In my homelab I currently own a Synology NAS (DS1819+) with a 6-disk array in SHR-2 (equivalent to RAID6, i.e. 2-disk redundancy) with Btrfs as the file system. Soon (once the ordered hardware arrives) I’m going to set up a box with TrueNAS Scale (v24.10 on bare metal) with a 4-disk HDD vdev in RAIDz2 (and join the cult with integrity).
On my current Synology setup I use passphrase encryption for the shared folders (which seem to be the equivalent thing to ZFS’ datasets, except they cannot be nested in Synology) and for certain system folders, such as the docker folder.
The only downside currently is that - upon reboot - I have to enter a passphrase 4 times (once for each encrypted shared folder) and it seems on TrueNAS/ZFS that won’t be a problem, if I use nested encrypted datasets.
And FWIW I currently also have to shut down and restart docker on my NAS, after unlocking the shared folders, since I’ve also encrypted the docker folder (and that is totally fine with me).
If I understand things correctly, there would be - in principle - two ways to set up passphrase encryption on TrueNAS Scale:
- Passphrase encryption on “root” dataset
  tank -> Passphrase encrypted dataset (DS)
  tank/nas -> DS inherits encryption (shared to clients)
  tank/media -> DS inherits encryption (shared to clients)
  tank/docker -> DS inherits encryption
  ...
- Intermittent dataset as ancestor of all encrypted datasets
  tank -> Encrypted or not (?)
  tank/vault -> Passphrase encrypted DS as the ancestor of all encrypted datasets (not shared)
  tank/vault/nas -> DS inherits encryption (shared to clients)
  tank/vault/media -> DS inherits encryption (shared to clients)
  tank/vault/docker -> DS inherits encryption
  ...
If I understand things correctly, encrypting the “root” dataset with a passphrase requires moving off the system dataset to another volume (e.g. the boot drive), whereas the second approach does not require that; it just has that extra parent node for encryption, which is just there to unlock all encrypted datasets with one action and a single passphrase.
So here are my questions:
- Since I won’t be mirroring the boot drive, there is of course the potential of the system dataset getting lost, if I use option #1. Would a regular (external) backup of the system configuration be sufficient to mitigate this or does the system dataset contain more stuff than is contained in the backup of the system configuration?
- Also I have a pair of Intel Optane P1600X (58G) SSDs that I plan to use in mirrored mode as an SLOG vdev. Would it be possible to use those drives to additionally store the system dataset (out of the box, without any shenanigans that are not natively supported in TrueNAS) or is the SLOG vdev exclusively for SLOG usage in TrueNAS?
- And finally: Which of the two options (or perhaps a third one altogether) would you use and why? And if it’s #2 with the intermittent dataset, would you still encrypt the root dataset (with a key) or not?
I hope I provided all the pertinent info, but I’m new to this, so please let me know if I need to specify anything else.
Thanks in advance for any advice on this matter.