6. System

The System section of the web interface contains these entries:

  • General configures general settings such as HTTPS access, the language, and the timezone
  • NTP Servers adds, edits, and deletes Network Time Protocol servers
  • Boot Environments creates, renames, and deletes boot environments. It also shows the condition of the Boot Pool.
  • Advanced configures advanced settings such as the serial console, swap space, and console messages
  • Email configures the email address to receive notifications
  • System Dataset configures the location where logs and reporting graphs are stored
  • Alert Services configures services used to notify the administrator about system events.
  • Alert Settings lists the available Alert conditions and provides configuration of the notification frequency for each alert.
  • Cloud Credentials is used to enter connection credentials for remote cloud service providers
  • Tunables provides a front-end for tuning the system in real time and for loading additional kernel modules at boot time
  • Update performs upgrades and checks for system updates
  • CAs: import or create internal or intermediate CAs (Certificate Authorities)
  • Certificates: import existing certificates or create self-signed certificates
  • Support: report a bug or request a new feature.

Each of these is described in more detail in this section.

6.1. General

System ➞ General is shown in Figure 6.1.1.


Fig. 6.1.1 General Screen

Table 6.1.1 summarizes the configurable settings in the General tab:

Table 6.1.1 General Configuration Settings
| Setting | Value | Description |
|---|---|---|
| Protocol | drop-down menu | Set the web protocol to use when connecting to the web interface from a browser. To change the default HTTP to HTTPS or to HTTP+HTTPS, select a certificate in GUI SSL Certificate. If there are no certificates, create a CA then a certificate. |
| WebGUI IPv4 Address | drop-down menu | Choose a recent IP address to limit the usage when accessing the web interface. The built-in HTTP server binds to the wildcard address (any address) and issues an alert if the specified address becomes unavailable. |
| WebGUI IPv6 Address | drop-down menu | Choose a recent IPv6 address to limit the usage when accessing the web interface. The built-in HTTP server binds to any address and issues an alert if the specified address becomes unavailable. |
| WebGUI HTTP Port | integer | Allow configuring a non-standard port for accessing the web interface over HTTP. Changing this setting can also require changing a Firefox configuration setting. |
| WebGUI HTTPS Port | integer | Allow configuring a non-standard port for accessing the web interface over HTTPS. |
| GUI SSL Certificate | drop-down menu | Required for HTTPS. Browse to the location of the certificate to use for encrypted connections. |
| WebGUI HTTP -> HTTPS Redirect | checkbox | Set to redirect HTTP connections to HTTPS. HTTPS must be selected in Protocol. |
| Language | drop-down menu | Select a language. View the status of a language in the webui GitHub repository. Refer to Contributing to FreeNAS® for more information about supported languages. |
| Console Keyboard Map | drop-down menu | Select a keyboard layout. |
| Timezone | drop-down menu | Select a timezone. |
| Syslog level | drop-down menu | When Syslog server is defined, only logs matching this level are sent. |
| Syslog server | string | Select an IP address_or_hostname:optional_port_number to send logs to. Set to write log entries to both the console and the remote server. |

After making any changes, click the SAVE button.

This screen also contains these buttons:

Save Config: save a backup copy of the current configuration database in the format hostname-version-architecture to the computer accessing the web interface. Saving the configuration after making any configuration changes is highly recommended. FreeNAS® automatically backs up the configuration database to the system dataset every morning at 3:45. However, this backup does not occur if the system is shut down at that time. If the system dataset is stored on the boot pool and the boot pool becomes unavailable, the backup will also not be available. The location of the system dataset can be viewed or set using System ➞ System Dataset.


SSH keys are not stored in the configuration database and must be backed up separately. System host keys are files with names beginning with ssh_host_ in /usr/local/etc/ssh/. The root user keys are stored in /root/.ssh.

There are two types of passwords. User account passwords for the base operating system are stored as hashed values, do not need to be encrypted to be secure, and are saved in the system configuration backup. Other passwords, like iSCSI CHAP passwords, Active Directory bind credentials, and cloud credentials are stored in an encrypted form to prevent them from being visible as plain text in the saved system configuration. The key or seed for this encryption is normally stored only on the operating system device. When Save Config is chosen, a dialog gives the option to Export Password Secret Seed with the saved configuration, allowing the configuration file to be restored to a different operating system device where the decryption seed is not already present. Configuration backups containing the seed must be physically secured to prevent decryption of passwords and unauthorized access.


The Include Password Secret Seed option is off by default and should only be used when making a configuration backup that will be stored securely. After moving a configuration to new hardware, media containing a configuration backup with a decryption seed should be securely erased before reuse.

Upload Config: allows browsing to the location of a previously saved configuration file to restore that configuration.

Reset Config: reset the configuration database to the default base version. This does not delete user SSH keys or any other data stored in a user home directory. Since configuration changes stored in the configuration database are erased, this option is useful when a mistake has been made or to return a test system to the original configuration.

6.2. NTP Servers

The network time protocol (NTP) is used to synchronize the time on the computers in a network. Accurate time is necessary for the successful operation of time sensitive applications such as Active Directory or other directory services. By default, FreeNAS® is pre-configured to use three public NTP servers. If the network is using a directory service, ensure that the FreeNAS® system and the server running the directory service have been configured to use the same NTP servers.

Available NTP servers can be found at https://support.ntp.org/bin/view/Servers/NTPPoolServers. For time accuracy, choose NTP servers that are geographically close to the physical location of the FreeNAS® system.

Click System ➞ NTP Servers and ADD to add an NTP server. Figure 6.2.1 shows the configuration options. Table 6.2.1 summarizes the options available when adding or editing an NTP server. ntp.conf(5) explains these options in more detail.


Fig. 6.2.1 Add an NTP Server

Table 6.2.1 NTP Servers Configuration Options
| Setting | Value | Description |
|---|---|---|
| Address | string | Enter the hostname or IP address of the NTP server. |
| Burst | checkbox | Recommended when Max. Poll is greater than 10. Only use on personal servers. Do not use with a public NTP server. |
| IBurst | checkbox | Speed up the initial synchronization, taking seconds rather than minutes. |
| Prefer | checkbox | This option is only recommended for highly accurate NTP servers, such as those with time monitoring hardware. |
| Min. Poll | integer | Minimum polling time in seconds. Must be a power of 2, and cannot be lower than 4 or higher than Max. Poll. |
| Max. Poll | integer | Maximum polling time in seconds. Must be a power of 2, and cannot be higher than 17 or lower than Min. Poll. |
| Force | checkbox | Force the addition of the NTP server, even if it is currently unreachable. |

6.3. Boot Environments

FreeNAS® supports a ZFS feature known as multiple boot environments. With multiple boot environments, the process of updating the operating system becomes a low-risk operation. The updater automatically creates a snapshot of the current boot environment and adds it to the boot menu before applying the update.

If an update fails, reboot the system and select the previous boot environment, using the instructions in If Something Goes Wrong, to instruct the system to go back to that system state.


Boot environments are separate from the configuration database. Boot environments are a snapshot of the operating system at a specified time. When a FreeNAS® system boots, it loads the specified boot environment, or operating system, then reads the configuration database to load the current configuration values. If the intent is to make configuration changes rather than operating system changes, make a backup of the configuration database first using System ➞ General ➞ SAVE CONFIG.

As seen in Figure 6.3.1, FreeNAS® displays the condition and statistics of the Boot Pool. It also shows the two boot environments that are created when FreeNAS® is installed. The system will boot into the default boot environment and users can make their changes and update from this version. The Initial-Install boot environment can be booted into if the system needs to be returned to a non-configured version of the installation.


Fig. 6.3.1 Viewing Boot Environments

Each boot environment entry contains this information:

  • Name: the name of the boot entry as it will appear in the boot menu.
  • Active: indicates which entry will boot by default if the user does not select another entry in the boot menu.
  • Created: indicates the date and time the boot entry was created.
  • Space: displays the size of the boot environment.
  • Keep: indicates whether or not this boot environment can be pruned if an update does not have enough space to proceed. Click  (Options) and Keep for an entry if that boot environment should not be automatically pruned.

Click  (Options) on an entry to see these configuration buttons:

  • Delete: used to delete the highlighted entry, which also removes that entry from the boot menu. Since an activated entry cannot be deleted, this button does not appear for the active boot environment. To delete an entry that is currently activated, first activate another entry, which will clear the On reboot field of the currently activated entry. Note that this button does not appear for the default boot environment as this entry is needed to return the system to the original installation state.
  • Clone: makes a new boot environment from the selected boot environment.
  • Rename: used to change the name of the boot environment.
  • Activate: only appears on entries which are not currently set to Active. Changes the selected entry to the default boot entry on next boot. The status changes to Reboot and the current Active entry changes from Now/Reboot to Now, indicating that it was used on the last boot but will not be used on the next boot.
  • Keep: used to toggle whether or not the updater can prune (automatically delete) this boot environment if there is not enough space to proceed with the update.

There are also other options available.

  • Create: makes a new boot environment from the active environment. The active boot environment contains the text Now/Reboot in the Active column. Only alphanumeric characters, underscores, and dashes are allowed in the name.
  • Scrub: Scrub Boot Pool is used to perform a manual scrub of the operating system device. By default, the operating system device is scrubbed every 7 days. To change the default interval, change the number in the Automatic scrub interval (in days) field of the Boot Environments screen. The date and results of the last scrub are also listed in this screen. The condition of the operating system device should be listed as HEALTHY.
  • Status: click Boot Pool Status to see the status of the operating system device. Figure 6.3.2 shows only one operating system device, which is ONLINE.


Using Clone to clone the active boot environment functions the same as using Create.


Fig. 6.3.2 Viewing the Status of the Operating System Device

If the system has a mirrored boot pool, there will be a Detach option in addition to the Replace option. To remove a device from the boot pool, click  (Options) for the device and click Detach. Alternately, if one of the operating system devices has an OFFLINE Status, click the device to replace, then click Replace to rebuild the boot mirror.

Note that the operating system device cannot be replaced if it is the only operating system device because it contains the operating system itself.

6.3.1. Mirroring the Operating System Device

If the system is currently booting from a single operating system device, another device can be added to create a mirrored operating system device. If one device in a mirror fails, the remaining device can still be used to boot the system.


When adding another operating system device for a mirror, the new device must have at least the same capacity as the existing operating system device. Larger capacity devices can be added, but the mirror will only have the capacity of the smallest device. Different models of devices which advertise the same nominal size are not necessarily the same actual size. For this reason, adding another of the same model of operating system device is recommended.

In the example shown in Figure 6.3.3, the user has gone to System ➞ Boot Environments, and clicked the BOOT POOL STATUS button to display the current status of the operating system device. As shown in Figure 6.3.2, the freenas-boot pool is made of a single device, ada0p2. There is only one disk, indicated by the word stripe. To create a mirrored operating system device, click  (Options) then attach. If another device is available, it appears in the Member disk drop-down menu. Select the desired device.

The Use all disk space option gives control of how much of the new device is made available to ZFS. The new device is partitioned to the same size as the existing device by default. Select Use all disk space to use all available space on the new device. If either device in the mirror fails, it can be replaced with another of the same size as the original operating system device.

When Use all disk space is enabled, the entire capacity of the new device is used. If the original operating system device fails and is removed, the boot mirror will consist of just the newer drive, and will grow to whatever capacity it provides. However, new devices added to this mirror must now be as large as the new capacity.

Click SAVE to attach the new disk to the mirror.


Fig. 6.3.3 Mirroring an Operating System Device

After the mirror is created, the Boot Pool Status screen indicates that it is now a mirror. The number of devices in the mirror is shown as in Figure 6.3.4.


Fig. 6.3.4 Viewing the Status of a Mirrored Operating System Device

6.4. Advanced

System ➞ Advanced is shown in Figure 6.4.1. The configurable settings are summarized in Table 6.4.1.


Fig. 6.4.1 Advanced Screen

Table 6.4.1 Advanced Configuration Settings
| Setting | Value | Description |
|---|---|---|
| Show Text Console without Password Prompt | checkbox | Set for the system to immediately display the text console after booting. Unset to require logging into the system before the console menu is shown. |
| Enable Serial Console | checkbox | Do not enable this option if the serial port is disabled. Adds the Serial Port and Serial Speed fields. |
| Serial Port | string | Select the serial port address in hex. |
| Serial Speed | drop-down menu | Select the speed in bps used by the serial port. |
| Swap size in GiB | non-zero number | By default, all data disks are created with this amount of swap. This setting does not affect log or cache devices as they are created without swap. Setting to 0 disables swap creation completely. This is strongly discouraged. |
| Enable autotune | checkbox | Enable the Autotune script which attempts to optimize the system based on the installed hardware. Warning: Autotuning is only used as a temporary measure and is not a permanent fix for system hardware issues. |
| Enable Debug Kernel | checkbox | Use a debug version of the kernel on the next boot. |
| Show console messages | checkbox | Set to display console messages in real time at bottom of browser. Click the console to bring up a scrollable screen. Enable the Stop refresh option in the scrollable screen to pause updating and deselect the option to continue to watch the messages as they occur. |
| MOTD banner | string | This message is shown when a user logs in with SSH. |
| Show tracebacks in case of fatal error | checkbox | Open a pop-up window of diagnostic information if a fatal error occurs. |
| Show advanced fields by default | checkbox | Show Advanced Mode fields by default. |
| Periodic Notification User | drop-down menu | Choose a user to receive security output emails. This output runs nightly, but only sends email when the system reboots or encounters an error. |
| Remote Graphite Server Hostname | string | IP address or hostname of a remote server running Graphite. |
| Use FQDN for logging | checkbox | Include the Fully-Qualified Domain Name (FQDN) in logs to precisely identify systems with similar hostnames. |
| Report CPU usage in percentage | checkbox | Display CPU usage as percentages in Reporting. |
| ATA Security User | drop-down menu | User passed to camcontrol security -u for unlocking SEDs. Values are User or Master. |
| SED Password | string | Global password used to unlock Self-Encrypting Drives. |
| Reset SED Password | checkbox | Select to clear the Password for SED column of Storage ➞ Disks. |

Click the SAVE button after making any changes.

This tab also contains this button:

SAVE DEBUG: used to generate text files that contain diagnostic information. After the debug data is collected, the system prompts for a location to save the compressed .tgz file.

6.4.1. Autotune

FreeNAS® provides an autotune script which optimizes the system depending on the installed hardware. For example, if a pool exists on a system with limited RAM, the autotune script automatically adjusts some ZFS sysctl values in an attempt to minimize memory starvation issues. It should only be used as a temporary measure on a system that hangs until the underlying hardware issue is addressed by adding more RAM. Autotune will always slow such a system, as it caps the ARC.

The Enable autotune option in System ➞ Advanced is off by default. Enable this option to run the autotuner at boot. To run the script immediately, reboot the system.

If the autotune script adjusts any settings, the changed values appear in System ➞ Tunables. These values can be modified and overridden. Note that deleting tunables that were created by autotune only affects the current session, as autotune-set tunables are recreated at boot.

When attempting to increase the performance of the FreeNAS® system, and particularly when the current hardware may be limiting performance, try enabling autotune.

For those who wish to see which checks are performed, the autotune script is located in /usr/local/bin/autotune.

6.4.2. Self-Encrypting Drives

FreeNAS® version 11.1-U5 introduced Self-Encrypting Drive (SED) support.

These SED specifications are supported:

  • Legacy interface for older ATA devices. Not recommended for security-critical environments

  • TCG Opal 1 legacy specification

  • TCG OPAL 2 standard for newer consumer-grade devices

  • TCG Opalite is a reduced form of OPAL 2

  • TCG Pyrite Version 1 and Version 2 are similar to Opalite, but hardware encryption is removed. Pyrite provides a logical equivalent of the legacy ATA security for non-ATA devices. Only the drive firmware is used to protect the device.


    Pyrite Version 1 SEDs do not have PSID support and can become unusable if the password is lost.

  • TCG Enterprise is designed for systems with many data disks. These SEDs do not have the functionality to be unlocked before the operating system boots.

See this Trusted Computing Group® and NVM Express® joint white paper for more details about these specifications.

FreeNAS® implements the security capabilities of camcontrol for legacy devices and sedutil-cli for TCG devices. When managing a SED from the command line, it is important to use sedutil-cli rather than camcontrol to access the full capabilities of the device. FreeNAS® provides the sedhelper wrapper script to ease SED administration from the command line.

By default, SEDs are not locked until the administrator takes ownership of them. Ownership is taken by explicitly configuring a global or per-device password in the FreeNAS® web interface and adding the password to the SEDs.

A password-protected SED protects the data stored on the device when the device is physically removed from the FreeNAS® system. This allows secure disposal of the device without having to first wipe the contents. Repurposing a SED on another system requires the SED password.

Deploying SEDs

Run sedutil-cli --scan in the Shell to detect and list devices. The second column of the results identifies the drive type:

  • no indicates a non-SED device
  • 1 indicates a legacy TCG OPAL 1 device
  • 2 indicates a modern TCG OPAL 2 device
  • L indicates a TCG Opalite device
  • p indicates a TCG Pyrite 1 device
  • P indicates a TCG Pyrite 2 device
  • E indicates a TCG Enterprise device


root@truenas1:~ # sedutil-cli --scan
Scanning for Opal compliant disks
/dev/ada0  No  32GB SATA Flash Drive SFDK003L
/dev/ada1  No  32GB SATA Flash Drive SFDK003L
/dev/da0   No  HGST    HUS726020AL4210  A7J0
/dev/da1   No  HGST    HUS726020AL4210  A7J0
/dev/da10    E WDC     WUSTR1519ASS201  B925
/dev/da11    E WDC     WUSTR1519ASS201  B925

FreeNAS® supports setting a global password for all detected SEDs or setting individual passwords for each SED. Using a global password for all SEDs is strongly recommended to simplify deployment and avoid maintaining separate passwords for each SED.

Setting a global password for SEDs

Go to System ➞ Advanced ➞ SED Password and enter the password. Record this password and store it in a safe place!

Now the SEDs must be configured with this password. Go to the Shell and enter sedhelper setup password, where password is the global password entered in System ➞ Advanced ➞ SED Password.

sedhelper ensures that all detected SEDs are properly configured to use the provided password:

root@truenas1:~ # sedhelper setup abcd1234
da9                  [OK]
da10                 [OK]
da11                 [OK]

Rerun sedhelper setup password every time a new SED is placed in the system to apply the global password to the new SED.

Creating separate passwords for each SED

Go to Storage ➞ Disks. Click  (Options) for the confirmed SED, then Edit. Enter and confirm the password in the SED Password and Confirm SED Password fields.

The Storage ➞ Disks screen shows which disks have a configured SED password. The SED Password column shows a mark when the disk has a password. Disks that are not a SED or are unlocked using the global password are not marked in this column.

The SED must be configured to use the new password. Go to the Shell and enter sedhelper setup --disk da1 password, where da1 is the SED to configure and password is the created password from Storage ➞ Disks ➞ Edit Disks ➞ SED Password.

This process must be repeated for each SED and any SEDs added to the system in the future.


Remember SED passwords! If the SED password is lost, SEDs cannot be unlocked and their data is unavailable. While it is possible to specify the PSID number on the label of the device with sedutil-cli, doing so erases the contents of the device rather than unlocking it. Always record SED passwords whenever they are configured or modified and store them in a secure place!

Check SED Functionality

When SED devices are detected during system boot, FreeNAS® checks for configured global and device-specific passwords.

Unlocking SEDs allows a pool to contain a mix of SED and non-SED devices. Devices with individual passwords are unlocked with their password. Devices without a device-specific password are unlocked using the global password.

To verify SED locking is working correctly, go to the Shell. Enter sedutil-cli --listLockingRange 0 password /dev/da1, where da1 is the SED and password is the global or individual password for that SED. The command returns ReadLockEnabled: 1, WriteLockEnabled: 1, and LockOnReset: 1 for drives with locking enabled:

root@truenas1:~ # sedutil-cli --listLockingRange 0 abcd1234 /dev/da9
    Name:            Global_Range
    CommonName:      Locking
    RangeStart:      0
    RangeLength:     0
    ReadLockEnabled: 1
    ReadLocked:      0
    WriteLocked:     0
    LockOnReset:     1
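
The scan type codes and the locking check described above can be applied to every drive with a short script. This is an added example, not part of FreeNAS® or sedutil; the function names and the sample text, including the /dev/da12 drive, are constructed for illustration.

```sh
#!/bin/sh
# Added example: parse saved or piped sedutil-cli output.
# All sample text below is constructed in the layout shown above.

# Classify each device line of `sedutil-cli --scan` output read from stdin,
# using the type codes listed above. Prints "device<TAB>description".
sed_scan_classify() {
    awk '
        $1 ~ /^\/dev\// {
            code = $2
            if (tolower(code) == "no") desc = "non-SED"
            else if (code == "1") desc = "TCG Opal 1 (legacy)"
            else if (code == "2") desc = "TCG Opal 2"
            else if (code == "L") desc = "TCG Opalite"
            else if (code == "p") desc = "TCG Pyrite 1"
            else if (code == "P") desc = "TCG Pyrite 2"
            else if (code == "E") desc = "TCG Enterprise"
            else desc = "unrecognised code " code
            printf "%s\t%s\n", $1, desc
        }'
}

# List only the devices recognised as SEDs, i.e. the ones that still need a
# global or per-device password before they lock.
sed_scan_seds() {
    sed_scan_classify | awk -F '\t' '$2 ~ /^TCG / { print $1 }'
}

# Check `sedutil-cli --listLockingRange 0 ...` output read from stdin.
# Prints NAME=value for the three fields named in the text and returns 0
# only when all three are present and equal to 1. A field missing from the
# output counts as a failure instead of being silently skipped.
sed_locking_check() {
    awk '
        BEGIN { n = split("ReadLockEnabled WriteLockEnabled LockOnReset", want, " ") }
        {
            key = $1
            sub(/:$/, "", key)
            for (i = 1; i <= n; i++) if (key == want[i]) seen[key] = $2
        }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                k = want[i]
                if (!(k in seen)) { print k "=MISSING"; bad = 1 }
                else { print k "=" seen[k]; if (seen[k] != "1") bad = 1 }
            }
            exit bad
        }'
}

# Constructed sample: scan output with two non-SEDs and two SEDs.
sample_scan() {
    cat <<'EOF'
Scanning for Opal compliant disks
/dev/ada0  No  32GB SATA Flash Drive SFDK003L
/dev/da1   No  HGST    HUS726020AL4210  A7J0
/dev/da10    E WDC     WUSTR1519ASS201  B925
/dev/da12    2 EXAMPLE OPAL2-DRIVE      0001
EOF
}

# Constructed sample: a drive with locking enabled.
sample_range_locked() {
    cat <<'EOF'
    Name:            Global_Range
    RangeStart:      0
    RangeLength:     0
    ReadLockEnabled: 1
    WriteLockEnabled: 1
    ReadLocked:      0
    WriteLocked:     0
    LockOnReset:     1
EOF
}

# Constructed sample: a drive whose locking range was never enabled.
sample_range_unowned() {
    cat <<'EOF'
    Name:            Global_Range
    ReadLockEnabled: 0
    WriteLockEnabled: 0
    LockOnReset:     0
EOF
}

# Demonstration over the constructed samples.
echo "== drive types =="
sample_scan | sed_scan_classify
for s in sample_range_locked sample_range_unowned; do
    if "$s" | sed_locking_check >/dev/null; then
        echo "$s: locking verified"
    else
        echo "$s: locking NOT verified"
    fi
done
```

On a live system, pipe the real sedutil-cli --scan and sedutil-cli --listLockingRange output into these functions in place of the sample functions.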

6.5. Email

An automatic script sends a nightly email to the root user account containing important information such as the health of the disks. Alert events are also emailed to the root user account. Problems with Scrub Tasks are reported separately in an email sent at 03:00AM.


S.M.A.R.T. reports are mailed separately to the address configured in that service.

The administrator typically does not read email directly on the FreeNAS® system. Instead, these emails are usually sent to an external email address where they can be read more conveniently. It is important to configure the system so it can send these emails to the administrator’s remote email account so they are aware of problems or status changes.

The first step is to set the remote address where email will be sent. Go to Accounts ➞ Users, click  (Options) and Edit for the root user. In the Email field, enter the email address on the remote system where email is to be sent, like admin@example.com. Click SAVE to save the settings.

Additional configuration is performed with System ➞ Email, shown in Figure 6.5.1.


Fig. 6.5.1 Email Screen

Table 6.5.1 Email Configuration Settings
| Setting | Value | Description |
|---|---|---|
| From email | string | The envelope From address shown in the email. This can be set to make filtering mail on the receiving system easier. The friendly name is set like this: Friendly Name <address@example.com> |
| Outgoing Mail Server | string or IP address | Hostname or IP address of SMTP server used for sending this email. |
| Mail Server Port | integer | SMTP port number. Typically 25, 465 (secure SMTP), or 587 (submission). |
| Security | drop-down menu | Choose an encryption type. Choices are Plain (No Encryption), SSL (Implicit TLS), or TLS (STARTTLS). |
| SMTP Authentication | checkbox | Enable or disable SMTP AUTH using PLAIN SASL. If enabled, enter the required Username and Password. |
| Username | string | Enter the SMTP username if the SMTP server requires authentication. |
| Password | string | Enter the SMTP password if the SMTP server requires authentication. Only plain text characters (7-bit ASCII) are allowed in passwords. UTF or composed characters are not allowed. |

Click the SEND MAIL button to verify that the configured email settings are working. If the test email fails, double-check that the Email field of the root user is correctly configured by clicking the Edit button for the root account in Accounts ➞ Users.

Configuring email for TLS/SSL email providers is described in "Are you having trouble getting FreeNAS to email you in Gmail?".


The FreeNAS® user who receives periodic email is set in the Periodic Notification User field in System ➞ Advanced.

6.6. System Dataset

System ➞ System Dataset, shown in Figure 6.6.1, is used to select the pool which contains the persistent system dataset. The system dataset stores debugging core files and Samba4 metadata such as the user/group cache and share level permissions. If the FreeNAS® system is configured to be a Domain Controller, all of the domain controller state is stored there as well, including domain controller users and groups.


When the system dataset is moved, a new dataset is created and set active. The old dataset is intentionally not deleted by the system because the move might be temporary or the information in the old dataset might be useful for later recovery.


Fig. 6.6.1 System Dataset Screen

Use the System Dataset Pool drop-down menu to select the volume (pool) to contain the system dataset. The system dataset can be moved to unencrypted volumes (pools) or encrypted volumes which do not have passphrases. If the system dataset is moved to an encrypted volume, that volume is no longer allowed to be locked or have a passphrase set.

Moving the system dataset also requires restarting the SMB service. A dialog warns that the SMB service must be restarted, causing a temporary outage of any active SMB connections.

System logs and the reporting database can also be stored on the system dataset. Storing this information on the system dataset is recommended when large amounts of data are being generated and the system has limited memory or a limited capacity operating system device.

Set Syslog to store system logs on the system dataset. Leave unset to store system logs in /var on the operating system device.

Set Reporting Database to store Reporting data on the system dataset. Leave unset to create a /temp disk in RAM to store the reporting database.

Click SAVE to save changes.

If the pool storing the system dataset is changed at a later time, FreeNAS® migrates the existing data in the system dataset to the new location.


Depending on configuration, the system dataset can occupy a large amount of space and receive frequent writes. Do not put the system dataset on a flash drive or other media with limited space or write life.

6.7. Alert Services

FreeNAS® can use a number of methods to notify the administrator of system events that require attention. These events are system Alerts.

Available alert services:


These alert services might use a third party commercial vendor not directly affiliated with iXsystems. Please investigate and fully understand that vendor’s pricing policies and services before using their alert service. iXsystems is not responsible for any charges incurred from the use of third party vendors with the Alert Services feature.

Select System ➞ Alert Services to show the Alert Services screen, Figure 6.7.1.


Fig. 6.7.1 Alert Services

Click ADD to display the Add Alert Service form, Figure 6.7.2.


Fig. 6.7.2 Add Alert Service

Select the Type to choose an alert service to configure. The configurable fields and required information differ for each alert service. Set Enabled to activate the service. Enter any other required information and click SAVE.

Configure which alerts are sent to the alert service by clicking SHOW SETTINGS.

Click SEND TEST ALERT to test the configured service.

All saved alert services are displayed in System ➞ Alert Services. To delete an alert service, click  (Options) and Delete. To disable an alert service temporarily, click  (Options) and Edit, then unset the Enabled option.

6.8. Alert Settings

System ➞ Alert Settings displays the notification frequency for each type of Alert. An example is shown in Figure 6.8.1.


Fig. 6.8.1 Configure Alert Notification Frequency

To change the notification frequency of an alert, click its drop-down menu and select IMMEDIATELY, HOURLY, DAILY, or NEVER.


To configure where alerts are sent, use Alert Services.

6.9. Cloud Credentials

FreeNAS® can use cloud services for features like Cloud Sync Tasks. The credentials to provide secure connections with cloud services are entered here. Amazon S3, Backblaze B2, Box, Dropbox, FTP, Google Cloud Storage, Google Drive, HTTP, hubiC, Mega, Microsoft Azure Blob Storage, Microsoft OneDrive, pCloud, SFTP, WebDAV, and Yandex are supported.


The hubiC cloud service has suspended creation of new accounts.


Cloud Credentials are stored in encrypted form. To be able to restore Cloud Credentials from a saved configuration, “Export Password Secret Seed” must be set when saving that configuration.

Click System ➞ Cloud Credentials to see the screen shown in Figure 6.9.1.


Fig. 6.9.1 Cloud Credentials List

The list shows the Account Name and Provider for each credential. There are options to Edit and Delete a credential after clicking  (Options) for a credential.

Click ADD to add a new cloud credential. Choose a Provider to display any specific options for that provider. Figure 6.9.2 shows the form for an Amazon S3 provider:


Fig. 6.9.2 Add Amazon S3 Credential

Enter a descriptive and unique name for the cloud credential in the Name field. The remaining options vary by Provider, and are shown in Table 6.9.1.

Table 6.9.1 Cloud Credential Options
| Provider | Setting | Description |
|---|---|---|
| Amazon S3 | Access Key ID | Enter the Amazon Web Services Key ID. This is found on Amazon AWS by going through My account -> Security Credentials -> Access Keys. |
| Amazon S3 | Secret Access Key | Enter the Amazon Web Services password. If the Secret Access Key cannot be found or remembered, go to My Account -> Security Credentials -> Access Keys and create a new key pair. |
| Amazon S3 | Endpoint URL | Set Advanced Settings to access this option. S3 API endpoint URL. When using AWS, the endpoint field can be empty to use the default endpoint for the region, and available buckets are automatically fetched. Refer to the AWS Documentation for a list of Simple Storage Service Website Endpoints. |
| Amazon S3 | Disable Endpoint Region | Set Advanced Settings to access this option. Skip automatic detection of the Endpoint URL region. Set this when configuring a custom Endpoint URL. |
| Amazon S3 | Use Signature Version 2 | Set Advanced Settings to access this option. Force using Signature Version 2 to sign API requests. Set this when configuring a custom Endpoint URL. |
| Backblaze B2 | Account ID or Application Key ID, Master Application Key or Application Key | Enter the Account ID and Master Application Key for the Backblaze B2 account. These are visible after logging into the account, clicking Buckets, and clicking Show Account ID and Application Key. An Application Key with limited permissions can be used in place of the Account ID and Master Application Key. Create a new Application Key and enter the key string in place of the Master Application Key and replace the Account ID with the keyID. |
| Box | Automatic config, OAuth Client ID, OAuth Client Secret, Access Token | Configured with Open Authentication. |
| Dropbox | Automatic config, OAuth Client ID, OAuth Client Secret, Access Token | Configured with Open Authentication. The access token can be manually created by going to the Dropbox App Console. After creating an app, go to Settings and click Generate under the Generated access token field. |
| FTP | Host, Port | Enter the FTP host and port. |
| FTP | Username, Password | Enter the FTP username and password. |
| Google Cloud Storage | JSON Service Account Key | Browse to the location of the saved Google Cloud Storage key and select it. |
| Google Drive | Access Token, Team Drive ID | Enter the Google Drive Access Token. Team Drive ID is only used when connecting to a Team Drive. The ID is also the ID of the top level folder of the Team Drive. |
| HTTP | URL | Enter the URL. |
| hubiC | Access Token | Enter the access token. |
| Mega | Username, Password | Enter the Mega username and password. |
| Microsoft Azure Blob Storage | Account Name, Account Key | Enter the Azure Blob Storage account name and key. |
| Microsoft OneDrive | Automatic config, OAuth Client ID, OAuth Client Secret, Access Token, Drive Account Type, Drive ID | OAuth Client ID, OAuth Client Secret, and Access Token are configured with Open Authentication. Choose the account type: PERSONAL, BUSINESS, or SharePoint DOCUMENT_LIBRARY. To find the Drive ID, log in to the OneDrive account and copy the string that appears in the browser address bar after cid=. Example: https://onedrive.live.com/?id=root&cid=12A34567B89C10D1, where 12A34567B89C10D1 is the drive ID. |
| pCloud | Automatic config, OAuth Client ID, OAuth Client Secret, Access Token | Configured with Open Authentication. |
| SFTP | Host, Port, Username, Password, PEM-encoded private key file path | Enter the SFTP host, port, and username. Enter a password or PEM-encoded private key file path. |
| WebDAV | URL, WebDAV service | Enter the URL and use the dropdown to select the WebDAV service. |
| WebDAV | Username, Password | Enter the username and password. |
| Yandex | Automatic config, OAuth Client ID, OAuth Client Secret, Access Token | Configured with Open Authentication. |

Additional fields are displayed after Provider is selected. For Amazon S3, Access Key and Secret Key are shown. These values are found on the Amazon AWS website by clicking on the account name, then My Security Credentials and Access Keys (Access Key ID and Secret Access Key). Copy the Access Key value to the FreeNAS® Cloud Credential Access Key field, then enter the Secret Key value saved when the key pair was created. If the Secret Key value is unknown, a new key pair can be created on the same Amazon screen.

The Google Cloud Storage JSON Service Account Key is found on the Google Cloud Platform Console.

Open Authentication (OAuth) is used with some cloud providers. These providers have an Automatic config link that opens a new browser tab to log in to that provider and fill the FreeNAS® OAuth Client ID, OAuth Client Secret, and Access Token fields with valid credentials.

More details about individual Provider settings are available in the rclone documentation.

6.10. Tunables

System ➞ Tunables can be used to manage:

  1. FreeBSD sysctls: a sysctl(8) makes changes to the FreeBSD kernel running on a FreeNAS® system and can be used to tune the system.
  2. FreeBSD loaders: a loader is only loaded when a FreeBSD-based system boots and can be used to pass a parameter to the kernel or to load an additional kernel module such as a FreeBSD hardware driver.
  3. FreeBSD rc.conf options: rc.conf(5) is used to pass system configuration options to the system startup scripts as the system boots. Since FreeNAS® has been optimized for storage, not all of the services mentioned in rc.conf(5) are available for configuration. Note that in FreeNAS®, customized rc.conf options are stored in /tmp/rc.conf.freenas.


Adding a sysctl, loader, or rc.conf option is an advanced feature. A sysctl immediately affects the kernel running the FreeNAS® system and a loader could adversely affect the ability of the FreeNAS® system to successfully boot. Do not create a tunable on a production system before testing the ramifications of that change.

Since sysctl, loader, and rc.conf values are specific to the kernel parameter to be tuned, the driver to be loaded, or the service to configure, descriptions and suggested values can be found in the man page for the specific driver and in many sections of the FreeBSD Handbook.

To add a loader, sysctl, or rc.conf option, go to System ➞ Tunables and click ADD to access the screen shown in Figure 6.10.1.


Fig. 6.10.1 Adding a Tunable

Table 6.10.1 summarizes the options when adding a tunable.

Table 6.10.1 Adding a Tunable
| Setting | Value | Description |
|---|---|---|
| Variable | string | The name of the sysctl or driver to load. |
| Value | integer or string | Set a value for the Variable. Refer to the man page for the specific driver or the FreeBSD Handbook for suggested values. |
| Type | drop-down menu | Choices are Loader, rc.conf, and Sysctl. |
| Comment | string | Optional. Enter a description of this tunable. |
| Enabled | checkbox | Deselect this option to disable the tunable without deleting it. |


As soon as a Sysctl is added or edited, the running kernel changes that variable to the value specified. However, when a Loader or rc.conf value is changed, it does not take effect until the system is rebooted. Regardless of the type of tunable, changes persist at each boot and across upgrades unless the tunable is deleted or the Enabled option is deselected.

Existing tunables are listed in System ➞ Tunables. To change the value of an existing tunable, click (Options) and Edit. To remove a tunable, click (Options) and Delete.

Restarting the FreeNAS® system after making sysctl changes is recommended. Some sysctls only take effect at system startup, and restarting the system guarantees that the setting values correspond with what is being used by the running system.

The web interface does not display the sysctls that are pre-set when FreeNAS® is installed. FreeNAS® 11.2 ships with the sysctls set:


Do not add or edit these default sysctls as doing so may render the system unusable.

The web interface does not display the loaders that are pre-set when FreeNAS® is installed. FreeNAS® 11.2 ships with these loaders set:

loader_menu_title="Welcome to FreeNAS"
loader_version=" "

Do not add or edit the default tunables. Changing the default tunables can make the system unusable.

The ZFS version used in 11.2 deprecates these tunables:


After upgrading from an earlier version of FreeNAS®, these tunables are automatically deleted. Please do not manually add them back.

6.11. Update

FreeNAS® has an integrated update system to make it easy to keep up to date.

6.11.1. Preparing for Updates

It is best to perform updates at times the FreeNAS® system is idle, with no clients connected and no scrubs or other disk activity going on. Most updates require a system reboot. Plan updates around scheduled maintenance times to avoid disrupting user activities.

The update process will not proceed unless there is enough free space in the boot pool for the new update files. If a space warning is shown, use Boot Environments to remove unneeded boot environments.

6.11.2. Updates and Trains

Cryptographically signed update files are used to update FreeNAS®. Update files provide flexibility in deciding when to upgrade the system. Boot environments make it possible to test an update.

FreeNAS® defines software branches, known as trains. There are several trains available for updates, but the web interface only displays trains that can be selected as an upgrade.

Update trains are labeled with a numeric version followed by a short description. The current version receives regular bug fixes and new features. Supported older versions of FreeNAS® only receive maintenance updates. Several specific words are used to describe the type of train:

  • STABLE: Bug fixes and new features are available from this train. Upgrades available from a STABLE train are tested and ready to apply to a production environment.
  • Nightlies: Experimental train used for testing future versions of FreeNAS®.
  • SDK: Software Developer Kit train. This has additional tools for testing and debugging FreeNAS®.


The UI will warn if the currently selected train is not suited for production use. Before using a non-production train, be prepared to experience bugs or problems. Testers are encouraged to submit bug reports at https://bug.ixsystems.com.

6.11.3. Checking for Updates

Figure 6.11.1 shows an example of the System ➞ Update screen.


Fig. 6.11.1 Update Options

The system checks daily for updates and downloads an update if one is available. An alert is issued when a new update becomes available. The automatic check and download of updates is disabled by unsetting Check for Updates Daily and Download if Available. Click (Refresh) to perform another check for updates.

To change the train, use the drop-down menu to make a different selection.


The train selector does not allow downgrades. For example, the STABLE train cannot be selected while booted into a Nightly boot environment, or a 9.10 train cannot be selected while booted into an 11 boot environment. To go back to an earlier version after testing or running a more recent version, reboot and select a boot environment for that earlier version. This screen can then be used to check for updates on that train.

In the example shown in Figure 6.11.2, information about the update is displayed along with a link to the release notes. It is important to read the release notes before updating to determine if any of the changes in that release impact the use of the system.


Fig. 6.11.2 Reviewing Updates

6.11.4. Saving the Configuration File

A dialog to save the system configuration file appears before installing updates.



The Save Configuration dialog can be disabled in (Settings) Preferences, although this is not recommended. Saving backups of configuration files allows recovery of the system after an operating system device failure.


Keep the system configuration file secure after saving it. The security information in the configuration file could be used for unauthorized access to the FreeNAS® system.

6.11.5. Applying Updates

Make sure the system is in a low-usage state as described above in Preparing for Updates.

Click FETCH AND INSTALL UPDATES to immediately download and install an update.

The Save Configuration dialog appears so the current configuration can be saved to external media.

A confirmation window appears before the update is installed. When Apply updates and reboot system after downloading is set, clicking CONTINUE downloads and applies the updates, then automatically reboots the system. The update can be downloaded for a later manual installation by unsetting the Apply updates and reboot system after downloading option.

APPLY PENDING UPDATE is visible when an update is downloaded and ready to install. Click the button to see a confirmation window. Setting Confirm and clicking CONTINUE installs the update and reboots the system.


Each update creates a boot environment. If the update process needs more space, it attempts to remove old boot environments. Boot environments marked with the Keep attribute as shown in Boot Environments will not be removed. If space for a new boot environment is not available, the upgrade fails. Space on the operating system device can be manually freed using System ➞ Boot Environments. Review the boot environments and remove the Keep attribute or delete any boot environments that are no longer needed.

During the update process a progress dialog appears. Do not interrupt the update until it completes.

6.11.6. Manual Updates

Updates can also be manually downloaded and applied in System ➞ Update.


Manual updates cannot be used to upgrade from older major versions.

Go to https://download.freenas.org/ and find an update file of the desired version. Manual update file names end with -manual-update-unsigned.tar.

Download the file to a desktop or laptop computer. Connect to FreeNAS® with a browser and go to System ➞ Update. Click INSTALL MANUAL UPDATE FILE.

The Save Configuration dialog opens. This makes it possible to save a copy of the current configuration to external media for backup in case of an update problem.

After the dialog closes, the manual update screen is shown:


The current version of FreeNAS® is shown for verification.

Select the manual update file with the Browse button. Set Reboot After Update to reboot the system after the update has been installed. Click APPLY UPDATE to begin the update. A progress dialog is displayed during the update. Do not interrupt the update.

6.12. CAs

FreeNAS® can act as a Certificate Authority (CA). When encrypting SSL or TLS connections to the FreeNAS® system, either import an existing certificate, or create a CA on the FreeNAS® system, then create a certificate. This certificate will appear in the drop-down menus for services that support SSL or TLS.

For secure LDAP, the public key of an existing CA can be imported with Import CA, or a new CA can be created on the FreeNAS® system and also used on the LDAP server.

Figure 6.12.1 shows the screen after clicking System ➞ CAs.


Fig. 6.12.1 Initial CA Screen

If the organization already has a CA, the CA certificate and key can be imported. Click ADD and set the Type to Import CA to see the configuration options shown in Figure 6.12.2. The configurable options are summarized in Table 6.12.1.


Fig. 6.12.2 Importing a CA

Table 6.12.1 Importing a CA Options
| Setting | Value | Description |
|---|---|---|
| Identifier | string | Enter a descriptive name for the CA using only alphanumeric, underscore (_), and dash (-) characters. |
| Type | drop-down menu | Choose the type of CA. Choices are Internal CA, Intermediate CA, and Import CA. |
| Certificate | string | Mandatory. Paste in the certificate for the CA. |
| Private Key | string | If there is a private key associated with the Certificate, paste it here. Private keys must be at least 1024 bits long. |
| Passphrase | string | If the Private Key is protected by a passphrase, enter it here and repeat it in the “Confirm Passphrase” field. |

To create a new CA, first decide if it will be the only CA which will sign certificates for internal use or if the CA will be part of a certificate chain.

To create a CA for internal use only, click ADD and set the Type to Internal CA. Figure 6.12.3 shows the available options.


Fig. 6.12.3 Creating an Internal CA

The configurable options are described in Table 6.12.2. When completing the fields for the certificate authority, supply the information for the organization.

Table 6.12.2 Internal CA Options
| Setting | Value | Description |
|---|---|---|
| Identifier | string | Enter a descriptive name for the CA using only alphanumeric, underscore (_), and dash (-) characters. |
| Type | drop-down menu | Choose the type of CA. Choices are Internal CA, Intermediate CA, and Import CA. |
| Key Length | drop-down menu | For security reasons, a minimum of 2048 is recommended. |
| Digest Algorithm | drop-down menu | The default is acceptable unless the organization requires a different algorithm. |
| Lifetime | integer | The lifetime of a CA is specified in days. |
| Country | drop-down menu | Select the country for the organization. |
| State | string | Enter the state or province of the organization. |
| Locality | string | Enter the location of the organization. |
| Organization | string | Enter the name of the company or organization. |
| Email | string | Enter the email address for the person responsible for the CA. |
| Common Name | string | Enter the fully-qualified hostname (FQDN) of the system. The Common Name must be unique within a certificate chain. |
| Subject Alternate Names | string | Multi-domain support. Enter additional space separated domain names. |

To create an intermediate CA which is part of a certificate chain, set the Type to Intermediate CA. This screen adds one more option to the screen shown in Figure 6.12.3:

  • Signing Certificate Authority: this drop-down menu is used to specify the root CA in the certificate chain. This CA must first be imported or created.

Imported or created CAs are added as entries in System ➞ CAs. The columns in this screen indicate the name of the CA, whether it is an internal CA, whether the issuer is self-signed, the CA lifetime (in days), the common name of the CA, the date and time the CA was created, and the date and time the CA expires.

Click  (Options) on an existing CA to access these configuration buttons:

  • View: use this option to view the contents of an existing Certificate, Private Key, or to edit the Identifier.
  • Sign CSR: used to sign internal Certificate Signing Requests created using System ➞ Certificates ➞ Create CSR.
  • Export Certificate: prompts to browse to the location to save a copy of the CA’s X.509 certificate on the computer being used to access the FreeNAS® system.
  • Export Private Key: prompts to browse to the location to save a copy of the CA’s private key on the computer being used to access the FreeNAS® system. This option only appears if the CA has a private key.
  • Delete: prompts for confirmation before deleting the CA.

6.13. Certificates

FreeNAS® can import existing certificates, create new certificates, and issue certificate signing requests so that created certificates can be signed by the CA which was previously imported or created in CAs.

Figure 6.13.1 shows the initial screen after clicking System ➞ Certificates.


Fig. 6.13.1 Initial Certificates Screen

To import an existing certificate, click ADD and set the Type to Import Certificate. Figure 6.13.2 shows the options. When importing a certificate chain, paste the primary certificate, followed by any intermediate certificates, followed by the root CA certificate.

The configurable options are summarized in Table 6.13.1.


Fig. 6.13.2 Importing a Certificate

Table 6.13.1 Certificate Import Options
| Setting | Value | Description |
|---|---|---|
| Identifier | string | Enter a descriptive name for the certificate using only alphanumeric, underscore (_), and dash (-) characters. |
| Type | drop-down menu | Choose the type of certificate. Choices are Internal Certificate, Certificate Signing Request, and Import Certificate. |
| Certificate | string | Paste the contents of the certificate. |
| Private Key | string | Paste the private key associated with the certificate. Private keys must be at least 1024 bits long. |
| Passphrase | string | If the private key is protected by a passphrase, enter it here and repeat it in the Confirm Passphrase field. |
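
The import rules for CAs and certificates described above (a chain pasted as primary certificate, then intermediates, then root CA; a private key that belongs to the certificate; the key-length limits) can be checked with openssl before anything is pasted into the form. This is an added example, not part of the FreeNAS® documentation: the helper functions, subjects, and file names are constructed for the demonstration, and it assumes the openssl command-line tool is installed on the workstation.

```shell
#!/bin/sh
# Pre-import checks for a certificate chain and its private key.
# Added example: every subject, file name and helper here is constructed.

# Split PEM bundle $1 into $2/cert-1.pem, cert-2.pem, ...; print the count.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }
    ' "$1"
}

# Return 0 when bundle $1 is ordered primary, intermediates, root: each
# certificate is issued by the one after it and the last is self-issued.
check_chain_order() {
    tmp=$(mktemp -d) || return 2
    count=$(split_bundle "$1" "$tmp")
    rc=0
    [ "$count" -ge 1 ] || rc=1
    i=1
    while [ "$rc" -eq 0 ] && [ "$i" -le "$count" ]; do
        next=$((i + 1))
        [ "$i" -lt "$count" ] || next=$i    # the root is compared with itself
        issuer=$(openssl x509 -in "$tmp/cert-$i.pem" -noout -issuer_hash)
        subject=$(openssl x509 -in "$tmp/cert-$next.pem" -noout -subject_hash)
        [ "$issuer" = "$subject" ] || rc=1
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return "$rc"
}

# Print the public key size, in bits, of the first certificate in $1.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

# Return 0 when private key $2 belongs to the first certificate in $1.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$2" -pubout)" ]
}

# issue DIR NAME SUBJECT SIGNER SERIAL: new 2048-bit key and certificate.
issue() {
    openssl req -newkey rsa:2048 -nodes -subj "$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" \
        -set_serial "$5" -sha256 -days 30 -out "$1/$2.pem" 2>/dev/null
}

# Build a constructed root, intermediate and leaf in directory $1, plus a
# correctly ordered bundle and a reversed one. The demo certificates are
# not meant for real use; they only exercise the checks above.
make_demo_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/O=Example Org/CN=Example Root CA" \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
    issue "$1" inter "/O=Example Org/CN=Example Intermediate CA" root 2
    issue "$1" leaf "/O=Example Org/CN=nas.example.internal" inter 3
    cat "$1/leaf.pem" "$1/inter.pem" "$1/root.pem" > "$1/good-bundle.pem"
    cat "$1/root.pem" "$1/inter.pem" "$1/leaf.pem" > "$1/reversed-bundle.pem"
}

run_demo() {
    demo=$(mktemp -d) || return 1
    make_demo_chain "$demo"
    for b in good-bundle reversed-bundle; do
        if check_chain_order "$demo/$b.pem"; then
            echo "$b: order ok"
        else
            echo "$b: wrong order"
        fi
    done
    echo "leaf key bits: $(cert_key_bits "$demo/leaf.pem")"
    key_matches_cert "$demo/leaf.pem" "$demo/leaf.key" && echo "leaf key matches"
    rm -rf "$demo"
}
run_demo
```

To check a real bundle, call `check_chain_order` and `key_matches_cert` on the files to be pasted, and compare the `cert_key_bits` result with the key-length limits given in the tables.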

To create a new self-signed certificate, set the Type to Internal Certificate to see the options shown in Figure 6.13.3. The configurable options are summarized in Table 6.13.2. When completing the fields for the certificate authority, use the information for the organization. Since this is a self-signed certificate, use the CA that was imported or created with CAs as the signing authority.


Fig. 6.13.3 Creating a New Certificate

Table 6.13.2 Certificate Creation Options
| Setting | Value | Description |
|---|---|---|
| Identifier | string | Enter a descriptive name for the certificate using only alphanumeric, underscore (_), and dash (-) characters. |
| Type | drop-down menu | Choose the type of certificate. Choices are Internal Certificate, Certificate Signing Request, and Import Certificate. |
| Signing Certificate Authority | drop-down menu | Select the CA which was previously imported or created using CAs. |
| Key Length | drop-down menu | For security reasons, a minimum of 2048 is recommended. |
| Digest Algorithm | drop-down menu | The default is acceptable unless the organization requires a different algorithm. |
| Lifetime | integer | The lifetime of the certificate is specified in days. |
| Country | drop-down menu | Select the country for the organization. |
| State | string | State or province of the organization. |
| Locality | string | Location of the organization. |
| Organization | string | Name of the company or organization. |
| Email | string | Enter the email address for the person responsible for the CA. |
| Common Name | string | Enter the fully-qualified hostname (FQDN) of the system. The Common Name must be unique within a certificate chain. |
| Subject Alternate Names | string | Multi-domain support. Enter additional domain names and separate them with a space. |

If the certificate is signed by an external CA, such as Verisign, instead create a certificate signing request. To do so, set the Type to Certificate Signing Request. The options from Figure 6.13.3 display, but without the Signing Certificate Authority and Lifetime fields.

Certificates that are imported, self-signed, or for which a certificate signing request is created are added as entries to System ➞ Certificates. In the example shown in Figure 6.13.4, a self-signed certificate and a certificate signing request have been created for the fictional organization My Company. The self-signed certificate was issued by the internal CA named My Company and the administrator has not yet sent the certificate signing request to Verisign so that it can be signed. Once that certificate is signed and returned by the external CA, it should be imported with a new certificate set to Import Certificate. This makes the certificate available as a configurable option for encrypting connections.


Fig. 6.13.4 Managing Certificates

Clicking  (Options) for an entry shows these configuration buttons:

  • View: use this option to view the contents of an existing Certificate, Private Key, or to edit the Identifier.
  • Export Certificate saves a copy of the certificate or certificate signing request to the system being used to access the FreeNAS® system. For a certificate signing request, send the exported certificate to the external signing authority so that it can be signed.
  • Export Private Key saves a copy of the private key associated with the certificate or certificate signing request to the system being used to access the FreeNAS® system.
  • Delete is used to delete a certificate or certificate signing request.

6.14. Support

The FreeNAS® Support option, shown in Figure 6.14.1, provides a built-in ticketing system for generating bug reports and feature requests.


Fig. 6.14.1 Support Menu

This screen provides a built-in interface to the FreeNAS® issue tracker located at https://bug.ixsystems.com. When using the FreeNAS® bug tracker for the first time, go to that website, click the Register link, fill out the form, and reply to the registration email. This will create a username and password which can be used to create bug reports and receive notifications as the reports are actioned.

Before creating a bug report or feature request, ensure that a report for the same issue does not already exist at https://bug.ixsystems.com. If a similar issue is already present and has not been marked Closed or Resolved, comment on that issue, adding new information to help solve it. If similar issues have already been Closed or Resolved, create a new issue and refer to the previous issue.


Update the system to the latest version of STABLE and retest before reporting an issue. Newer versions of the software might have already fixed the problem.

To generate a report using the built-in Support screen, complete these fields:

  • Username: enter the login name created when registering at https://bug.ixsystems.com.
  • Password: enter the password associated with the registered login name.
  • Type: select Bug when reporting an issue or Feature when requesting a new feature.
  • Category: this drop-down menu is empty until a registered Username and Password are entered. The field remains empty if either value is incorrect. After the Username and Password are validated, possible categories are populated to the drop-down menu. Select the one that best describes the bug or feature being reported.
  • Attach Debug: enabling this option is recommended so an overview of the system hardware, build string, and configuration is automatically generated and included with the ticket. Generating and attaching a debug to the ticket can take some time. An error will occur if the debug is more than the file size limit of 20 Mib.
  • Subject: enter a descriptive title for the ticket. A good Subject makes it easy to find similar reports.
  • Description: enter a one- to three-paragraph summary of the issue that describes the problem, and if applicable, what steps can be taken to reproduce it.

Click SUBMIT to automatically generate and upload the report to the bug tracker. This process can take several minutes while information is collected and sent.

After the new ticket is created, the ticket URL is shown for viewing or updating with more information.