Pool encryption vs encrypted folder within pool (VeraCrypt)

Norde

Cadet
Joined
Sep 10, 2023
Messages
3
Hello TrueNAS community,

I'm about to join the TrueNAS user club and have a question about encrypting my data.

Only a small part of my data is really sensitive. So I was wondering whether it wouldn't be wiser to keep an unencrypted pool and simply place an encrypted folder in it (using VeraCrypt). Fewer constraints in terms of server management and restoration on disk failure, and less demanding in terms of performance (my hardware is an aging quad-core Ivy Bridge).


Is this a good idea, or are there other constraints I need to think about?
(for example, in the event of data corruption, what happens to the encrypted folder - is it lost entirely?)
 
Joined
Oct 22, 2019
Messages
3,641
Why not use an encrypted dataset just for these files? It's native to ZFS, transparent in its usage, less overhead.
 

Norde

Cadet
Joined
Sep 10, 2023
Messages
3
Sounds like a better option indeed. How do these encrypted datasets work from the user side?
(I've read the documentation but it's not very clear on this subject)

Can the dataset be unlocked when a user accesses the shared folder and then types the passphrase, or is it from the server side only?
 
Joined
Oct 22, 2019
Messages
3,641
The locking / unlocking is done on the server itself. You can use a passphrase to encrypt a particular dataset, and manually lock/unlock it from the Pools page.

When it's locked, the data is inaccessible. When it's unlocked, the data is accessible, which means it can be read/written via SMB, NFS, etc.

You'd access the files and folders over a network share, for example.

When you create a new pool, make sure to NOT choose "encryption". This will leave the top-level root dataset unencrypted. You can decide which child datasets you want to use encryption.
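
A check for the layout described in this thread (unencrypted root dataset, passphrase-encrypted child datasets that are either locked or unlocked), as an added example that is not part of the original posts. It reads the tab-separated output of `zfs get -H`; the pool and dataset names and the sample output are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of the tab-separated output of:
#   zfs get -H -r -o name,property,value encryption,keyformat,keystatus,encryptionroot tank
# Pool and dataset names are made up for this example.
sample_zfs_get() {
    printf '%s\t%s\t%s\n' \
        tank encryption off                 tank keyformat none \
        tank keystatus -                    tank encryptionroot - \
        tank/media encryption off           tank/media keyformat none \
        tank/media keystatus -              tank/media encryptionroot - \
        tank/private encryption aes-256-gcm tank/private keyformat passphrase \
        tank/private keystatus unavailable  tank/private encryptionroot tank/private \
        tank/private/scans encryption aes-256-gcm tank/private/scans keyformat passphrase \
        tank/private/scans keystatus unavailable  tank/private/scans encryptionroot tank/private \
        tank/vault encryption aes-256-gcm   tank/vault keyformat passphrase \
        tank/vault keystatus available      tank/vault encryptionroot tank/vault
}

# Reads "name<TAB>property<TAB>value" lines on stdin and prints one line per
# dataset: name, state (PLAINTEXT / LOCKED / UNLOCKED), keyformat, encryptionroot.
audit_encryption() {
    awk -F '\t' '
        !($1 in seen) { seen[$1] = 1; order[++n] = $1 }
        { prop[$1, $2] = $3 }
        END {
            for (i = 1; i <= n; i++) {
                d = order[i]
                if (prop[d, "encryption"] == "off")           state = "PLAINTEXT"
                else if (prop[d, "keystatus"] == "available") state = "UNLOCKED"
                else                                          state = "LOCKED"
                printf "%s\t%s\t%s\t%s\n", d, state, prop[d, "keyformat"], prop[d, "encryptionroot"]
            }
        }'
}

# Succeeds only when the top-level dataset (the name without "/") is
# unencrypted, i.e. "encryption" was not chosen at pool creation.
root_unencrypted() {
    audit_encryption |
        awk -F '\t' 'index($1, "/") == 0 && $2 != "PLAINTEXT" { bad = 1 } END { exit bad + 0 }'
}

# Demo on the constructed sample; on a real system pipe the zfs command in instead.
sample_zfs_get | audit_encryption
sample_zfs_get | root_unencrypted && echo "root dataset is unencrypted"
```

A child dataset that inherits encryption (here `tank/private/scans`) reports its parent as `encryptionroot` and is locked or unlocked together with it.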
 