fren shaped

After doing some reading, it seems TrueNAS does not support LUKS at all. So with encrypted datasets the data is protected when a single drive gets stolen out of a server, or returned/sold/decomissioned, but when the whole server gets stolen, it boots right up and unlocks any encrypted drives with the on board encryption keys. You can argue how big that issue practically is when the server is locked up in a datacenter, but in the world at large, that's definitely not acceptable. I hope HexOS can improve on this situation, as many home servers will be small boxes that are portable enough. It walking off is one of the more likely threats, after hardware failure and misconfiguration perhaps.

I want to add that I realize that there's a difference between encrypting your dataset, and full disk/system encryption. Encrypting your datasets prevents people from stealing your data and is arguably the most vital. Full disk encryption/system encryption prevents access to any and all (meta)data that might be on the system drive, and helps with boot disk warranty returns and decomissioning. The threat model is slightly different, but also partially overlaps, and I'd consider both valuable additions. If dataset encryption could be inherited from the system encryption in the same way a dataset can inherit encryption from a parent in TrueNAS, things would be pretty straightforward and easy to wrap your head around. Manually setting up full disk LUKS encryption is incredibly flexible, but once you start working with multiple drives and cascading unlocks overlooking or misconfiguring something becomes more likely. Having a simple GUI option for that would be great for peace of mind.

The wording used could be interpreted as still needing the Command Deck for setup, but not for management afterwards. Do we know whether this how it should be interpreted, or that the initial setup could also be done locally once 1.0 has been released? I have to say I appreciate the willingness of the HexOS team to listen to features suggested by the community and to actually implement them.

Nice score! May I suggest to monitor the power consumption for a bit after getting everything up and running? If power is cheap around your parts you probably don't need to worry, but if it is not, things could quickly add up, as tends to be the case with anything running 24/7 and doubly so with more venerable hardware. It's probably fine, but just so you don't get blindsided by a big bill. That being said, tinkering with server hardware can be lots of fun. Desktop hardware is cool and all, but the specialized enterprise features they put on servers can be interesting to play around with. If you're not familiar, be sure to check out the iDRAC!

I third this feature request. The job of a NAS is both making data available to you, and unavailable to anyone else who isn't authorized. If someone can just walk off with your server or a drive and gain access to all your personal data, the system is fundamentally unsafe, and not doing its job. Hardware theft should be a financial matter, not a data breach and a major long term worry. Of course, encrypted disks also make warranty returns or decomissioning hardware less of a hassle. I can see arguments for and against enabling full disk encryption by default, even though I feel users should be recommended to do so, while obviously also making clear that losing your password means losing all your data.