Encrypted pool with additional special-purpose VDEVs - what will be encrypted and what not?

djaoifj92i90

Dabbler
Joined
Oct 5, 2022
Messages
18
When I create a new pool, I can add additional VDEVs for these purposes:
  • Cache
  • Log
  • Hot Spare
  • Metadata
  • Dedup
Is there one type of device in the list where ZFS will not encrypt the data written to that specific special-purpose device?

Hot spare seems kind of self-explanatory - I suppose that this will of course only have data written on it after a data VDEV fails, and it will then of course be encrypted, too - is that correct?

Dedup does not store any data itself - only references to blocks, so I don't think the data on the dedup VDEV needs to be encrypted - correct?

Same goes for metadata maybe?

Log VDEVs will have user data written to them - so they should be encrypted, I hope? Same for cache VDEVs?

Are my assumptions correct - and if not - what is the actual behaviour?
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
You seem to be operating under the mistaken impression that everything gets encrypted. Nothing is encrypted unless you explicitly have it be encrypted.
 
Joined
Oct 22, 2019
Messages
3,641
Only datasets are assigned the property "encryption" at creation. An encrypted record ("block", "file") remains encrypted at rest, no matter what device it is stored on, regardless of whether it lives on a data vdev, special vdev, or has a copy on a cache vdev.

The same is true for non-encrypted, plain data.

The only time an encrypted file is in an unencrypted state is when it is held in RAM.

So you can only choose which datasets will use encryption. You cannot assign a particular vdev as "non-encrypted".
 
Joined
Oct 22, 2019
Messages
3,641
If you want to be able to mix encrypted and non-encrypted datasets, you should create the "pool" without enabling the encryption option.

This will allow you to create non-encrypted datasets in the lower nested levels, because TrueNAS now enforces that non-encrypted datasets need an upwards path (up the hierarchy) towards a non-encrypted root dataset. This is not a limitation of ZFS. It's a policy exclusive to TrueNAS.
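The two points made in the replies above (encryption is a per-dataset property, not a per-vdev one, and a non-encrypted dataset needs a non-encrypted path up to the root) can be checked from `zfs get` output. The following is an added example, not code from the thread or from TrueNAS; the pool name `tank`, the dataset names and the command output are constructed for illustration.

```python
"""Report which datasets carry encryption and find non-encrypted datasets
that sit below an encrypted ancestor (the layout the reply above says
TrueNAS refuses to create)."""

# Constructed sample of: zfs get -H -o name,value -r encryption tank
# (-H gives tab-separated output with no header)
SAMPLE_ZFS_OUTPUT = """\
tank\toff
tank/media\toff
tank/media/movies\toff
tank/secrets\taes-256-gcm
tank/secrets/docs\taes-256-gcm
tank/secrets/scratch\toff
"""


def parse_encryption(output):
    """Map dataset name -> True if its encryption property is anything but 'off'."""
    datasets = {}
    for line in output.splitlines():
        if not line.strip():
            continue
        name, value = line.split("\t", 1)
        datasets[name.strip()] = value.strip() != "off"
    return datasets


def encrypted_datasets(datasets):
    """Names of the datasets whose records are encrypted at rest, wherever stored."""
    return sorted(name for name, enc in datasets.items() if enc)


def ancestors(name):
    """All parent dataset names of 'a/b/c' -> ['a', 'a/b'] (the pool root first)."""
    parts = name.split("/")
    return ["/".join(parts[:i]) for i in range(1, len(parts))]


def policy_violations(datasets):
    """Non-encrypted datasets with no unencrypted path up to the root dataset,
    i.e. at least one ancestor is encrypted."""
    return sorted(
        name for name, enc in datasets.items()
        if not enc and any(datasets.get(a, False) for a in ancestors(name))
    )


if __name__ == "__main__":
    props = parse_encryption(SAMPLE_ZFS_OUTPUT)
    print("encrypted:", encrypted_datasets(props))
    print("violations:", policy_violations(props))
```

On a real system, replace the constructed string with the output of the `zfs get` command shown in the comment.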