TrueNAS Questions

JTT0

Hey all, I have some open questions that are keeping me from jumping to the TrueNAS 12 train at this time. Can you please assist?

Notes:
- Data (including time to recover) is highly important to me, and some issues seen on upgrades in the 11.x train that caused some to lose their data have kept me from upgrading for some time now (mostly due to me lacking a full and proper backup solution). With a new backup strategy, I am finally moving forward.
- I am currently moving from a single FreeNAS 11 server in RaidZ3 to two FreeNAS/TrueNAS servers running "mirrored pairs" on the primary and striped RAIDZ2 on the backup with ZFS send/receive between them. I will also have a "cold storage" striped pool where the backup syncs to it when attached. This gives me three complete copies of my data before even discussing cloud backups of photos, etc.

1) How stable is the encryption on TrueNAS 12?
2) Given the loss of GELI as an FDE system, are we losing a level of privacy by exposing the generic data on the drive to access the ZFS encrypted pools? How will the encryption keys, etc. be stored and can they be accessed remotely? Will it now be possible to decrypt the data if the server were stolen?
3) If using one pool, that is encrypted, are the drives still "connect and sell" ready or do we need to properly wipe them now to remove private data?
4) Since I am retrofitting my data strategy, and I currently use GELI encryption, I am leaning toward starting with TrueNAS 12 on the BETA release rather than FreeNAS 11.3 and going through the migration to ZFS Encryption in October/November. Is this a good decision?
5a) With my three-system backup strategy, how does this work for the encryption keys? Given that the data is now sent encrypted, there would be one set of keys for the same data copies? Also, is this transmission now properly encrypted so no snooping on the wire is allowed? Not terribly relevant in a home situation but I like to know what's happening behind the scenes.
5b) If I desired to have separate encryption keys on each system, is there a way to ZFS send the data with the primary encryption keys (rather not send in the clear) then have the backup decrypt and re-encrypt? The main benefit this would provide is the ability to have "n" chances of data recovery if one set of keys were lost, etc.

Normally, I would wait until a FreeNAS U1 release (now TrueNAS RELEASE) but given the timing of my new system and the enhanced quality passes on TrueNAS I am more open to jumping on early for this current release before I go back to my safer approach.

Thanks for the help!
 