FreeNAS Encryption


  • Make sure your CPU supports AES-NI to avoid a decrease in performance.  From the Shell, enter dmesg | grep aes to see whether your hardware supports AES.
  • The boot drive should ideally be a mirrored pair of SATA SSDs, not USBs.  
  • Make sure that your System Dataset is running on your boot drive, not a data pool.  You can check and move this under: System - System Dataset.
  • When you create the data volume, select the encryption box.  You cannot encrypt an existing volume; it must be done when the volume is created.
  • Download the encryption key to a safe location.  Every time you make any changes to the pool, download the new key.
  • Upon boot, FreeNAS will unlock the pool automatically without any prompting from the user by accessing the encryption key saved on the boot media.  Be advised that your data will not remain protected if someone physically takes the boot media along with the data pool drives, because the key needed to unlock the pool goes with them.
  • The recommended procedure is to also create a passphrase.  When using the additional passphrase, the data pool will not automatically decrypt upon reboot.  After rebooting you will be required to enter the passphrase for FreeNAS to decrypt the data pool.  This is a slight inconvenience; however, it will prevent access to your data pool if someone physically takes the entire FreeNAS server (boot drive and data pool).
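
The AES-NI and System Dataset checks from the list above can be scripted. The script below is an added example, not part of the original post. It assumes the boot pool is named freenas-boot, that the System Dataset shows up as <pool>/.system in zfs list, and that dmesg lines follow the FreeBSD aesni driver format used in the constructed sample.

```sh
#!/bin/sh
# Pre-flight checks for the first and third checklist items (added example).
# Assumed, not from the page: boot pool "freenas-boot", System Dataset shown as
# "<pool>/.system" by zfs list, and FreeBSD-style dmesg lines as in sample_refusal.
BOOT_POOL="${BOOT_POOL:-freenas-boot}"

# Read dmesg text on stdin; print attached | cpu-only | missing.
aesni_status() {
    awk '
        /aesni[0-9]+: No /          { refused = 1 }   # driver probed, CPU lacks AES
        /aesni[0-9]+: </            { attached = 1 }  # driver attached, lists ciphers
        /Features2=.*[<,]AESNI[,>]/ { cpuflag = 1 }   # CPUID flag only
        END {
            if (refused)       print "missing"
            else if (attached) print "attached"
            else if (cpuflag)  print "cpu-only"
            else               print "missing"
        }'
}

# Read `zfs list -H -o name` output on stdin; print the pool holding .system.
system_dataset_pool() {
    awk -F/ 'NF == 2 && $2 == ".system" { print $1; exit }'
}

# preflight DMESG_FILE ZFS_NAMES_FILE: return 0 only when both checks pass.
preflight() {
    rc=0
    aes=$(aesni_status < "$1")
    pool=$(system_dataset_pool < "$2")
    [ "$aes" = "attached" ] || { echo "AES-NI: $aes" >&2; rc=1; }
    [ "$pool" = "$BOOT_POOL" ] ||
        { echo "System Dataset on '${pool:-unknown}', expected $BOOT_POOL" >&2; rc=1; }
    return "$rc"
}

# Constructed sample: a plain grep for "aes" matches this line although it is a refusal.
sample_refusal() { echo 'aesni0: No AESNI support.'; }

if [ "${1:-}" = "--live" ]; then       # on the NAS: sh preflight.sh --live
    names=$(mktemp) && zfs list -H -o name > "$names"
    preflight /var/run/dmesg.boot "$names"; status=$?
    rm -f "$names"
    exit "$status"
else
    echo "sample refusal line -> $(sample_refusal | aesni_status)"
fi
```

The live mode reads /var/run/dmesg.boot rather than the dmesg buffer, since boot messages can scroll out of the buffer on a long-running system.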
