How to encrypt new dataset in unencrypted pool?

bluebaz

Cadet
Joined
Nov 1, 2021
Messages
9
I'm using TrueNAS Core version TrueNAS-12.0-U6 and I want to create a new encrypted dataset, but I don't see an encryption option as shown in the user guide on this page: https://www.truenas.com/docs/core/storage/pools/storageencryption/#encrypting-a-new-dataset

My Add Dataset page looks like this. Do I need to switch it on somewhere?

2021-11-01_20-35-25.jpg


Thanks.
 

Samuel Tai

Never underestimate your own stupidity
Moderator
Joined
Apr 24, 2020
Messages
5,399
Click the Advanced Options button.
 

bluebaz

Cadet
Joined
Nov 1, 2021
Messages
9
Joined
Oct 22, 2019
Messages
3,641

bluebaz

Cadet
Joined
Nov 1, 2021
Messages
9
> Is this a pool from FreeNAS 11 or earlier, in which you are using GELI encryption for the underlying block devices?
>
> ---
>
> EDIT: I'd also highly recommend you switch Checksum to On for all newly created datasets. TrueNAS 12.0-U6 introduced a bug that will be fixed in U6.1 or U7.
>
> (Since you're not using Deduplication.)
>
> Reference: https://www.truenas.com/community/threads/new-checksum-default-when-did-this-happen.96142/

I did upgrade from FreeNAS 11, yes. I've never configured encryption before on this device.
 

bluebaz

Cadet
Joined
Nov 1, 2021
Messages
9
Actually I just checked the pool and it says Legacy Encryption, so maybe I did, I don't know.

1635800863907.png
 
Joined
Oct 22, 2019
Messages
3,641
> Actually I just checked the pool and it says Legacy Encryption, so maybe I did, I don't know.

That's why. You can't enable native ZFS encryption for newly created datasets on this pool using the TrueNAS GUI.

("Legacy" Encryption in the world of TrueNAS is referring to GELI.)
 

bluebaz

Cadet
Joined
Nov 1, 2021
Messages
9
> That's why. You won't be able to use native ZFS encryption on this pool using the TrueNAS GUI.
>
> ("Legacy" Encryption in the world of TrueNAS is referring to GELI.)

OK, thanks. Is there a way to put sensitive stuff on a dataset on my TrueNAS?
 
Joined
Oct 22, 2019
Messages
3,641
Your data is already being stored encrypted (GELI). If the drives are removed, no one will even be able to import your pool at all, since the underlying block devices (partitions/drives) are encrypted.

This assumes no one will have access to the keyfile and/or passphrase (whichever is applicable in your situation.)

---

EDIT: Since you forgot that you encrypted your device with GELI, I'd be extra cautious and make sure you made a copy of the keyfile (by exporting it and keeping it safe), and if you also added a passphrase, that is something you must remember as well. You can also export a secondary "recovery" keyfile.
 

Arwen

MVP
Joined
May 17, 2014
Messages
3,611
Even if you get rid of GELI encryption, you might not have the ZFS feature for encryption on that pool enabled. For example:
```
# zpool get feature@encryption rpool
NAME   PROPERTY            VALUE     SOURCE
rpool  feature@encryption  disabled  local
```
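
The two conditions raised in this thread (GELI-backed "Legacy Encryption" vdevs, and the `feature@encryption` pool flag) can both be read from `zpool` output. The script below is an added example, not part of the original posts; its function names, result labels and sample outputs are constructed for illustration, and it assumes GELI providers show up in `zpool status` with FreeBSD's `.eli` suffix.

```shell
#!/bin/sh
# Added example (not from the thread). All sample outputs below are constructed.

# Read `zpool get feature@encryption POOL` output on stdin and print the
# feature state (disabled, enabled or active); "unknown" if the row is absent.
encryption_feature_state() {
    awk '$2 == "feature@encryption" { print $3; f = 1 }
         END { if (!f) print "unknown" }'
}

# Succeed if `zpool status POOL` output on stdin lists a GELI provider
# (assumption: attached GELI devices carry a ".eli" suffix).
uses_geli() {
    awk '$1 ~ /\.eli$/ { f = 1 } END { exit !f }'
}

# classify STATUS_TEXT GET_TEXT
# prints: legacy-geli | feature-disabled | feature-enabled | unknown
classify() {
    if printf '%s\n' "$1" | uses_geli; then
        echo legacy-geli    # block-device encryption; GUI offers no dataset option
        return
    fi
    case $(printf '%s\n' "$2" | encryption_feature_state) in
        disabled)       echo feature-disabled ;;
        enabled|active) echo feature-enabled ;;
        *)              echo unknown ;;
    esac
}

# Live use on the NAS itself (needs the zpool command): check_pool tank
check_pool() {
    classify "$(zpool status "$1")" "$(zpool get feature@encryption "$1")"
}

# Constructed sample data so the script runs offline.
GELI_STATUS='  pool: tank
config:
    NAME                 STATE   READ WRITE CKSUM
    tank                 ONLINE     0     0     0
      gptid/aaaa-01.eli  ONLINE     0     0     0'
PLAIN_STATUS='  pool: tank
config:
    NAME      STATE   READ WRITE CKSUM
    tank      ONLINE     0     0     0
      ada0p2  ONLINE     0     0     0'
FEATURE_OFF='NAME  PROPERTY            VALUE     SOURCE
tank  feature@encryption  disabled  local'
FEATURE_ON='NAME  PROPERTY            VALUE     SOURCE
tank  feature@encryption  enabled   local'

classify "$GELI_STATUS"  "$FEATURE_OFF"
classify "$PLAIN_STATUS" "$FEATURE_OFF"
classify "$PLAIN_STATUS" "$FEATURE_ON"
```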
 