August 14, 20241 yr Note: this is mostly about ZFS pools. I have no idea how this would work for arrays. ZFS has the ability to create encrypted datasets, allowing a more granular control over encryption. Compared to LUKS, it has some clear advantages: 1. Encryption, like compression and other features, can be controlled at the dataset level, meaning one does not have to suffer the penalty of FDE via LUKS for the entire pool. 2. Snapshotting is faster (the data structures used for snapshotting itself aren't encrypted) and snapshots can be sent without disclosing the key, meaning off-site backups stay encrypted with full secrecy (and no overhead in decrypting anything during send) LUKS also has its own advantages, but this is besides the point for this feature request, as it can never do encryption for a single dataset (which becomes a share in unRAID) nor keep backups fully secret both in flight and at rest, out of the box, for off-site backups; which already answers the question "but isn't our LUKS support enough?" Unlocking it can be done in similar ways as to LUKS (password, keys locate in some external storage, etc.) so I think this is a matter of figuring out the tooling and GUI to support this. Ideally it should work exactly like LUKS does and ask for the password on array start. Open questions: should it ever allow the array to start with an unmounted encrypted dataset? I think the answer should be "no", but input is welcomed. References: it seems I'm not the first to talk about it here, but I could not find a real feature request: https://forums.unraid.net/topic/169948-best-way-to-load-key-and-mount-zfs-native-encryption-datasets/
April 7, 20251 yr To add to this, at the moment there's no way to use shares (which is a rather major feature of a NAS ) with a native encrypted ZFS pool because even though you can manually load the key, there is no way to tell Unraid that the share is now unlocked, so it still thinks it's an "Unmountable: wrong or no file system". The good news is that everything is working fully in Unraid, other than emphttpd is not calling zfs load-key <pool name> on startup with a user provided password or a key file, (you can see in the logs all of the mount process working fine until it exits because the key isn't loaded) so I'm hopeful that Lime can add this in quite easily in a future update by reusing the UI system already present for encrypted LUKS systems and just calling the command. Calling the command manually makes everything work and mount fine, but then Unraid still doesn't let you make shares because it didn't do it itself during array start. Apr 7 21:25:41 Sybil emhttpd: errors: No known data errors Apr 7 21:25:41 Sybil emhttpd: shcmd (246): /usr/sbin/zfs set -u mountpoint=/mnt/main main Apr 7 21:25:41 Sybil emhttpd: shcmd (247): /usr/sbin/zfs mount -o atime=off main Apr 7 21:25:41 Sybil root: cannot mount 'main': encryption key not loaded Apr 7 21:25:41 Sybil emhttpd: shcmd (247): exit status: 1 Apr 7 21:25:41 Sybil emhttpd: shcmd (248): /usr/sbin/zpool export -f main Apr 7 21:25:41 Sybil emhttpd: shcmd (249): rmdir /mnt/main Apr 7 21:25:41 Sybil emhttpd: main: mount error: wrong or no file system @andrebrait - Just to confirm, you don't have any SMB shares working for the pool either do you? I'd settle with a hacky solution for the time being but I haven't been able to find a way to use the native share system while emhttpd isn't trying to load the key itself. Edited April 7, 20251 yr by Alexstrasza
April 7, 20251 yr Author @Alexstrasza have you tried the strategy to automatically unlock the dataset I present here? https://github.com/andrebrait/unraid-native-zfs-encryption
April 7, 20251 yr Author @Alexstrasza I do have a share that is the root encrypted dataset itself. See the repository above, where I create the `appdata-crypt` share.
April 7, 20251 yr 14 minutes ago, andrebrait said: @Alexstrasza I do have a share that is the root encrypted dataset itself. See the repository above, where I create the `appdata-crypt` share. Aha! By creating a 'sacrificial' pool on a spare drive all of the other shares appeared in the share config properly. Thanks for pointing me in the right direction and fingers crossed for full integration with the UI soon !
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.