Kopy, Posted May 5
I would like to see an option for one-click full disk encryption at system setup (or disk/pool or per application setup). Then it should work like in the TrueNAS interface with a warning ⚠️ about the possibility to lose all data if the corresponding password/key is not stored properly and so on... It would be preferable to encrypt all the folders below automatically too, since the title "Full disk encryption ...".
Kopy (Author), Posted May 5
Tried to be precise and forgot to be polite, I am sorry. 🫣 Thanks for reading.
p3t3rsn, Posted May 14
On 5/5/2025 at 2:41 AM, Kopy said:
> I would like to see an option for one-click full disk encryption at system setup (or disk/pool or per application setup). Then it should work like in the TrueNAS interface with a warning ⚠️ about the possibility to lose all data if the corresponding password/key is not stored properly and so on... It would be preferable to encrypt all the folders below automatically too, since the title "Full disk encryption ...".
I second that recommendation.
fren shaped, Posted 11 hours ago
I third this feature request. The job of a NAS is both making data available to you, and unavailable to anyone else who isn't authorized. If someone can just walk off with your server or a drive and gain access to all your personal data, the system is fundamentally unsafe, and not doing its job. Hardware theft should be a financial matter, not a data breach and a major long-term worry. Of course, encrypted disks also make warranty returns or decommissioning hardware less of a hassle.
I can see arguments for and against enabling full disk encryption by default, even though I feel users should be recommended to do so, while obviously also making clear that losing your password means losing all your data.
fren shaped, Posted 8 hours ago
I want to add that I realize that there's a difference between encrypting your dataset, and full disk/system encryption. Encrypting your datasets prevents people from stealing your data and is arguably the most vital. Full disk encryption/system encryption prevents access to any and all (meta)data that might be on the system drive, and helps with boot disk warranty returns and decommissioning. The threat model is slightly different, but also partially overlaps, and I'd consider both valuable additions.
If dataset encryption could be inherited from the system encryption in the same way a dataset can inherit encryption from a parent in TrueNAS, things would be pretty straightforward and easy to wrap your head around.
Manually setting up full disk LUKS encryption is incredibly flexible, but once you start working with multiple drives and cascading unlocks, overlooking or misconfiguring something becomes more likely. Having a simple GUI option for that would be great for peace of mind.
fren shaped, Posted 2 hours ago
After doing some reading, it seems TrueNAS does not support LUKS at all. So with encrypted datasets the data is protected when a single drive gets stolen out of a server, or returned/sold/decommissioned, but when the whole server gets stolen, it boots right up and unlocks any encrypted drives with the on-board encryption keys. You can argue how big that issue practically is when the server is locked up in a datacenter, but in the world at large, that's definitely not acceptable.
I hope HexOS can improve on this situation, as many home servers will be small boxes that are portable enough. It walking off is one of the more likely threats, after hardware failure and misconfiguration perhaps.