So, as many of you may know, FreeNAS does support drive encryption, which is great. And the reason I like this and the reason I use it, the use case I have, is in case any drive goes bad, I don't mind sending it back. Our drives contain lots of information for customers, lots of data, our virtual machines, all kinds of sensitive things I probably wouldn't want the world just to be handed if I had to send one of the drives out. So if any drive is removed from our FreeNAS box, it's automatically encrypted, no big deal.
But what is a really big deal, and I've had some people message me on this before and it creates some confusion, is backing up the encryption keys when you set up your FreeNAS. Now you should have all of your data backed up, completely synced somewhere else, a complete duplicate of data. That part's really important with any RAID array, not just FreeNAS, any RAID array. You should have more than one copy of the data, on site, off site. But hopefully, if you lose data, it's not because you forgot to back up the encryption key. So we're going to cover how to set up an encrypted volume, how they work, and using the encryption keys.
So we're going to jump into this and we'll start with how to set up an encrypted volume. That part's really easy. Go here and call this volume test. We check the encryption box. Please read the warnings here, which say if you do not back up the key, your data will be irrecoverable. Yes, the encryption's really good, and yes, you will lose all your data if you don't back it up. So this is a real simple setup with a three-drive array, just set up in RAID-Z. But the type of RAID array you use doesn't matter. It doesn't make any difference. The encryption's still the same. It's a GELI key system that's part of FreeBSD. So we're going to go ahead and add this volume, and the test encrypted volume is created. And we'll go ahead and, just for the hell of it, we'll add a dataset. Some data, just so we have something on here, add dataset.
All right. Let's test and send data. Now when we're here, we see the keys here. Create passphrase, download key, encryption rekey, add a recovery key, remove the recovery key. What we're going to focus on here is adding a passphrase, if you want to, and downloading the key. Now when you download the key, it's going to ask for the password. And you can see we got a file called geli.key. And on our FreeNAS box, if you want to know where that key is stored, if you SSH into the box, there's the key as well. So it's under /data/geli. That is the key for the drive.
Now just so you know, and this is part of what's in that warning about backing it up, if you go here to system, you go here to general, and you just want to download the config file, which you should keep a backup of. But once again with the warning, this config file does not contain that key. So if you lose, and in my case, I have it booting off of a USB thumb drive. And if I lose that thumb drive, and I don't have a backup of that key, I will not be able to unencrypt these drives.
Now, the standard key, just by checking the encryption box, means on boot it goes to that data folder, pulls the data and unlocks the drives as part of the boot process. And that's perfectly fine. That means if someone were to physically steal, not a hard drive, but physically steal your FreeNAS box, they would be able to perhaps go onto the command line interface, reset the password, and get into your FreeNAS system. So that protects you as far as if a single drive has to be replaced, if a single drive was removed from your system and was stolen. It does not protect you at all against someone physically taking the entire FreeNAS box.
Because of those concerns, I go a step further with the encryption. Now, this has some good and bad. When you use this level of encryption, where we actually create a passphrase to go with it, and we'll do that real quick here. When we do the passphrase, go ahead and confirm it.
And after you do this, redownload the recovery key. So make sure the passphrase matches the key. Okay, passphrase is created, so I'm going to redownload the key. Now there's two things we need. We need that passphrase I typed, and we need the key to decrypt these drives. But here's where the real downside, so to speak, is, but also the upside because of security. I've had people say this is inconvenient. Yes, it is. But the inconvenience is the system not having to worry about the system being physically removed from your building.
So here, my virtual FreeNAS is rebooting. And you're going to see what happens when we log back into it on a reboot. So the system's rebooted. It recognizes the volume's there, but the volume is locked. Now what this means is we need the key, but that's saved on the FreeNAS box, but we need that passphrase in addition to it so that we can unlock it. So with the keys already in there, every time we boot the machine, and this happens every time I boot my FreeNAS machine, I have to put in the password.
Now the nice thing is it automatically offers to restart all the services on the system. So for the services to be restarted, no problem. You can choose if you don't want them to restart, but generally you do, because when the services, and for me, for example, iSCSI starts for my virtual machines that are running on Xen, that iSCSI starts but has no files, so all these services give some errors. Sometimes when you're booting up FreeNAS, you'll see the services fail on errors because they don't have a drive to see any files on.
So by hitting OK, type in a password, it should unlock them all. You got to type the password right. That's an important part. So unlock. You just get a quick fail if the password is typed wrong, and you can see it pausing longer here when you're decrypting because it runs through all the services that need to be restarted. It may take a little longer when you're actually typing the right password.
The error that pops up, I've seen it come up on mine. I've seen it happen once or twice, and this is only since FreeNAS 11. It works perfectly fine. I haven't submitted a bug report yet on errors. I'm trying to get it reproduced consistently. But if you do see the error and you're running FreeNAS 11.1 as of December 24th, 2017, it's kind of inconsistent. But when it comes up, everything works fine. It just doesn't display right. It says an error occurred up here. But the drives decrypt perfectly fine in all the data. So I haven't had any issues. It's some type of scripting error, I think, with one of the services that's restarting. I haven't had a chance to debug it. But just so you know, I've seen it too. I left it in the video for that reason, because I planned to file a bug report and you may go, hey, what's that error message? I don't know right now. Haven't had time to research it. But I can tell you that it hasn't caused any drama for me.
So here we have the test. There's some data on it, everything's back to normal. And the services are restarted and all my data is here. Now, like I said, this is the better way to do it in terms of being able to have encryption and not worry about if someone physically removed it from your building or house or wherever you have it and took it. They would not be able to, unless you have that passphrase somewhere, recover your data.
The next question is, how do I restore a volume? So I'll just run through this real quick. We're gonna go ahead and detach the volume, but not destroy it. So let's say we wanted to move the volume to another system. So we're gonna say, yes, go ahead and detach it. Then we'll go over here. You can see in this directory, the key's gone. Nothing's on this system. It is clean and I'm ready to import an encrypted volume. So we're gonna go to import volume. So is it encrypted? Yes, hit okay. Then we choose the key file, we choose the disk. Then we gotta put in the passphrase.
Hopefully put in the right passphrase. Passphrase worked, we confirm what volume we're doing. There's only one on there. And our test volume with encryption has been re-imported. So if something were to happen to the thumb drive, as long as I have that key and I have the passphrase, which is in my head, we're good, we can do it. Now you can do it with just the key if you didn't have a passphrase.
And you can also remove the passphrase. So if we go back over here to change passphrase, put in the admin password and just check the remove passphrase box, we can remove the passphrase off of this if we wanted to. So it's a thing that you can add to the system if you want to, but you can also remove it if you plan to reboot it 20 times during setup and not have to worry about typing it each time when you're going, okay, I need to reboot this. Or if, for whatever reason, you feel confident that no one would physically take the machine, you can remove it. But you know, if you're going away for the weekend and you wanted to put it on there, you can do this at will. But each time you do this, make sure you download that key, because it's gonna update the key.
So that was it in a nutshell. It's not too difficult as long as you know that you have to back up these keys here and download the key whenever you change it. So as your backup procedure, make sure you're getting that key file too and saving it somewhere secure. That's just really important. So hopefully this was helpful, and hopefully this saves you from an incident at some point of, oh, I had to replace my thumb drive because it went bad and where's that key I need? I thought I could just restore the backup config.
All right, if you like the content here, like and subscribe. If I got something wrong, let me know. If I got it right, thumbs up, and leave some comments below if you've got questions on this or if I didn't cover something very well. Thank you very much.
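An added example, not part of the video: a POSIX shell check that the off-box copy of each GELI key file still matches the one on the FreeNAS box, since the config backup does not contain the key and the key has to be downloaded again after each passphrase change. The `.key` suffix, the single key directory and both directory arguments are assumptions.

```shell
#!/bin/sh
# Added example: report GELI key files whose backup copy is missing or stale.
# Assumptions: key files end in .key and sit in one directory (the video shows
# the key under /data/geli); the backup directory is wherever you keep copies.

# check_key_backups KEY_DIR BACKUP_DIR
# Prints one line per key file: OK, STALE or MISSING, followed by its name.
# Returns 0 only when every key has a byte-identical backup copy.
check_key_backups() {
    key_dir=$1
    backup_dir=$2
    rc=0
    found=0
    for key in "$key_dir"/*.key; do
        [ -f "$key" ] || continue        # glob matched nothing
        found=1
        name=$(basename "$key")
        copy="$backup_dir/$name"
        if [ ! -f "$copy" ]; then
            echo "MISSING $name"         # key was never backed up
            rc=1
        elif ! cmp -s "$key" "$copy"; then
            echo "STALE $name"           # key changed after the last download
            rc=1
        else
            echo "OK $name"
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "NOKEYS $key_dir"           # wrong directory, or nothing to check
        rc=1
    fi
    return "$rc"
}

# Run as: sh check_keys.sh /data/geli /path/to/key-backups
# (the script name and the backup path are hypothetical)
if [ "$#" -eq 2 ]; then
    check_key_backups "$1" "$2"
fi
```

A non-zero exit status means at least one key would be unrecoverable from the backup. The backup directory needs the same protection as the key itself, because without a passphrase the key file alone unlocks the drives.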