
Encryption Settings


Last Modified 2022-12-09 08:45 -0500

Encrypted datasets (root, non-root parent, and child datasets) and encrypted zvols include the ZFS Encryption widget in the set of dataset widgets displayed on the Datasets screen.

[Screenshot: Datasets tree table with lock icons]

The Datasets tree table includes lock icons and descriptions that indicate the encryption state of datasets.

Locked icon (DatasetLockedEncryptionIcon): displays for locked encrypted root, non-root parent, and child datasets.
Unlocked icon (DatasetUnlockedEncryptionIcon): displays for unlocked encrypted root, non-root parent, and child datasets.
Locked by ancestor icon (DatasetLockedByAncestorEncryptionIcon): displays for locked datasets that inherit encryption properties from the parent.
Unlocked by ancestor icon (DatasetUnlockedbyAncestorEncryptIcon): displays for unlocked datasets that inherit encryption properties from the parent.

Pool Encryption

The Encryption option on the Pool Manager screen sets encryption for the pool and root dataset. The Download Encryption Key warning window displays when you create the pool. It downloads a JSON file to your downloads folder.

[Screenshot: Download Encryption Key warning window]

All datasets created in an encrypted pool have encryption. You cannot create an unencrypted dataset in an encrypted pool.

All pool-level encryption is key-based encryption. You cannot use passphrase encryption at the pool/root level.

Keep the key file in a secure location where you can back it up and keep it protected. If you lose the encryption key, you cannot unlock the pool, and that can result in unrecoverable data.

Export Key Options

The ZFS Encryption widget for root datasets with encryption includes the Export All Keys and Export Key options but does not include the Lock option.

If a dataset is encrypted using a key, the ZFS Encryption widget for that dataset includes the Export Key option.

Export All Keys Dialog

Export All Keys opens a confirmation dialog with the Download Keys option that exports a JSON file of all encryption keys to the system download folder.

[Screenshot: Export All Keys dialog]

Export Key Dialog

Export Key opens a dialog with the key for the selected dataset and the Download Key option that exports a JSON file with the encryption key to your system download folder.

[Screenshot: Export Key dialog]
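A key file you cannot read back is not a backup. The script below is an added example, not TrueNAS code: it checks an exported key file before you rely on it, and compares an older export against a newer one so that a key file made obsolete by key regeneration is noticed. It assumes (the page does not document the file layout) that the export is a JSON object mapping each dataset name to its key as 64 hex characters, the 32-byte raw key size ZFS expects; the sample file and its defects are constructed.

```python
"""Check a TrueNAS "Export All Keys" JSON file before trusting it as a backup.

Added example, not TrueNAS code.  Assumption: the export is a JSON object of
dataset name -> hex-encoded 32-byte key (64 hex characters), which is the raw
key size ZFS uses for AES-256.  Sample contents below are constructed.
"""
import json
import re

HEX_KEY = re.compile(r"^[0-9a-fA-F]{64}$")  # 32 bytes, AES-256 key size

# Constructed sample of an exported key file; the values are placeholders,
# not real keys.  Two entries are deliberately malformed.
SAMPLE_KEY_FILE = json.dumps({
    "tank": "00" * 32,          # well-formed length, placeholder value
    "tank/home": "a1b2" * 16,   # well-formed length, placeholder value
    "tank/broken": "abc",       # constructed defect: far too short
    "tank/notes": "zz" * 32,    # constructed defect: not hexadecimal
})


def check_key_file(text, expected_datasets=()):
    """Return a report: datasets present, per-dataset problems, and any
    expected encrypted dataset that has no key in the file."""
    keys = json.loads(text)
    if not isinstance(keys, dict):
        raise ValueError("key file must be a JSON object of dataset -> key")
    problems = {}
    for dataset, key in keys.items():
        if not isinstance(key, str) or not HEX_KEY.match(key):
            problems[dataset] = "key is not 64 hex characters (32 bytes)"
    missing = sorted(set(expected_datasets) - set(keys))
    return {"datasets": sorted(keys), "problems": problems, "missing": missing}


def changed_keys(old_text, new_text):
    """Datasets whose key differs between an older export and a newer one.
    A regenerated key makes the older file useless for that dataset, so the
    old backup must be replaced, not kept alongside the new one."""
    old, new = json.loads(old_text), json.loads(new_text)
    return sorted(d for d in new if d in old and old[d] != new[d])


if __name__ == "__main__":
    report = check_key_file(SAMPLE_KEY_FILE, ["tank", "tank/home", "tank/archive"])
    for dataset, problem in report["problems"].items():
        print(f"{dataset}: {problem}")
    for dataset in report["missing"]:
        print(f"{dataset}: no key in this file")
```

Run the check against the file you just downloaded, passing the list of encrypted datasets shown in the Datasets tree, and treat any problem or missing entry as a reason to export again before the key file is filed away.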

Edit Encryption Options Window

Encryption type and options are set for a dataset when it is first created. Encryption settings are inherited from the root dataset, but you can choose to keep inheriting them or to change them for the dataset. The Edit Encryption Options for datasetname window displays the current encryption option settings for the selected encrypted dataset. It allows you to change the encryption type between key and passphrase, and the related settings.

The Edit Encryption Options for datasetname window opens with the current dataset encryption settings displayed. The encryption setting options are the same as those provided on the Add Dataset > Encryption Options.

[Screenshot: Edit Encryption Options window, Key encryption type]

Encryption Type: Select the type of encryption used to secure the dataset from the dropdown list. Select Key to use key-based encryption and display the Generate Key option. Select Passphrase to enter a user-defined passphrase to secure the dataset. This displays two additional Passphrase fields to enter and confirm the passphrase, and the pbkdf2iters field.
Generate key: Selected by default to have the system randomly generate an encryption key for securing this dataset. Clearing the checkbox displays the Key field and requires you to enter an encryption key you define. Warning! The encryption key is the only means to decrypt the information stored in this dataset. Store encryption keys in a secure location! Creating a new key file invalidates any previously downloaded key file for this dataset. Delete any previous key file backups and back up the new key file.
Key: Enter or paste a string to use as the encryption key for this dataset.
Algorithm: Displays for both key and passphrase encryption types. Select the encryption algorithm that determines how plaintext converts into ciphertext from the dropdown list of options. See Advanced Encryption Standard (AES) for more details.
Passphrase / Confirm Passphrase: Enter the alphanumeric string or phrase you want to use to secure the dataset.
pbkdf2iters: Enter the number of password-based key derivation function 2 (PBKDF2) iterations to use for reducing vulnerability to brute-force attacks. The number must be larger than 100000. See PBKDF2 for more details.
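What the pbkdf2iters minimum buys is a per-guess cost that an attacker who obtains the encrypted dataset has to pay for every passphrase candidate. The following added example, which is not TrueNAS or OpenZFS code, applies the same "larger than 100000" rule as the field, derives a key with PBKDF2, and times one derivation at different iteration counts so the cost difference is visible. It assumes PBKDF2-HMAC-SHA1 with a 32-byte output, which is my understanding of what OpenZFS uses for passphrase-wrapped keys; the salt handling and passphrases are constructed for illustration only.

```python
"""Show what the pbkdf2iters setting buys.

Added example, not TrueNAS or OpenZFS code.  Assumption: OpenZFS derives the
key-wrapping key from a passphrase with PBKDF2-HMAC-SHA1 and a 32-byte output.
The salt and passphrases here are constructed for illustration.
"""
import hashlib
import os
import time

MIN_ITERS = 100000  # the UI rule: the value must be larger than this


def iters_ok(iters):
    """Mirror the field's validation: 100000 itself is rejected."""
    return isinstance(iters, int) and iters > MIN_ITERS


def derive_wrapping_key(passphrase, salt, iters):
    """Derive the 32-byte wrapping key from a passphrase, enforcing the minimum."""
    if not iters_ok(iters):
        raise ValueError(f"pbkdf2iters must be larger than {MIN_ITERS}")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), salt, iters, dklen=32)


def seconds_per_guess(iters, salt=b"\x00" * 8, passphrase="constructed"):
    """Time one derivation: this is the cost an attacker pays per candidate.
    Bypasses the minimum on purpose so weak settings can be measured too."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha1", passphrase.encode(), salt, iters, dklen=32)
    return time.perf_counter() - start


if __name__ == "__main__":
    salt = os.urandom(8)
    key = derive_wrapping_key("correct horse battery staple", salt, 350000)
    print("wrapping key:", key.hex())
    for n in (1000, 100001, 350000):
        print(f"{n:>7} iterations: {seconds_per_guess(n):.4f} s per guess")
```

Multiply the per-guess time by the size of the candidate space your passphrase policy allows, and you have the order of magnitude of an offline attack's running time; raising the iteration count raises that figure linearly at the cost of a slower unlock.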

Lock Dataset Dialog

Lock displays on the ZFS Encryption widget of encrypted non-root parent and child datasets. An encrypted child that inherits encryption from a non-root parent does not see the Lock option on its ZFS Encryption widget because the lock state of that child dataset is controlled by the parent dataset. The locked icon for child datasets that inherit encryption is the locked by ancestor icon.

Lock opens the Lock Dataset confirmation dialog with the option to Force unmount and Lock the dataset. Force unmount disconnects any client system that is accessing the dataset via sharing protocol. Do not select this option unless you are certain the dataset is not used or accessed by a share, application, or other system services.

[Screenshot: Lock Dataset dialog]

After locking a dataset, the ZFS Encryption screen displays Locked as the Current State and adds the Unlock option.

Unlock Datasets Screen

Unlock displays on the ZFS Encryption widget of locked datasets, except child datasets that inherit encryption from the parent dataset. Unlock opens the Unlock Datasets screen, which allows you to unlock the selected dataset and its child datasets at the same time.

If you select a non-root parent dataset, the unlock screen includes two Dataset Passphrase fields for two datasets, the non-root parent and the child of that non-root parent, and the option to Unlock Child Encrypted Roots pre-selected.

[Screenshot: Unlock Datasets screen for a non-root parent dataset]

If you select a child dataset of the root dataset or of a non-root parent, the screen includes only the one Dataset Passphrase field, and the option to Unlock Child Encrypted Roots pre-selected.

[Screenshot: Unlock Datasets screen for a child dataset]

Unlock Child Encrypted Roots: Select to unlock any encrypted dataset stored within this dataset.
Dataset Passphrase / Dataset Key: Enter the user-defined string (passphrase) or the system-generated or user-created alphanumeric key you entered at the time you created the dataset.
Force: Select to add a force flag to the operation. In some cases the provided key or passphrase is valid, but the path where the dataset is supposed to be mounted after being unlocked already exists and is not empty. In this case, the unlock operation fails. Adding the force flag overrides this: when selected, the system renames the existing directory or file at the mount path and then unlocks the dataset.
Save: Starts the unlock process, fetches the data, and displays the Unlock Datasets dialog with the dataset mount path. Click Continue to unlock the dataset.
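The Force option addresses a specific failure mode: a valid key but a mount path that is already occupied by something non-empty. The following added example, not TrueNAS code, models that decision on a throwaway directory so the three outcomes (mount path free, conflict without force, rename with force) can be seen side by side. The "-premount-backup" rename suffix is constructed; the page does not document the name TrueNAS gives the renamed path.

```python
"""Model the unlock mount-path check behind the Force option.

Added example, not TrueNAS code.  The rename suffix is constructed; the page
does not document how TrueNAS names the renamed directory or file.
"""
import os
import tempfile


def prepare_mountpoint(path, force=False):
    """Decide whether a dataset can be mounted at `path`.

    Returns (status, renamed_to) where status is:
      'ok'       path is absent or an empty directory, mount can proceed
      'conflict' path exists and is not empty; without force, unlock fails
      'renamed'  force was set, the occupant was moved aside to renamed_to
    """
    if not os.path.exists(path) or (os.path.isdir(path) and not os.listdir(path)):
        return "ok", None
    if not force:
        return "conflict", None
    backup = f"{path}-premount-backup"  # constructed suffix
    n = 1
    while os.path.exists(backup):       # never overwrite an earlier backup
        n += 1
        backup = f"{path}-premount-backup.{n}"
    os.rename(path, backup)
    return "renamed", backup


def demo():
    """Walk through all three outcomes in a temporary directory."""
    with tempfile.TemporaryDirectory() as root:
        mnt = os.path.join(root, "tank_data")
        os.mkdir(mnt)
        empty = prepare_mountpoint(mnt)               # empty directory: ok
        # Something wrote into the mount path while the dataset was locked.
        with open(os.path.join(mnt, "stray.txt"), "w") as f:
            f.write("written while the dataset was locked\n")
        conflict = prepare_mountpoint(mnt)            # non-empty, no force
        renamed = prepare_mountpoint(mnt, force=True) # non-empty, force
        survived = os.path.exists(os.path.join(renamed[1], "stray.txt"))
        return empty[0], conflict[0], renamed[0], survived


if __name__ == "__main__":
    print(demo())
```

The point the demo makes for an operator is that the stray file survives the rename, which is why Force is safe to use but the renamed path still needs to be inspected afterwards: whatever wrote there while the dataset was locked was writing to the wrong place.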
