TSF – Comprehensive IT solutions for SMB businesses | HCM

TrueNAS ZFS Encryption Explained – Protect Your Data the RIGHT Way

In this video, we explain how ZFS encryption works in TrueNAS.
You'll learn how dataset encryption and key management fit together.
ZFS encryption protects your data at rest from unauthorized access.
This tutorial is designed for sysadmins, homelab users, and NAS administrators.
We cover common use cases and best practices for enabling encryption safely.
You'll also learn the mistakes to avoid that could lock you out of your data permanently.
Understanding ZFS encryption is critical for secure NAS deployments.
Follow this guide to configure TrueNAS encryption with confidence.

1. Quick Understanding of ZFS Encryption on TrueNAS SCALE

 
• ZFS encryption is a dataset property that can only be set when CREATING the dataset.
• Encryption cannot be switched on for an existing dataset that already contains data. To encrypt such data, create a new encrypted dataset, copy or replicate the data into it, then delete the old dataset.
• Child datasets created under an encrypted dataset inherit its encryption and, by default, its key.
• There are two types of key management:
  o Passphrase (you type a password to unlock)
  o Key file (a randomly generated 256-bit key stored by TrueNAS, can auto-unlock)


1.1. ZFS Encryption primarily protects data when:

 
• A hard drive is removed
• The pool is moved to another machine
• The NAS is stolen

In other words, it protects data at rest. It does NOT protect data that is currently unlocked on a running server, and some metadata stays in the clear even on a locked dataset: dataset and snapshot names, the dataset hierarchy, property values, and file sizes are visible to anyone holding the disks.


1.2. Lock/Unlock dataset:

 
Locking a dataset unloads its key from memory and unmounts it. Use it to:
  o Take a dataset offline so its contents are not visible to the system
  o Prevent SMB/App/User access while it is not needed
• Locking is NOT a protection mechanism while the server is running and has already been compromised (root access): an attacker with root can read any unlocked dataset and can capture the passphrase the next time you unlock.


2. Creating a dataset with Encryption (the most standard)

 

Step 1: Go to Create dataset

Storage → Pools → select Pool → Add Dataset


Step 2: Configure Encryption

 
In the Encryption Options section:

Encryption → ON
Encryption Type:
  Passphrase (recommended for most users) or Key
Algorithm:
  Leave as default: AES-256-GCM (standard, secure, fast; it is authenticated encryption, so tampered data is detected on read instead of being silently returned)


Step 3: If you choose Passphrase

 
• Enter the passphrase
• Confirm it
SAVE THE PASSPHRASE EXTERNALLY (password manager, sealed envelope), never only on the NAS itself
→ Losing the passphrase = permanent data loss; there is no recovery or reset
A passphrase dataset is locked automatically every time TrueNAS reboots, so SMB shares and apps on it stay unavailable until someone unlocks it manually


3. Unlock / Lock dataset after creation

 

3.1. Unlock

GUI → Dataset → Unlock
• Enter the passphrase or upload the key file
• Check that the dataset now shows as unlocked (the OpenZFS property keystatus reads "available")


3.2. Lock

 
By default, a newly created encrypted dataset is unlocked (its key is already loaded), so you can use it immediately.

To lock the dataset:

GUI → Dataset → Lock

• The dataset is unmounted and its key is unloaded from memory
• It disappears from SMB/NFS/Apps until it is unlocked again
• Clients that were using it lose access, so lock only when nothing depends on it


4. If you choose Key for ZFS encryption (no manual Unlock needed)

 
A key is used for 2 main purposes:
  o Auto-unlock the dataset on THAT server (it stays unlocked across TrueNAS reboots)
  o Unlock the dataset when importing the pool on ANOTHER server

Case 1: Still on the original server (normal)
• Dataset: Encryption = Key
• TrueNAS generates a random key, stores it in its configuration database (on the boot device, separate from the pool) and loads it at boot
• Export (download) the key file right after creation and keep it somewhere safe off the NAS

Result:
• Boot NAS → dataset automatically unlocks
• NO manual locking
• SMB / Apps run normally
• Anyone who takes the whole server (data disks plus boot device with the configuration) can also unlock it, so this mode mainly protects against loss or theft of the data drives alone

Case 2: Transfer the drives to another server

Step 1: Connect the drives to the other server

• Pool detected
• Dataset:

  o In the LOCKED state
  o Cannot be mounted
Because:
• The new server DOES NOT have the key

Step 2: Import pool
Storage → Import Pool
• TrueNAS shows the dataset as locked and asks you to:

Upload the encryption key


Step 3: Upload the key (the file you exported earlier)

• After uploading the correct key:

  o Dataset UNLOCKED
  o Data can be read normally
NO key = data is lost. There is no reset and no vendor recovery.

Keep at least two copies of every exported key (or passphrase) outside the NAS, and treat the TrueNAS configuration backup as sensitive, because when exported with the password secret seed it contains the stored keys.
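The OpenZFS commands behind the GUI steps in sections 2 to 4, as an added example that is not part of the original page and not TrueNAS's own tooling. The pool name tank, the dataset names tank/secret and tank/vault, and the key file path are assumptions. On a real TrueNAS system prefer the GUI or API for datasets the middleware should track (it only auto-loads keys it created); the functions below execute zfs when it is present and otherwise print the command they would run, so the procedure can be read and exercised on any machine.

```shell
#!/bin/sh
# Added example, not from the original page: OpenZFS equivalents of the GUI
# steps above. Dataset names and file paths are assumptions.
set -u

# Run zfs if it is installed and dry run is not forced; otherwise print the
# command, so the procedure can be followed on a machine without ZFS.
zfs_cmd() {
    if command -v zfs >/dev/null 2>&1 && [ "${ZFS_DRY_RUN:-0}" = "0" ]; then
        zfs "$@"
    else
        printf 'zfs'; printf ' %s' "$@"; printf '\n'
    fi
}

# Section 4: generate a raw 256-bit key as 64 lowercase hex characters
# (OpenZFS keyformat=hex). Written with mode 0600 so other users cannot read it.
gen_hex_key() {            # $1 = output file
    ( umask 077; od -An -tx1 -N32 /dev/urandom | tr -d ' \n' > "$1" )
}

# Sanity-check a key file before pointing keylocation at it: exactly 64 hex
# characters and nothing else. A truncated or edited key file would otherwise
# make load-key fail on the other server, which looks like "data is lost".
check_hex_key() {          # $1 = key file; returns 0 if valid
    [ -f "$1" ] || return 1
    key=$(tr -d '\n' < "$1")
    [ "${#key}" -eq 64 ] || return 1
    case "$key" in *[!0-9a-f]*) return 1 ;; esac
    return 0
}

# Section 2, steps 2 and 3: passphrase dataset. keylocation=prompt means the
# passphrase is never stored, so the dataset comes up locked after a reboot.
create_passphrase_dataset() {   # $1 = pool/dataset
    zfs_cmd create -o encryption=aes-256-gcm -o keyformat=passphrase \
        -o keylocation=prompt "$1"
}

# Section 4, case 1: key-file dataset. The key is read from the file by
# zfs load-key, so nobody has to type anything.
create_keyfile_dataset() {      # $1 = pool/dataset, $2 = key file
    zfs_cmd create -o encryption=aes-256-gcm -o keyformat=hex \
        -o keylocation="file://$2" "$1"
}

# Section 3.2: lock = unmount, then unload the key from memory.
lock_dataset() {                # $1 = pool/dataset
    zfs_cmd unmount "$1" && zfs_cmd unload-key "$1"
}

# Section 3.1 and section 4 case 2: unlock = load the key, then mount.
# With a second argument the key is read from that file (the exported key
# on a second server), overriding the dataset's stored keylocation.
unlock_dataset() {              # $1 = pool/dataset, $2 = optional key file
    if [ -n "${2:-}" ]; then
        zfs_cmd load-key -L "file://$2" "$1"
    else
        zfs_cmd load-key "$1"
    fi
    zfs_cmd mount "$1"
}

# Check the result: keystatus is "available" when unlocked and "unavailable"
# when locked; encryptionroot names the dataset whose key governs this one.
show_state() {                  # $1 = pool/dataset
    zfs_cmd get -H -o name,property,value \
        encryption,keyformat,keylocation,keystatus,encryptionroot "$1"
}

# Walk-through on the hypothetical pool "tank"; run as: sh zfs-enc.sh demo
if [ "${1:-}" = "demo" ]; then
    keyfile=${TMPDIR:-/tmp}/tank-secret.key
    gen_hex_key "$keyfile"
    check_hex_key "$keyfile" || { echo "bad key file" >&2; exit 1; }
    create_keyfile_dataset tank/secret "$keyfile"
    create_passphrase_dataset tank/vault
    lock_dataset tank/vault
    unlock_dataset tank/vault
    unlock_dataset tank/secret "$keyfile"   # what the second server does
    show_state tank/secret
fi
```

The check_hex_key step is the one people skip: verify the exported key before you need it on another server, and store the verified copy off the NAS.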
