SATA ports and that's the better way to build it for you, given the limitations of what you have to work with. That's all you've got to do to add two of these, so I will have all that data mirrored: the keys mirrored, the configuration mirrored. But mirroring is resilience; mirroring is not a substitute for backing it up. So please, like I said at the beginning of the video, please back this up, because I don't like seeing forum posts of "I lost all my data, how do I get it back, because I didn't back up the keys and I want to import this beautiful array of data." Please back up; that's all I have to say, because I really don't feel good about telling people, with no smugness about me when I say it, I'm sorry, I can't help you, you should have backed up. That's all I can really say; it's like giving someone some tragic news. Hopefully this video helps you avoid this tragic news.

And let me know what you think of my rig here. I did use some velcro ties here to keep it nice, and this is 3D printed, for anyone who wants to know. I don't know, my staff printed it, so I don't know where they came up with the idea to print this little hard drive holder; it holds two more drives, though. I think I did another video on it before. It's just kind of convenient because I've got lots of piles of old laptop drives that we keep around for silly projects like this. But yeah, let me know in the comments what you think of any of this. If you have questions, comments, concerns, or you want a more in-depth discussion, you can always do so on my forums on this particular topic. Also, I try to keep up with all the YouTube comments as well. But back up your systems, and thanks for watching.

And thank you for making it to the end of the video. If you like this video, please give it a thumbs up. If you'd like to see more content from the channel, hit the subscribe button, and hit the bell icon if you'd like YouTube to notify you when new videos come out. If you'd like to hire us, head over to lawrencesystems.com, fill out our contact page and let us know what we can help you with and what projects you'd like us to work together on. If you want to carry on the discussion, head over to forums.lawrencesystems.com, where we can carry on the discussion about this video, other videos, or other tech topics in general. Even suggestions for new videos are accepted right there on our forums, which are free. Head over to the channel, and for other ways to help, head over to our affiliate page; we have a lot of great tech offers for you. And once again, thanks for watching and see you next time.